mirror of
https://github.com/moparisthebest/wget
synced 2024-07-03 16:38:41 -04:00
[svn] Fix bogus ".." hosts injecting such components to path.
This commit is contained in:
parent
b3363d2abd
commit
18acfe8130
@ -1,3 +1,8 @@
|
||||
2005-03-05 Hrvoje Niksic <hniksic@xemacs.org>
|
||||
|
||||
* url.c (url_file_name): Don't allow hosts named ".." to be
|
||||
appended as path elements.
|
||||
|
||||
2005-03-03 Hrvoje Niksic <hniksic@xemacs.org>
|
||||
|
||||
* retr.c (retrieve_url): Escape location header.
|
||||
|
@ -1454,7 +1454,13 @@ url_file_name (const struct url *u)
|
||||
{
|
||||
if (fnres.tail)
|
||||
append_char ('/', &fnres);
|
||||
if (0 != strcmp (u->host, ".."))
|
||||
append_string (u->host, &fnres);
|
||||
else
|
||||
/* Host name can come from the network; malicious DNS may
|
||||
allow ".." to be resolved, causing us to write to
|
||||
"../<file>". Defang such host names. */
|
||||
append_string ("%2E%2E", &fnres);
|
||||
if (u->port != scheme_default_port (u->scheme))
|
||||
{
|
||||
char portstr[24];
|
||||
|
Loading…
Reference in New Issue
Block a user