blob: 8820af3f74f707dc86dcb13413da1cc4408e10bc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 08:19:38 +0200
Subject: [PATCH] urlapi: reject percent-decoding host name into separator
bytes
CVE-2022-27780
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27780.html
Closes #8826
Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a]
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
lib/urlapi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/urlapi.c b/lib/urlapi.c
index ff00ee4..00222fc 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
#endif
}
else {
- /* letters from the second string is not ok */
- len = strcspn(hostname, " \r\n");
+ /* letters from the second string are not ok */
+ len = strcspn(hostname, " \r\n\t/:#?!@");
if(hlen != len)
/* hostname with bad content */
return CURLUE_BAD_HOSTNAME;
|
