mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-01-18 14:04:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

urlapi: verify the IPv6 numerical address

Browse Source 
It needs to parse correctly. Otherwise it could be tricked into letting
through a-f using host names that libcurl would then resolve. Like
'[ab.be]'.

Reported-by: Thomas Vegas
Closes #4315
This commit is contained in:
Daniel Stenberg 2019-09-04 23:49:30 +02:00
parent ffe34b7b59
commit eab3c580f9
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
lib/urlapi.c
View File

@ -29,6 +29,7 @@
#include "url.h"
#include "escape.h"
#include "curl_ctype.h"
#include "inet_pton.h"
/* The last 3 #include files should be in this order */
#include "curl_printf.h"
@ -591,20 +592,22 @@ static CURLUcode junkscan(char *part)
static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
{
const char *l = NULL; /* accepted characters */
size_t len;
size_t hlen = strlen(hostname);
if(hostname[0] == '[') {
char dest[16]; /* fits a binary IPv6 address */
const char *l = "0123456789abcdefABCDEF::.";
hostname++;
l = "0123456789abcdefABCDEF::.";
hlen -= 2;
}
if(l) {
if(hostname[hlen] != ']')
return CURLUE_MALFORMED_INPUT;
/* only valid letters are ok */
len = strspn(hostname, l);
if(hlen != len) {
hlen = len;
if(hostname[len] == '%') {
/* this could now be '%[zone id]' */
char zoneid[16];
@ -628,6 +631,12 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
return CURLUE_MALFORMED_INPUT;
/* hostname is fine */
}
#ifdef ENABLE_IPV6
hostname[hlen] = 0; /* end the address there */
if(1 != Curl_inet_pton(AF_INET6, hostname, dest))
return CURLUE_MALFORMED_INPUT;
hostname[hlen] = ']'; /* restore ending bracket */
#endif
}
else {
/* letters from the second string is not ok */

4
tests/libtest/lib1560.c
View File

@ -140,6 +140,10 @@ static struct testcase get_parts_list[] ={
"file | [11] | [12] | [13] | [14] | [15] | C:\\programs\\foo | [16] | [17]",
CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
#endif
{"http://[ab.be:1]/x", "",
CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
{"http://[ab.be]/x", "",
CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
/* URL without host name */
{"http://a:b@/x", "",
CURLU_DEFAULT_SCHEME, 0, CURLUE_NO_HOST},