urlapi: reject more bad characters from the host name field

Extended test 1560 to verify

Report from the ongoing source code audit by Trail of Bits.

Closes #9608
This commit is contained in:
Daniel Stenberg 2022-09-27 17:48:08 +02:00
parent 267668308b
commit eb0167ff7d
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 21 additions and 1 deletions

View File

@ -637,7 +637,7 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname,
}
else {
/* letters from the second string are not ok */
len = strcspn(hostname, " \r\n\t/:#?!@");
len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,");
if(hlen != len)
/* hostname with bad content */
return CURLUE_BAD_HOSTNAME;

View File

@ -138,6 +138,26 @@ struct clearurlcase {
};
static const struct testcase get_parts_list[] ={
{"https://exam{}[]ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam{ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam}ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam]ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam\\ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam$ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam'ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam\"ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam^ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam`ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam*ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam<ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam>ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam=ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://exam;ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://example,net", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://example.net/}",
"https | [11] | [12] | [13] | example.net | [15] | /} | [16] | [17]",
0, 0, CURLUE_OK},
/* blank user is blank */
{"https://:password@example.net",
"https | | password | [13] | example.net | [15] | / | [16] | [17]",