| From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Mon, 9 May 2022 08:19:38 +0200 |
| Subject: [PATCH] urlapi: reject percent-decoding host name into separator |
| bytes |
| |
| CVE-2022-27780 |
| |
| Reported-by: Axel Chong |
| Bug: https://curl.se/docs/CVE-2022-27780.html |
| Closes #8826 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a] |
| Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> |
| --- |
| lib/urlapi.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| diff --git a/lib/urlapi.c b/lib/urlapi.c |
| index ff00ee4..00222fc 100644 |
| --- a/lib/urlapi.c |
| +++ b/lib/urlapi.c |
| @@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) |
| #endif |
| } |
| else { |
| - /* letters from the second string is not ok */ |
| - len = strcspn(hostname, " \r\n"); |
| + /* letters from the second string are not ok */ |
| + len = strcspn(hostname, " \r\n\t/:#?!@"); |
| if(hlen != len) |
| /* hostname with bad content */ |
| return CURLUE_BAD_HOSTNAME; |