From: gnunet
Subject: [GNUnet-SVN] [gnurl] 36/205: URL: return error on malformed URLs with junk after port number
Date: Thu, 20 Apr 2017 16:19:36 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to annotated tag gnurl-7.54.0
in repository gnurl.
commit aadb7c7b62251c4e760930d543105f2b10cbd9b2
Author: Daniel Stenberg <address@hidden>
AuthorDate: Mon Mar 6 16:08:21 2017 +0100
URL: return error on malformed URLs with junk after port number
... because it causes confusion with users. Example URLs:
"http://[127.0.0.1]:11211:80" which a lot of languages' URL parsers will
parse and claim uses port number 80, while libcurl would use port number
11211.
"http://address@hidden:address@hidden" which by the WHATWG URL spec will
be treated to contain user name 'address@hidden' but according to
RFC3986 is user name 'user' for the host 'example.com' and then port 80
is followed by "@localhost"
Both these formats are now rejected, and verified so in test 1260.
Reported-by: Orange Tsai
---
lib/url.c | 13 +++++++------
tests/data/Makefile.inc | 1 +
tests/data/test1260 | 34 ++++++++++++++++++++++++++++++++++
3 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index 2072a61bd..300fc4d14 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -5643,7 +5643,7 @@ static CURLcode parse_remote_port(struct Curl_easy *data,
}
#endif
- portptr = strrchr(conn->host.name, ':');
+ portptr = strchr(conn->host.name, ':');
}
if(data->set.use_port && data->state.allow_port) {
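Review bot: The `portptr = strchr(conn->host.name, ':');` line now takes the first colon instead of the last, but nothing in the code says why. Taken alone, this makes everything after the first colon the port string, so the change is only safe together with a check that rejects leftover characters after the digits. A one-line comment here, saying that a second ':' is deliberately left in the port string so that it gets rejected as malformed, would keep a later reader from switching back to strrchr().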
@@ -5698,15 +5698,16 @@ static CURLcode parse_remote_port(struct Curl_easy
*data,
return CURLE_URL_MALFORMAT;
}
- else if(rest != &portptr[1]) {
+ if(rest[0]) {
+ failf(data, "Port number ended with '%c'", rest[0]);
+ return CURLE_URL_MALFORMAT;
+ }
+
+ if(rest != &portptr[1]) {
*portptr = '\0'; /* cut off the name there */
conn->remote_port = curlx_ultous(port);
}
else {
- if(rest[0]) {
- failf(data, "Illegal port number");
- return CURLE_URL_MALFORMAT;
- }
/* Browser behavior adaptation. If there's a colon with no digits after,
just cut off the name there which makes us ignore the colon and just
use the default port. Firefox and Chrome both do that. */
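Review bot: The new `if(rest[0])` check sits ahead of the `rest != &portptr[1]` test, so a colon followed directly by a non-digit (no port digits at all) is now reported as "Port number ended with ..." although no port number was parsed; the removed branch reported "Illegal port number" for that case. Consider keeping the two messages distinct. The same failf() call prints rest[0] with %c straight from the URL, and that byte can be a control or non-ASCII character; printing it as a hex value, or leaving it out, keeps the error text safe to log and display.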
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 8251ab9a4..c51cc3595 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -129,6 +129,7 @@ test1228 test1229 test1230 test1231 test1232 test1233
test1234 test1235 \
test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \
test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \
test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \
+test1260 \
\
test1280 test1281 test1282 test1283 test1284 test1285 test1286 \
\
diff --git a/tests/data/test1260 b/tests/data/test1260
new file mode 100644
index 000000000..b5a0aef97
--- /dev/null
+++ b/tests/data/test1260
@@ -0,0 +1,34 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+</keywords>
+</info>
+
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+none
+</server>
+ <name>
+HTTP URL with rubbish after port number
+ </name>
+ <command>
+-g "http://[%HOSTIP]:%HTTPPORT:80/we/want/1260"
"http://%HOSTIP:%HTTPPORT:80/we/want/1260"
"http://address@hidden:address@hidden"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# CURLE_URL_MALFORMAT == 3
+<errorcode>
+3
+</errorcode>
+</protocol>
+</verify>
+</testcase>
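Review bot: The `<verify>` section closes a `</protocol>` element that is never opened, so the test file is not well-formed; that line should be dropped. The test also declares `<server>none</server>` while carrying HTTP keywords and http:// URLs, and no section states that HTTP support is required, so a build without HTTP would fail it for the wrong reason.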
--
To stop receiving notification emails like this one, please contact
address@hidden
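The parser disagreement the commit message describes, as an added example that is not code from the commit or from libcurl: a last-colon parser and a strict first-colon parser run on the same host:port string. The function names are hypothetical and the sample inputs are constructed in the style of the URLs quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers (not libcurl API). Input is "host[:port]" with the
   scheme, userinfo and path already stripped. */

/* Lenient parser: whatever follows the LAST colon is the port. */
long port_last_colon(const char *hostport)
{
  const char *p = strrchr(hostport, ':');
  return p ? strtol(p + 1, NULL, 10) : -1;
}

/* Strict parser: the port starts at the FIRST colon after the host (after
   ']' for a bracketed host) and must run to the end of the string.
   Returns 0 and sets *port (0 means "no port given, use the default"),
   or -1 when the string is malformed. */
int port_strict(const char *hostport, long *port)
{
  const char *start = hostport;
  const char *colon;
  char *rest;

  *port = 0;
  if(*start == '[') {
    start = strchr(start, ']');
    if(!start)
      return -1;                       /* unterminated bracket */
  }
  colon = strchr(start, ':');
  if(!colon || !colon[1])
    return 0;                          /* no port, or a bare trailing ':' */
  if(colon[1] < '0' || colon[1] > '9')
    return -1;                         /* strtol would skip sign/whitespace */
  *port = strtol(colon + 1, &rest, 10);
  if(*rest || *port > 65535)
    return -1;                         /* junk after digits, or out of range */
  return 0;
}

int main(void)
{
  const char *in = "127.0.0.1:11211:80"; /* constructed sample input */
  long port;
  int rc = port_strict(in, &port);
  printf("last-colon parser: %ld, strict parser: %s\n",
         port_last_colon(in), rc ? "malformed" : "ok");
  return 0;
}
```
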