[GNUnet-SVN] [gnurl] 95/116: url: reject ASCII control characters and sp
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 95/116: url: reject ASCII control characters and space in host names |
Date: |
Tue, 05 Dec 2017 14:52:05 +0100 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit fa939220dfff7607ed7b0522b549ecb482a5e1ac
Author: Daniel Stenberg <address@hidden>
AuthorDate: Fri Nov 17 16:48:37 2017 +0100
url: reject ASCII control characters and space in host names
Host names like "127.0.0.1 moo" would otherwise be accepted by some
getaddrinfo() implementations.
Updated test 1034 and 1035 accordingly.
Fixes #2073
Closes #2092
---
lib/url.c | 49 +++++++++++++++++++++++++++++++++++++------------
tests/data/test1034 | 25 +++++--------------------
tests/data/test1035 | 21 +++++----------------
3 files changed, 47 insertions(+), 48 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index d0b9c7ef0..1de02c2bd 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1687,7 +1687,7 @@ static bool is_ASCII_name(const char *hostname)
/*
* Perform any necessary IDN conversion of hostname
*/
-static void fix_hostname(struct connectdata *conn, struct hostname *host)
+static CURLcode fix_hostname(struct connectdata *conn, struct hostname *host)
{
size_t len;
struct Curl_easy *data = conn->data;
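Review bot: The header comment above fix_hostname still reads "Perform any necessary IDN conversion of hostname", but with this commit the function also validates the name and can fail. A comment such as `/* Perform any necessary IDN conversion of hostname and reject names containing ASCII control characters or space. Returns CURLE_URL_MALFORMAT on failure, CURLE_OK otherwise. */` would tell callers that the result must be checked. The "IDN-fix the hostnames" banner in the create_conn hunk has the same gap, since those calls can now abort connection setup. The body of fix_hostname continues outside this hunk.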
@@ -1727,9 +1727,11 @@ static void fix_hostname(struct connectdata *conn,
struct hostname *host)
/* change the name pointer to point to the encoded hostname */
host->name = host->encalloc;
}
- else
- infof(data, "Failed to convert %s to ACE; %s\n", host->name,
+ else {
+ failf(data, "Failed to convert %s to ACE; %s\n", host->name,
idn2_strerror(rc));
+ return CURLE_URL_MALFORMAT;
+ }
}
#elif defined(USE_WIN32_IDN)
char *ace_hostname = NULL;
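Review bot: The failf() call that replaces infof() in the libidn2 branch keeps the trailing `\n` of the old informational message, and the USE_WIN32_IDN branch in the next hunk does the same, while the failf() added for the bad-letter check has no newline. For consistency with that new message, and because this text is presumably what the application receives as its error string, drop the newline: `failf(data, "Failed to convert %s to ACE; %s", host->name, idn2_strerror(rc));` and `failf(data, "Failed to convert %s to ACE", host->name);`. The enclosing function starts and ends outside this hunk.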
@@ -1739,12 +1741,24 @@ static void fix_hostname(struct connectdata *conn,
struct hostname *host)
/* change the name pointer to point to the encoded hostname */
host->name = host->encalloc;
}
- else
- infof(data, "Failed to convert %s to ACE;\n", host->name);
+ else {
+ failf(data, "Failed to convert %s to ACE;\n", host->name);
+ return CURLE_URL_MALFORMAT;
+ }
#else
infof(data, "IDN support not present, can't parse Unicode domains\n");
#endif
}
+ {
+ char *hostp;
+ for(hostp = host->name; *hostp; hostp++) {
+ if(*hostp <= 32) {
+ failf(data, "Host name '%s' contains bad letter", host->name);
+ return CURLE_URL_MALFORMAT;
+ }
+ }
+ }
+ return CURLE_OK;
}
/*
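Review bot: The test `*hostp <= 32` in the loop added at the end of fix_hostname compares a plain `char`, so the result depends on the platform's char signedness: where char is signed, every byte at or above 0x80 is negative and is rejected, and where it is unsigned those bytes pass. Such bytes can reach the loop in builds that take the `#else` "IDN support not present" branch, so the same URL may be accepted on one target and refused on another. DEL (0x7f) also gets through although the commit title says ASCII control characters are rejected; `if((unsigned char)*hostp <= 32 || *hostp == 127)` would make both cases explicit. The failf() on this path prints the rejected name with `%s`, control bytes included, so the message should omit or escape the raw name before it reaches logs or a terminal. fix_hostname begins outside this hunk.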
@@ -4178,13 +4192,24 @@ static CURLcode create_conn(struct Curl_easy *data,
/*************************************************************
* IDN-fix the hostnames
*************************************************************/
- fix_hostname(conn, &conn->host);
- if(conn->bits.conn_to_host)
- fix_hostname(conn, &conn->conn_to_host);
- if(conn->bits.httpproxy)
- fix_hostname(conn, &conn->http_proxy.host);
- if(conn->bits.socksproxy)
- fix_hostname(conn, &conn->socks_proxy.host);
+ result = fix_hostname(conn, &conn->host);
+ if(result)
+ goto out;
+ if(conn->bits.conn_to_host) {
+ result = fix_hostname(conn, &conn->conn_to_host);
+ if(result)
+ goto out;
+ }
+ if(conn->bits.httpproxy) {
+ result = fix_hostname(conn, &conn->http_proxy.host);
+ if(result)
+ goto out;
+ }
+ if(conn->bits.socksproxy) {
+ result = fix_hostname(conn, &conn->socks_proxy.host);
+ if(result)
+ goto out;
+ }
/*************************************************************
* Check whether the host and the "connect to host" are equal.
diff --git a/tests/data/test1034 b/tests/data/test1034
index 6c1beb671..beab0d3c0 100644
--- a/tests/data/test1034
+++ b/tests/data/test1034
@@ -13,24 +13,17 @@ config file
#
# Server-side
<reply>
-<data>
-HTTP/1.0 503 Service Unavailable
-Date: Thu, 09 Nov 2010 14:49:00 GMT
-Server: test-server/fake swsclose
-Content-Type: text/html
-Funny-head: yesyes
-
-</data>
</reply>
#
# Client-side
<client>
<server>
-http
+none
</server>
<features>
idn
+http
</features>
<setenv>
LC_ALL=
@@ -54,17 +47,9 @@ url = "http://invalid-utf8-
</client>
#
-# Verify data after the test has been "shot"
<verify>
-<strip>
-^User-Agent:.*
-</strip>
-<protocol>
-GET http://invalid-utf8-�.local/page/1034 HTTP/1.1
-Host: invalid-utf8-�.local
-Accept: */*
-Proxy-Connection: Keep-Alive
-
-</protocol>
+<errorcode>
+3
+</errorcode>
</verify>
</testcase>
diff --git a/tests/data/test1035 b/tests/data/test1035
index 033a48a72..a316c51e1 100644
--- a/tests/data/test1035
+++ b/tests/data/test1035
@@ -12,24 +12,17 @@ FAILURE
#
# Server-side
<reply>
-<data>
-HTTP/1.0 503 Service Unavailable
-Date: Thu, 09 Nov 2010 14:49:00 GMT
-Server: test-server/fake swsclose
-Content-Type: text/html
-Funny-head: yesyes
-
-</data>
</reply>
#
# Client-side
<client>
<server>
-http
+none
</server>
<features>
idn
+http
</features>
<setenv>
LC_ALL=
@@ -52,12 +45,8 @@
http://too-long-IDN-name-cürl-rüles-la-la-la-dee-da-flooby-nooby.local/page/10
<strip>
^User-Agent:.*
</strip>
-<protocol>
-GET
http://too-long-IDN-name-cürl-rüles-la-la-la-dee-da-flooby-nooby.local/page/1035
HTTP/1.1
-Host: too-long-IDN-name-cürl-rüles-la-la-la-dee-da-flooby-nooby.local
-Accept: */*
-Proxy-Connection: Keep-Alive
-
-</protocol>
+<errorcode>
+3
+</errorcode>
</verify>
</testcase>
--