Created
December 1, 2016 09:24
curl: reject non-numeric port numbers in URLs
diff --git a/lib/url.c b/lib/url.c | |
index dd3f62d..48016e2 100644 | |
--- a/lib/url.c | |
+++ b/lib/url.c | |
@@ -5451,15 +5451,20 @@ static CURLcode parse_remote_port(struct Curl_easy *data, | |
else if(rest != &portptr[1]) { | |
*portptr = '\0'; /* cut off the name there */ | |
conn->remote_port = curlx_ultous(port); | |
} | |
- else | |
+ else { | |
+ if(rest[0]) { | |
+ failf(data, "Illegal port number"); | |
+ return CURLE_URL_MALFORMAT; | |
+ } | |
/* Browser behavior adaptation. If there's a colon with no digits after, | |
just cut off the name there which makes us ignore the colon and just | |
use the default port. Firefox and Chrome both do that. */ | |
*portptr = '\0'; | |
+ } | |
} | |
/* only if remote_port was not already parsed off the URL we use the | |
default port number */ | |
if(conn->remote_port < 0) |
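Review bot: The new `rest[0]` check sits only in the final `else`, which is reached when no digits follow the colon, so a port with digits followed by other characters (constructed example: `80abc`) still appears to take the `else if(rest != &portptr[1])` branch and is accepted as 80, with the trailing characters dropped by `*portptr = '\0'`. That leaves curl reading the authority differently from a stricter URL validator or allowlist placed in front of it, which is the kind of mismatch this change sets out to close. Unless an earlier branch outside this hunk already rejects that input, run the check for both cases by placing `if(rest[0]) { failf(data, "Illegal port number"); return CURLE_URL_MALFORMAT; }` ahead of the `rest != &portptr[1]` test. The start of the if/else chain and the remainder of parse_remote_port are outside the hunk, so confirm against the full function.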