Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL

contains %0a or %0d in the user, password or CWD parts. (A future fix would
include doing it for %00 as well - see KNOWN_BUGS for details.) Test case 225
and 226 were added to verify this

1 files changed, 10 insertions, 0 deletions

diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS
index 1177b37e2..1bfe25bc2 100644
--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@@ -3,6 +3,16 @@ join in and help us correct one or more of these! Also be sure to check the
 changelog of the current development status, as one or more of these problems
 may have been fixed since this was written!
 
+* FTP URLs passed to curl may contain NUL (0x00) in the RFC 1738 <user>,
+  <password>, and <fpath> components, encoded as "%00".  The problem is that
+  curl_unescape does not detect this, but instead returns a shortened C
+  string.  From a strict FTP protocol standpoint, NUL is a valid character
+  within RFC 959 <string>, so the way to handle this correctly in curl would
+  be to use a data structure other than a plain C string, one that can handle
+  embedded NUL characters.  From a practical standpoint, most FTP servers
+  would not meaningfully support NUL characters within RFC 959 <string>,
+  anyway (e.g., UNIX pathnames may not contain NUL).
+
 * Test case 241 fails on all systems that support IPv6 but that don't have the
   host name 'ip6-localhost' in /etc/hosts (or similar) since the test case
   uses that host name to test the IPv6 name to address resolver.