aboutsummaryrefslogtreecommitdiff
path: root/lib/libcurl.plist
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2011-12-23 13:24:16 +0100
committerDaniel Stenberg <daniel@haxx.se>2012-01-24 08:54:26 +0100
commit75ca568fa1c19de4c5358fed246686de8467c238 (patch)
tree3defa5cba8cb2105499cc762810274d27d44cfd6 /lib/libcurl.plist
parentdb1a856b4f7cf6ae334fb0656b26a18eea317000 (diff)
URL sanitize: reject URLs containing bad data
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one. This flaw is considered a security vulnerability: CVE-2012-0036 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html Reported by: Dan Fandrich
Diffstat (limited to 'lib/libcurl.plist')
0 files changed, 0 insertions, 0 deletions