path: root/lib/escape.c
Age | Author | Commit message
2012-01-24 | Daniel Stenberg | URL sanitize: reject URLs containing bad data
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32).
URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one.
This flaw is considered a security vulnerability: CVE-2012-0036
Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
Reported by: Dan Fandrich
2011-07-26 | Yang Tse | stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h
2011-05-23 | Yang Tse | compiler warning: fix
Fix compiler warning: expression has no effect
2011-04-27 | Daniel Stenberg | source cleanup: unify look, style and indent levels
By the use of the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20 | Daniel Stenberg | CURL_DOES_CONVERSIONS: cleanup
Massively reduce #ifdefs all over (23 #ifdef lines less so far)
Moved conversion-specific code to non-ascii.c
2010-09-28 | Daniel Stenberg | curl_easy_escape: don't escape "unreserved" characters
According to RFC3986 section 2.3 the letters -, ., _ and ~ should not be percent-encoded.
Reported by: Miguel Diaz
Bug: http://curl.haxx.se/mail/lib-2010-09/0227.html
2010-03-24 | Daniel Stenberg | remove the CVSish $Id$ lines
2010-02-24 | Yang Tse | fix compiler warning
2010-01-22 | Daniel Stenberg | wrap long lines and do some indent policing
2009-04-21 | Yang Tse | libcurl's memory.h renamed to curl_memory.h
2008-10-08 | Dan Fandrich | Added const to some pointer variables
2008-09-09 | Dan Fandrich | Factored out Curl_isalnum
2007-11-07 | Daniel Stenberg | if () => if()
while () => while() and some other minor re-indentings
2007-09-30 | Daniel Stenberg | Alex Fishman reported a curl_easy_escape() problem that made the
function do wrong on all input bytes that are >= 0x80 (decimal 128) due to a signed / unsigned mistake in the code. I fixed it and added test case 543 to verify.
2007-08-26 | Dan Fandrich | Fixed some minor mismatched types found by splint.
2007-08-04 | Daniel Stenberg | Patrick Monnerat fixed curl_easy_escape() and curlx_strtoll() to work on
non-ASCII systems.
2006-10-17 | Daniel Stenberg | Avoid typecasting a signed char to an int when using is*() functions, as that
could very well cause a negative number to get passed in and thus cause reading outside of the array usually used for this purpose. We avoid this by using the uppercase macro versions introduced just now that do some extra crazy typecasts to avoid byte codes > 127 to cause negative int values.
2006-04-07 | Daniel Stenberg | First commit of David McCreedy's EBCDIC and TPF changes.
2004-07-01 | Daniel Stenberg | Variable type cleanups to please the picky MIPSPro compiler.
2004-06-24 | Daniel Stenberg | include header for our printfs
2004-06-24 | Daniel Stenberg | Replaced all uses of sprintf() with the safer snprintf(). It is just a
precaution to prevent mistakes from leading to buffer overflows.
2004-05-13 | Daniel Stenberg | curl_free() doesn't free(NULL) but just returns
2004-05-12 | Daniel Stenberg | return NULL on out of memory
2004-05-11 | Daniel Stenberg | curl_global_init_mem() allows the memory functions to be replaced.
memory.h is included everywhere for this.
2004-03-08 | Daniel Stenberg | size_t/int/long fixes
2004-01-29 | Daniel Stenberg | Dan Fandrich's cleanup patch to make pedantic compiler options cause less
warnings. Minor edits by me.
2004-01-07 | Daniel Stenberg | updated year in the copyright string
2003-06-26 | Daniel Stenberg | use CURLDEBUG instead of MALLOCDEBUG
2003-05-21 | Daniel Stenberg | David Balazic pointed out the lack of checks for a valid %XX code when
we unescape a string. We now check and decode only valid %XX strings.
2003-01-29 | Daniel Stenberg | removed the local variables for emacs and vim, use the new sample.emacs
way for emacs, and vim users should provide a similar non-polluting style
2003-01-16 | Daniel Stenberg | copyright year update in the source header
2003-01-08 | Jean-Philippe Barette-LaPierre | fixed a very, very rare and very, very little memory leak
2002-09-25 | Daniel Stenberg | Walter J. Mack added curl_free
2002-09-03 | Daniel Stenberg | updated source code boilerplate/header
2002-06-26 | Daniel Stenberg | ignore '+' in URLs, generate only %-codes
2002-03-19 | Daniel Stenberg | copyright string (year) update
2001-10-11 | Sterling Hughes | looks nicer and is better compatible with older vim versions
2001-09-07 | Sterling Hughes | Added formatting sections for emacs and vim
2001-08-21 | Daniel Stenberg | Georg Huettenegger's patch curl-7.8.1-pre5-patch-20010819
2001-08-14 | Daniel Stenberg | added typecasts when converting from unsigned int to int
2001-08-05 | Daniel Stenberg | curl_escape() no longer attempts to detect already encoded stuff (in order
not to re-encode it).
2001-04-07 | Daniel Stenberg | Andrés García fixed curl_escape()
2001-03-22 | Daniel Stenberg | Jim Drash suggested and I made it not encode what looks like an already
encoded letter (in curl_escape)
2001-03-22 | Daniel Stenberg | the new escape/unescape function setup
2001-03-09 | Daniel Stenberg | use unsigned int hex to receive the hex digit in, caused a warning with
-Wall and a new gcc
2001-01-03 | Daniel Stenberg | dual-license fix
2000-11-21 | Daniel Stenberg | curl_unescape() did not stop at the set length properly when %-codes were
used
2000-10-09 | Daniel Stenberg | added memory debugging include file
2000-08-31 | Daniel Stenberg | in unescape(), '+' is now only converted to space after the first '?'
2000-06-20 | Daniel Stenberg | haxx.nu => haxx.se