From ad829b21ae9e0f11a821a0a98a1aaab161efa9a2 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 May 2020 15:38:36 +0200
Subject: url: accept "any length" credentials for proxy auth

They're only limited to the maximum string input restrictions, not to
256 bytes.

Added test 1178 to verify

Reported-by: Will Roberts
Fixes #5448
Closes #5449
---
 lib/escape.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'lib/escape.c')

diff --git a/lib/escape.c b/lib/escape.c
index 97352a91d..f3c558ed0 100644
--- a/lib/escape.c
+++ b/lib/escape.c
@@ -134,12 +134,17 @@ CURLcode Curl_urldecode(struct Curl_easy *data,
                         char **ostring, size_t *olen,
                         bool reject_ctrl)
 {
-  size_t alloc = (length?length:strlen(string)) + 1;
-  char *ns = malloc(alloc);
+  size_t alloc;
+  char *ns;
   size_t strindex = 0;
   unsigned long hex;
   CURLcode result = CURLE_OK;
 
+  DEBUGASSERT(string);
+
+  alloc = (length?length:strlen(string)) + 1;
+  ns = malloc(alloc);
+
   if(!ns)
     return CURLE_OUT_OF_MEMORY;
 
-- 
cgit v1.2.3