From 75ca568fa1c19de4c5358fed246686de8467c238 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 23 Dec 2011 13:24:16 +0100 Subject: URL sanitize: reject URLs containing bad data Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one. This flaw is considered a security vulnerability: CVE-2012-0036 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html Reported by: Dan Fandrich --- lib/escape.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'lib/escape.h') diff --git a/lib/escape.h b/lib/escape.h index 04b06a973..4c7f84133 100644 --- a/lib/escape.h +++ b/lib/escape.h @@ -1,5 +1,5 @@ -#ifndef __ESCAPE_H -#define __ESCAPE_H +#ifndef HEADER_CURL_ESCAPE_H +#define HEADER_CURL_ESCAPE_H /*************************************************************************** * _ _ ____ _ @@ -8,7 +8,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -25,5 +25,9 @@ /* Escape and unescape URL encoding in strings. The functions return a new * allocated string or NULL if an error occurred. */ +CURLcode Curl_urldecode(struct SessionHandle *data, + const char *string, size_t length, + char **ostring, size_t *olen, + bool reject_crlf); #endif -- cgit v1.2.3