From eab3c580f955c571253ab0ebd062b5f8c8d2b82f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Wed, 4 Sep 2019 23:49:30 +0200
Subject: urlapi: verify the IPv6 numerical address

It needs to parse correctly. Otherwise it could be tricked into letting through a-f using host names that libcurl would then resolve. Like '[ab.be]'.

Reported-by: Thomas Vegas
Closes #4315
---
 tests/libtest/lib1560.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'tests/libtest')

diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
index 1185096d8..85884474e 100644
--- a/tests/libtest/lib1560.c
+++ b/tests/libtest/lib1560.c
@@ -140,6 +140,10 @@ static struct testcase get_parts_list[] ={
 "file | [11] | [12] | [13] | [14] | [15] | C:\\programs\\foo | [16] | [17]",
 CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
 #endif
+ {"http://[ab.be:1]/x", "",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
+ {"http://[ab.be]/x", "",
+ CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
 /* URL without host name */
 {"http://a:b@/x", "",
 CURLU_DEFAULT_SCHEME, 0, CURLUE_NO_HOST},
-- cgit v1.2.3
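Review bot: The two added `get_parts_list` entries have no comment saying what they guard, while the entry right after them is labelled `/* URL without host name */`; a line such as `/* bracketed host that is not a numerical IPv6 address must be rejected */` above `{"http://[ab.be:1]/x", "",` would keep the reason next to the data. Both cases reuse the one hex-letter-and-dot name from the commit message, so they pin the reported input but say little about whether rejection comes from real address parsing. A bracketed host that is empty, or that mixes a valid-looking prefix with trailing non-address text, each expecting `CURLUE_MALFORMED_INPUT`, would make that clearer, assuming the table does not already hold such cases outside this hunk. The array initializer starts and ends outside the hunk, and the page is limited to tests/libtest, so the library-side check these entries exercise is not visible here.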