Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
curl.368
curl-CVE-2014-8150.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2014-8150.patch of Package curl.368
From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 25 Dec 2014 23:55:03 +0100 Subject: [PATCH] url-parsing: reject CRLFs within URLs Bug: http://curl.haxx.se/docs/adv_20150108B.html Reported-by: Andrey Labunets --- lib/url.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/url.c b/lib/url.c index 788f048..d3bb5e0 100644 --- a/lib/url.c +++ b/lib/url.c @@ -3840,10 +3840,17 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data, CURLcode result; bool rebuild_url = FALSE; *prot_missing = FALSE; + /* We might pass the entire URL into the request so we need to make sure + * there are no bad characters in there.*/ + if(strpbrk(data->change.url, "\r\n")) { + failf(data, "Illegal characters found in URL"); + return CURLE_URL_MALFORMAT; + } + /************************************************************* * Parse the URL. * * We need to parse the url even when using the proxy, because we will need * the hostname and port in case we are trying to SSL connect through the -- 2.1.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor