d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

libfetch: disallow invalid escape sequences

Browse Source 
Per RFC1738 escape is "% hex hex"; other sequences do not form a valid URL.

Suggested by:	Matthew Dillon
Reviewed by:	Matthew Dillon
MFC after:	1 week
This commit is contained in:
Ed Maste 2020-02-05 16:55:00 +00:00
parent 690a8a6acd
commit 83372bda16
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/libfetch/fetch.c
View File

@ -327,6 +327,9 @@ fetch_pctdecode(char *dst, const char *src, size_t dlen)
(d2 = fetch_hexval(s[2])) >= 0 && (d1 > 0 || d2 > 0)) {
c = d1 << 4 | d2;
s += 2;
} else if (s[0] == '%') {
/* Invalid escape sequence. */
return (NULL);
} else {
c = *s;
}