From 83372bda16b53157be476df6f9c6aac9f2bc12a3 Mon Sep 17 00:00:00 2001
From: Ed Maste <emaste@FreeBSD.org>
Date: Wed, 5 Feb 2020 16:55:00 +0000
Subject: [PATCH] libfetch: disallow invalid escape sequences

Per RFC1738 escape is "% hex hex"; other sequences do not form a valid URL.

Suggested by:	Matthew Dillon
Reviewed by:	Matthew Dillon
MFC after:	1 week
---
 lib/libfetch/fetch.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/libfetch/fetch.c b/lib/libfetch/fetch.c
index 9eec0730fa7d..82a3c5e451a9 100644
--- a/lib/libfetch/fetch.c
+++ b/lib/libfetch/fetch.c
@@ -327,6 +327,9 @@ fetch_pctdecode(char *dst, const char *src, size_t dlen)
 		    (d2 = fetch_hexval(s[2])) >= 0 && (d1 > 0 || d2 > 0)) {
 			c = d1 << 4 | d2;
 			s += 2;
+		} else if (s[0] == '%') {
+			/* Invalid escape sequence. */
+			return (NULL);
 		} else {
 			c = *s;
 		}