From 87e533ace035849c612968fbad0a55dc93a93185 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 8 Sep 2015 13:42:48 +0200 Subject: [PATCH] parse_proxy: reject illegal port numbers If the port number in the proxy string ended weirdly or the number is too large, skip it. Mostly as a means to bail out early if a "bare" IPv6 numerical address is used without enclosing brackets. Also mention the bracket requirement for IPv6 numerical addresses to the man page for CURLOPT_PROXY. Closes #415 Reported-by: Marcel Raad --- docs/libcurl/opts/CURLOPT_PROXY.3 | 6 +++--- lib/url.c | 16 +++++++++++++++- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/docs/libcurl/opts/CURLOPT_PROXY.3 b/docs/libcurl/opts/CURLOPT_PROXY.3 index b419e51bcb3a7c..cf5c7574cb06cc 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. +.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -29,8 +29,8 @@ CURLOPT_PROXY \- set proxy to use CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY, char *proxy); .SH DESCRIPTION Set the \fIproxy\fP to use for the upcoming request. The parameter should be a -char * to a zero terminated string holding the host name or dotted IP -address. +char * to a zero terminated string holding the host name or dotted numerical +IP address. A numerical IPv6 address must be written within [brackets]. To specify port number in this string, append :[port] to the end of the host name. The proxy's port number may optionally be specified with the separate diff --git a/lib/url.c b/lib/url.c index d572f0195106c5..dccd7109e60f66 100644 --- a/lib/url.c +++ b/lib/url.c @@ -4640,10 +4640,24 @@ static CURLcode parse_proxy(struct SessionHandle *data, /* Get port number off proxy.server.com:1080 */ prox_portno = strchr(portptr, ':'); if(prox_portno) { + char *endp = NULL; + long port = 0; *prox_portno = 0x0; /* cut off number from host name */ prox_portno ++; /* now set the local port number */ - conn->port = strtol(prox_portno, NULL, 10); + port = strtol(prox_portno, &endp, 10); + if((endp && *endp && (*endp != '/') && (*endp != ' ')) || + (port >= 65536) ) { + /* meant to detect for example invalid IPv6 numerical addresses without + brackets: "2a00:fac0:a000::7:13". Accept a trailing slash only + because we then allow "URL style" with the number followed by a + slash, used in curl test cases already. Space is also an acceptable + terminating symbol. */ + infof(data, "No valid port number in proxy string (%s)\n", + prox_portno); + } + else + conn->port = port; } else { if(proxyptr[0]=='/')