
urlapi: verify the IPv6 numerical address

It needs to parse correctly. Otherwise the check could be tricked into
letting through host names that use only the letters a-f, which libcurl
would then resolve. Like '[ab.be]'.

Reported-by: Thomas Vegas
Closes #4315
bagder committed Sep 4, 2019
1 parent ffe34b7 commit eab3c580f955c571253ab0ebd062b5f8c8d2b82f
Showing with 17 additions and 4 deletions.
  1. +13 −4 lib/urlapi.c
  2. +4 −0 tests/libtest/lib1560.c
@@ -29,6 +29,7 @@
#include "url.h"
#include "escape.h"
#include "curl_ctype.h"
#include "inet_pton.h"

/* The last 3 #include files should be in this order */
#include "curl_printf.h"
@@ -591,20 +592,22 @@ static CURLUcode junkscan(char *part)

static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
{
const char *l = NULL; /* accepted characters */
size_t len;
size_t hlen = strlen(hostname);

if(hostname[0] == '[') {
char dest[16]; /* fits a binary IPv6 address */
const char *l = "0123456789abcdefABCDEF::.";
hostname++;
l = "0123456789abcdefABCDEF::.";
hlen -= 2;
}

if(l) {
if(hostname[hlen] != ']')
return CURLUE_MALFORMED_INPUT;

/* only valid letters are ok */
len = strspn(hostname, l);
if(hlen != len) {
hlen = len;
if(hostname[len] == '%') {
/* this could now be '%[zone id]' */
char zoneid[16];
@@ -628,6 +631,12 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
return CURLUE_MALFORMED_INPUT;
/* hostname is fine */
}
#ifdef ENABLE_IPV6
hostname[hlen] = 0; /* end the address there */
if(1 != Curl_inet_pton(AF_INET6, hostname, dest))
return CURLUE_MALFORMED_INPUT;
hostname[hlen] = ']'; /* restore ending bracket */
#endif
}
else {
/* letters from the second string is not ok */
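Review bot: The new `Curl_inet_pton(AF_INET6, hostname, dest)` check in hostname_check() is compiled only under `#ifdef ENABLE_IPV6`, so a build without that define still accepts a bracketed host on the strspn() character test alone, and the '[ab.be]' case from the commit message would presumably still pass there. The two cases added to tests/libtest/lib1560.c expect CURLUE_MALFORMED_INPUT and appear to sit after the preceding `#endif`, so they would likely fail in such a build unless they are guarded the same way. If bracketed literals are not meant to be usable without IPv6 support, an `#else` branch with `return CURLUE_MALFORMED_INPUT;` would close the gap; otherwise at least add a comment such as `/* without ENABLE_IPV6 only the character set is verified */`. Separately, `char dest[16];` is declared outside the guard and is unused when ENABLE_IPV6 is off, so moving the declaration inside the `#ifdef` block would avoid an unused-variable warning. The body of hostname_check() continues outside the hunks shown, so the zone-id path between them was not reviewed.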
@@ -140,6 +140,10 @@ static struct testcase get_parts_list[] ={
"file | [11] | [12] | [13] | [14] | [15] | C:\\programs\\foo | [16] | [17]",
CURLU_DEFAULT_SCHEME, 0, CURLUE_OK},
#endif
{"http://[ab.be:1]/x", "",
CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
{"http://[ab.be]/x", "",
CURLU_DEFAULT_SCHEME, 0, CURLUE_MALFORMED_INPUT},
/* URL without host name */
{"http://a:b@/x", "",
CURLU_DEFAULT_SCHEME, 0, CURLUE_NO_HOST},
