Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

curl_url_set fails for encoded hostname #14656

Closed
muttalkadavul opened this issue Aug 23, 2024 · 2 comments
Closed

curl_url_set fails for encoded hostname #14656

muttalkadavul opened this issue Aug 23, 2024 · 2 comments

Comments

@muttalkadavul
Copy link

muttalkadavul commented Aug 23, 2024

I did this

int main() 
{
    std::string input = "resum%33%35.com";
    CURLUcode rc = CURLUE_BAD_HANDLE;
    CURLU *urlh = curl_url();

    rc = curl_url_set(urlh, CURLUPART_HOST, input.c_str(), 0);
    if(rc != CURLUE_OK)
    {
        std::cout << "curlucode = " << rc << std::endl;
        curl_url_cleanup(urlh);
    }
    
    std::cout << "Hostname: " << input << std::endl;
    std::cout << "libcurl version" << curl_version() << std::endl;
    return 0;
} 

I expected the following

I expected it to return CURLUE_OK but got this

curlucode = 21
Hostname: resum%33%35.com
libcurl versionlibcurl/8.9.1 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libpsl/0.21.0

When I run the above code with an older curl I get

Hostname: resum%33%35.com
libcurl versionlibcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3

No error!

curl/libcurl version

libcurl versionlibcurl/8.9.1 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libpsl/0.21.0

operating system

Ubuntu 22.04

@bagder
Copy link
Member

bagder commented Aug 23, 2024

Confirmed. The problem is that the hostname check function is called with the URL encoded host name as input and not the decoded version so it thinks the % in there is invalid.

Regression from 0a0c9b6

PR coming up.

@muttalkadavul
Copy link
Author

That was quick! Thanks!

bagder added a commit that referenced this issue Aug 23, 2024
It was previously wrongly verifying the input in its URL encoded format
when setting the hostname component with curl_url_set(), so it wrongly
rejected '%'.

Now it URL decodes the name appropriately before the check.

Added tests to lib1560 to verify that a fine %-code is okay and that a
bad %-code (that decodes to '%') is rejected.

Regression from 0a0c9b6, shipped in 8.0.0

Fixes #14656
Reported-by: Venkat Krishna R
@bagder bagder closed this as completed in d1394a0 Aug 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

2 participants