Percent-encoded host names in URLs are not decoded #7830
Assignees
Labels
Comments
bagder
added a commit
that referenced
this issue
Oct 8, 2021
The host name is stored decoded and is encoded when used to extract the full URL. As a bonus, setting the host name part with curl_url_set() no longer accepts a name that contains space, CR of LF. Test 1560 has been extended to verify. Reported-by: Noam Moshe Reported-by: Sharon Brizinov Reported-by: Raul Onitza-Klugman Reported-by: Kirill Efimov Fixes #7830
bagder
added a commit
that referenced
this issue
Oct 10, 2021
The host name is stored decoded and can be encoded when used to extract the full URL. By default when extracting the URL, the host name will not be URL encoded to work as similas as possible as before. When not URL encoding the host name, the '%' character will however still be encoded. As a bonus, setting the host name part with curl_url_set() no longer accepts a name that contains space, CR of LF. Test 1560 has been extended to verify. Reported-by: Noam Moshe Reported-by: Sharon Brizinov Reported-by: Raul Onitza-Klugman Reported-by: Kirill Efimov Fixes #7830
bagder
added a commit
that referenced
this issue
Oct 10, 2021
The host name is stored decoded and can be encoded when used to extract the full URL. By default when extracting the URL, the host name will not be URL encoded to work as similar as possible as before. When not URL encoding the host name, the '%' character will however still be encoded. As a bonus, setting the host name part with curl_url_set() no longer accepts a name that contains space, CR of LF. Test 1560 has been extended to verify. Reported-by: Noam Moshe Reported-by: Sharon Brizinov Reported-by: Raul Onitza-Klugman Reported-by: Kirill Efimov Fixes #7830
bagder
added a commit
that referenced
this issue
Oct 11, 2021
The host name is stored decoded and can be encoded when used to extract the full URL. By default when extracting the URL, the host name will not be URL encoded to work as similar as possible as before. When not URL encoding the host name, the '%' character will however still be encoded. Getting the URL with the CURLU_URLENCODE flag set will encode the host name part. As a bonus, setting the host name part with curl_url_set() no longer accepts a name that contains space, CR or LF. Test 1560 has been extended to verify percent encodings. Reported-by: Noam Moshe Reported-by: Sharon Brizinov Reported-by: Raul Onitza-Klugman Reported-by: Kirill Efimov Fixes #7830
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
bagder commentedOct 8, 2021
I did this
The percent-encoding in the host name was not acknowledge but is used as-is! The RFC 3986 section for host name says it can be percent encoded!
I expected the following
... since %63 would be decoded to 'c'.
curl/libcurl version
7.79.1 and git master
operating system
any
credits
This flaw was identified by Noam Moshe,Sharon Brizinov, Raul Onitza-Klugman and Kirill Efimov
The text was updated successfully, but these errors were encountered: