Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Percent-encoded host names in URLs are not decoded #7830

Closed
bagder opened this issue Oct 8, 2021 · 0 comments
Closed

Percent-encoded host names in URLs are not decoded #7830

bagder opened this issue Oct 8, 2021 · 0 comments
Assignees
Labels

Comments

@bagder
Copy link
Member

@bagder bagder commented Oct 8, 2021

I did this

$ curl https://%63url.se/
curl: (6) Could not resolve host: %63url.se

The percent-encoding in the host name was not acknowledge but is used as-is! The RFC 3986 section for host name says it can be percent encoded!

I expected the following

$ curl https://%63url.se/
[content from https://curl.se]

... since %63 would be decoded to 'c'.

curl/libcurl version

7.79.1 and git master

operating system

any

credits

This flaw was identified by Noam Moshe,Sharon Brizinov, Raul Onitza-Klugman and Kirill Efimov

@bagder bagder added the URL label Oct 8, 2021
@bagder bagder self-assigned this Oct 8, 2021
bagder added a commit that referenced this issue Oct 8, 2021
The host name is stored decoded and is encoded when used to extract the
full URL.

As a bonus, setting the host name part with curl_url_set() no longer
accepts a name that contains space, CR of LF.

Test 1560 has been extended to verify.

Reported-by: Noam Moshe
Reported-by: Sharon Brizinov
Reported-by: Raul Onitza-Klugman
Reported-by: Kirill Efimov
Fixes #7830
bagder added a commit that referenced this issue Oct 10, 2021
The host name is stored decoded and can be encoded when used to extract
the full URL. By default when extracting the URL, the host name will not
be URL encoded to work as similas as possible as before. When not URL
encoding the host name, the '%' character will however still be encoded.

As a bonus, setting the host name part with curl_url_set() no longer
accepts a name that contains space, CR of LF.

Test 1560 has been extended to verify.

Reported-by: Noam Moshe
Reported-by: Sharon Brizinov
Reported-by: Raul Onitza-Klugman
Reported-by: Kirill Efimov
Fixes #7830
bagder added a commit that referenced this issue Oct 10, 2021
The host name is stored decoded and can be encoded when used to extract
the full URL. By default when extracting the URL, the host name will not
be URL encoded to work as similar as possible as before. When not URL
encoding the host name, the '%' character will however still be encoded.

As a bonus, setting the host name part with curl_url_set() no longer
accepts a name that contains space, CR of LF.

Test 1560 has been extended to verify.

Reported-by: Noam Moshe
Reported-by: Sharon Brizinov
Reported-by: Raul Onitza-Klugman
Reported-by: Kirill Efimov
Fixes #7830
bagder added a commit that referenced this issue Oct 11, 2021
The host name is stored decoded and can be encoded when used to extract
the full URL. By default when extracting the URL, the host name will not
be URL encoded to work as similar as possible as before. When not URL
encoding the host name, the '%' character will however still be encoded.

Getting the URL with the CURLU_URLENCODE flag set will encode the host name
part.

As a bonus, setting the host name part with curl_url_set() no longer
accepts a name that contains space, CR or LF.

Test 1560 has been extended to verify percent encodings.

Reported-by: Noam Moshe
Reported-by: Sharon Brizinov
Reported-by: Raul Onitza-Klugman
Reported-by: Kirill Efimov
Fixes #7830
@bagder bagder closed this in 9a8564a Oct 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

1 participant