Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

urlapi: reject spaces in URLs, allow if flagbit set #7073

Closed
wants to merge 1 commit into from

Conversation

@bagder
Copy link
Member

@bagder bagder commented May 15, 2021

They were never officially allowed and slipped in only due to sloppy
parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
being part of a URL.

The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl allow spaces.

@bagder bagder marked this pull request as draft May 15, 2021
@bagder bagder force-pushed the bagder/url_set-space branch from fb5bbd6 to 0db4cc7 May 15, 2021
@bagder bagder changed the title urlapi: reject spaces in URLs urlapi: reject spaces in URLs, allow if flagbit set May 15, 2021
bagder added a commit that referenced this pull request May 15, 2021
They were never officially allowed and slipped in only due to sloppy
parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
being part of a URL.

The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
allow spaces.

Closes #7073
@bagder bagder force-pushed the bagder/url_set-space branch from 0db4cc7 to 5c444ab May 15, 2021
@bagder bagder marked this pull request as ready for review May 24, 2021
bagder added a commit that referenced this pull request May 24, 2021
They were never officially allowed and slipped in only due to sloppy
parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
being part of a URL.

The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
allow spaces.

Updated test 1560 to verify.

Closes #7073
@bagder bagder force-pushed the bagder/url_set-space branch from 5c444ab to 40658cd May 24, 2021
};
size_t n = strlen(part);
size_t nfine = strcspn(part, badbytes);
if(nfine != n)
/* since we don't know which part is scanned, return a generic error
code */
return CURLUE_MALFORMED_INPUT;
return TRUE;
if(!(flags & CURLU_ALLOW_SPACE) && strchr(part, ' '))

This comment has been minimized.

@emilengler

emilengler May 30, 2021
Contributor

Cant you use ~ instead of a negotiated AND here?

This comment has been minimized.

@bagder

bagder May 30, 2021
Author Member

How would that work? I can't see how that would make the condition more readable.

They were never officially allowed and slipped in only due to sloppy
parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
being part of a URL.

The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
allow spaces.

Updated test 1560 to verify.

Closes #7073
@bagder bagder force-pushed the bagder/url_set-space branch from 40658cd to 313a9bd Jun 1, 2021
@jay
Copy link
Member

@jay jay commented Jun 13, 2021

@bagder did you intend to merge this? I notice you removed next-feature-window a while back.

@bagder
Copy link
Member Author

@bagder bagder commented Jun 14, 2021

I did mean to do that. I've hesitated a little but I'll move forward on this again in a bit.

@bagder bagder closed this in b67d3ba Jun 15, 2021
@bagder bagder deleted the bagder/url_set-space branch Jun 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants