From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 May 2022 08:19:38 +0200 Subject: [PATCH] urlapi: reject percent-decoding host name into separator bytes CVE-2022-27780 Reported-by: Axel Chong Bug: https://curl.se/docs/CVE-2022-27780.html Closes #8826 Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a] Signed-off-by: Robert Joslyn --- lib/urlapi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/urlapi.c b/lib/urlapi.c index ff00ee4..00222fc 100644 --- a/lib/urlapi.c +++ b/lib/urlapi.c @@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) #endif } else { - /* letters from the second string is not ok */ - len = strcspn(hostname, " \r\n"); + /* letters from the second string are not ok */ + len = strcspn(hostname, " \r\n\t/:#?!@"); if(hlen != len) /* hostname with bad content */ return CURLUE_BAD_HOSTNAME;