On 2026-04-19T13:52:45+0800, Kevin J. McCarthy wrote: > Consider %00 an invalid character in a URL. > > Thanks to [email protected] for the security report.
This still has the tab/spaces indentation difference with surrounding code. (I don't care; it's just in case you missed it.) Still, since that's unimportant in stable: Reviewed-by: Alejandro Colomar <[email protected]> > --- > This is 7 in the list evilrabbit sent. > > Also thanks for the comment Alex, but, for me at least I think the > comment makes that last check clearer. Otherwise I have to stop and > think for a second what it's doing. I'm old and slower though! :-) > > url.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/url.c b/url.c > index 19a52443..fddbc6f2 100644 > --- a/url.c > +++ b/url.c > @@ -60,7 +60,9 @@ static int url_pct_decode (char *s) > if (s[1] && s[2] && > isxdigit ((unsigned char) s[1]) && > isxdigit ((unsigned char) s[2]) && > - hexval (s[1]) >= 0 && hexval (s[2]) >= 0) > + hexval(s[1]) >= 0 && hexval(s[2]) >= 0 && > + // check for embedded nul > + (hexval(s[1]) > 0 || hexval(s[2]) > 0)) > { > *d++ = (hexval (s[1]) << 4) | (hexval (s[2])); > s += 2; > -- > 2.53.0 > -- <https://www.alejandro-colomar.es>
signature.asc
Description: PGP signature
