On Wed, Dec 02, 2020 at 03:17:43PM +0100, Claudio Jeker wrote:
> Be stricter in what we accept as URL. Nobody should use silly encodings
> like UTF-8 or other crap in the embedded URLs. I also consider any kind of
> space as a failure (use %20 instead if that is really needed).
>
> This makes later handling of URLs a lot safer (e.g. rpki-client prints
> part of URLs in log messages).

[...] > + /* make sure only US-ASCII chars are in the URL */ > + for (i = 0; i < dsz; i++) { > + if (isalnum(d[i]) || ispunct(d[i])) > + continue;

Should this also check isascii() to ensure that this works as intended in the -portable version? The ENVIRONMENT section of the isalnum() and ispunct() manuals suggests that the characters satisfying this could be locale-dependent on other systems.

If that makes sense, I'd probably go for "isascii() && isgraph()" instead of "isalnum() || ispunct()" on the grounds that taking a subset of ASCII is less likely to result in unwanted things than the union of the somewhat fuzzy locale-dependent classes isalnum() and ispunct().
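
Review bot: in the `if (isalnum(d[i]) || ispunct(d[i]))` test, d[i] reaches the ctype functions without a cast. The declaration of d is outside the quoted lines, but if it is a plain char buffer on a platform where char is signed, every byte above 0x7f becomes a negative argument and the call is undefined, and those are exactly the bytes this loop is meant to reject. Suggest `(unsigned char)d[i]`, or testing isascii(d[i]) first as proposed in the reply, since isascii() is defined for every int value and short-circuits before the second call.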
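
The two checks discussed in the reply, side by side, as an added example that is not part of the original message or of rpki-client. The function names and sample URLs are made up for illustration; the program never calls setlocale(), so it runs in the default "C" locale, where both checks accept the same bytes.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE		/* isascii() is POSIX/BSD, not ISO C */
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Check as quoted in the patch: union of two locale-dependent classes. */
static int quoted_ok(unsigned char c)
{
	return isalnum(c) || ispunct(c);
}

/* Check as suggested in the reply: a subset of ASCII in any locale. */
static int suggested_ok(unsigned char c)
{
	return isascii(c) && isgraph(c);
}

/* Hypothetical helper: offset of the first rejected byte, -1 if none. */
long url_first_bad(const char *d, size_t dsz)
{
	size_t i;
	for (i = 0; i < dsz; i++)
		if (!suggested_ok((unsigned char)d[i]))
			return (long)i;
	return -1;
}

/* Number of byte values on which the two checks disagree right now. */
int count_disagreements(void)
{
	int c, n = 0;
	for (c = 0; c <= 0xff; c++)
		n += !quoted_ok(c) != !suggested_ok(c);
	return n;
}

int main(void)
{
	const char *bad = "rsync://rpki.example.net/re po/";	/* constructed */
	printf("first bad byte at %ld\n", url_first_bad(bad, strlen(bad)));
	printf("disagreements: %d\n", count_disagreements());
	return 0;
}
```

Running count_disagreements() after a setlocale() call on a given platform shows whether the locale dependence raised in the reply actually changes which bytes the quoted check lets through there.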