Commit Graph

15 Commits

Author SHA1 Message Date
Daniel Stenberg
75ca568fa1 URL sanitize: reject URLs containing bad data
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
decoded manner now use the new Curl_urldecode() function to reject URLs
with embedded control codes (anything that is or decodes to a byte value
less than 32).

URLs containing such codes could easily otherwise be used to do harm and
allow users to do unintended actions with otherwise innocent tools and
applications. Like for example using a URL like
pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
a mail and instead this would delete one.

This flaw is considered a security vulnerability: CVE-2012-0036

Security advisory at: http://curl.haxx.se/docs/adv_20120124.html

Reported by: Dan Fandrich
2012-01-24 08:54:26 +01:00
Daniel Stenberg
2309b4e330 remove the CVSish $Id$ lines 2010-03-24 11:02:54 +01:00
Daniel Stenberg
5a4b43848a First commit of David McCreedy's EBCDIC and TPF changes. 2006-04-07 21:50:47 +00:00
Daniel Stenberg
bda1e9aeab Made the copyright year match the latest modification's year. 2006-01-09 13:17:14 +00:00
Daniel Stenberg
43b3954fa5 kill trailing whitespace 2005-10-31 08:47:54 +00:00
Daniel Stenberg
053f6c85ef updated year in the copyright string 2004-01-07 09:19:33 +00:00
Daniel Stenberg
f26a338a54 copyright year update in the source header 2003-01-16 21:08:12 +00:00
Daniel Stenberg
ba4e69bebc updated source code boilerplate/header 2002-09-03 11:52:59 +00:00
Daniel Stenberg
974f314f57 copyright string (year) update 2002-03-19 07:54:55 +00:00
Daniel Stenberg
08655d8d5d Georg Huettenegger's patch curl-7.8.1-pre5-patch-20010819 2001-08-21 13:18:07 +00:00
Daniel Stenberg
f8d883355d the new escape/unescape function setup 2001-03-22 11:40:58 +00:00
Daniel Stenberg
24dee483e9 dual-license fix 2001-01-03 09:29:33 +00:00
Daniel Stenberg
1ef3600a07 haxx.nu => haxx.se 2000-06-20 15:31:26 +00:00
Daniel Stenberg
96dde76b99 moved here from the newlib branch 2000-05-22 14:12:12 +00:00
Daniel Stenberg
ae1912cb0d Initial revision 1999-12-29 14:20:26 +00:00