1From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001 2From: Daniel Stenberg <daniel@haxx.se> 3Date: Mon, 9 May 2022 08:19:38 +0200 4Subject: [PATCH] urlapi: reject percent-decoding host name into separator 5 bytes 6 7CVE-2022-27780 8 9Reported-by: Axel Chong 10Bug: https://curl.se/docs/CVE-2022-27780.html 11Closes #8826 12 13Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a] 14Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> 15--- 16 lib/urlapi.c | 4 ++-- 17 1 file changed, 2 insertions(+), 2 deletions(-) 18 19diff --git a/lib/urlapi.c b/lib/urlapi.c 20index ff00ee4..00222fc 100644 21--- a/lib/urlapi.c 22+++ b/lib/urlapi.c 23@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) 24 #endif 25 } 26 else { 27- /* letters from the second string is not ok */ 28- len = strcspn(hostname, " \r\n"); 29+ /* letters from the second string are not ok */ 30+ len = strcspn(hostname, " \r\n\t/:#?!@"); 31 if(hlen != len) 32 /* hostname with bad content */ 33 return CURLUE_BAD_HOSTNAME; 34