Merge branch 'md/url-parse-harden'
authorJunio C Hamano <gitster@pobox.com>
Fri, 21 Jun 2019 18:24:12 +0000 (11:24 -0700)
committerJunio C Hamano <gitster@pobox.com>
Fri, 21 Jun 2019 18:24:12 +0000 (11:24 -0700)
The URL decoding code has been updated to avoid going past the end
of the string while parsing a %-<hex>-<hex> sequence.

* md/url-parse-harden:
url: do not allow %00 to represent NUL in URLs
url: do not read past end of buffer

url.c
diff --git a/url.c b/url.c
index 25576c390baa79cb0a203d7f682e8f3442f91a60..1b8ef78ceab03784ad48f8411b20669e2ea1ea1f 100644 (file)
--- a/url.c
+++ b/url.c
@@ -46,9 +46,9 @@ static char *url_decode_internal(const char **query, int len,
                        break;
                }
 
-               if (c == '%') {
+               if (c == '%' && (len < 0 || len >= 3)) {
                        int val = hex2chr(q + 1);
-                       if (0 <= val) {
+                       if (0 < val) {
                                strbuf_addch(out, val);
                                q += 3;
                                len -= 3;
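Review bot: The two new guards, `if (c == '%' && (len < 0 || len >= 3))` and `if (0 < val)`, rely on conventions that are not written down at this spot: a negative `len` appears to mean a NUL-terminated input, and `0 < val` now rejects both an invalid hex pair (negative return) and a decoded NUL. A short comment on each would help, e.g. `/* need '%' plus two hex digits; len < 0 means NUL-terminated input */` and `/* reject bad hex and %00: a decoded NUL would presumably truncate the result when used as a C string */`. Note that `0 < val` still accepts every other control byte (a decoded newline, for instance), so callers that feed the decoded value into line-oriented protocols or files need their own validation. What happens to a rejected sequence is decided in the rest of url_decode_internal, which lies outside this hunk, so it is worth confirming that copying it through literally is the intended outcome rather than reporting an error.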