Commit 23563255 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

David Balazic pointed out the lack of checks for a valid %XX code when 

we unescape a string. We now check and decode only valid %XX strings.
parent d78ec593

lib/escape.c

+20 −7
Original line number Diff line number Diff line
@@ -79,6 +79,10 @@ char *curl_escape(const char *string, int length) 
  return ns;

}



#define ishex(in) ((in >= 'a' && in <= 'f') || \

                   (in >= 'A' && in <= 'F') || \

                   (in >= '0' && in <= '9'))



char *curl_unescape(const char *string, int length)

{

  int alloc = (length?length:(int)strlen(string))+1;
@@ -93,14 +97,20 @@ char *curl_unescape(const char *string, int length) 
  

  while(--alloc > 0) {

    in = *string;

    if('%' == in) {

      /* encoded part */

      if(sscanf(string+1, "%02X", &hex)) {

    if(('%' == in) && ishex(string[1]) && ishex(string[2])) {

      /* this is two hexadecimal digits following a '%' */

      char hexstr[3];

      char *ptr;

      hexstr[0] = string[1];

      hexstr[1] = string[2];

      hexstr[2] = 0;



      hex = strtol(hexstr, &ptr, 16);



      in = hex;

      string+=2;

      alloc-=2;

    }

    }

    

    ns[index++] = in;

    string++;
@@ -109,6 +119,9 @@ char *curl_unescape(const char *string, int length) 
  return ns;

}



/* For operating systems/environments that use different malloc/free

   ssystems for the app and for this library, we provide a free that uses

   the library's memory system */

void curl_free(void *p)

{

  free(p);