diff -uNr '--exclude=*~' curl-7.21.5/lib/escape.c curl-7.21.5-url-sanitize/lib/escape.c --- curl-7.21.5/lib/escape.c 2011-03-19 11:17:13.000000000 -0400 +++ curl-7.21.5-url-sanitize/lib/escape.c 2012-01-27 22:36:54.066212151 -0500 @@ -35,6 +35,7 @@ #include "urldata.h" #include "easyif.h" #include "warnless.h" +#include "escape.h" #define _MPRINTF_REPLACE /* use our functions only */ #include <curl/mprintf.h> @@ -88,7 +89,7 @@ char *testing_ptr = NULL; unsigned char in; /* we need to treat the characters unsigned */ size_t newlen = alloc; - int strindex=0; + size_t strindex=0; size_t length; #ifndef CURL_DOES_CONVERSIONS @@ -143,26 +144,27 @@ } /* - * Unescapes the given URL escaped string of given length. Returns a - * pointer to a malloced string with length given in *olen. - * If length == 0, the length is assumed to be strlen(string). - * If olen == NULL, no output length is stored. + * Curl_urldecode() URL decodes the given string. + * + * Optionally detects control characters (byte codes lower than 32) in the + * data and rejects such data. + * + * Returns a pointer to a malloced string in *ostring with length given in + * *olen. If length == 0, the length is assumed to be strlen(string). */ -char *curl_easy_unescape(CURL *handle, const char *string, int length, - int *olen) +CURLcode Curl_urldecode(struct SessionHandle *data, + const char *string, size_t length, + char **ostring, size_t *olen, + bool reject_ctrl) { - int alloc = (length?length:(int)strlen(string))+1; + size_t alloc = (length?length:strlen(string))+1; char *ns = malloc(alloc); unsigned char in; - int strindex=0; + size_t strindex=0; unsigned long hex; -#ifndef CURL_DOES_CONVERSIONS - /* avoid compiler warnings */ - (void)handle; -#endif if( !ns ) - return NULL; + return CURLE_OUT_OF_MEMORY; while(--alloc > 0) { in = *string; @@ -181,16 +183,20 @@ #ifdef CURL_DOES_CONVERSIONS /* escape sequences are always in ASCII so convert them on non-ASCII hosts */ if(!handle || - (Curl_convert_from_network(handle, &in, 1) != CURLE_OK)) { + (Curl_convert_from_network(data, &in, 1) != CURLE_OK)) { /* Curl_convert_from_network calls failf if unsuccessful */ free(ns); - return NULL; + return res; } #endif /* CURL_DOES_CONVERSIONS */ string+=2; alloc-=2; } + if(reject_ctrl && (in < 0x20)) { + free(ns); + return CURLE_URL_MALFORMAT; + } ns[strindex++] = in; string++; @@ -200,7 +206,33 @@ if(olen) /* store output size */ *olen = strindex; - return ns; + + if(ostring) + /* store output string */ + *ostring = ns; + + return CURLE_OK; +} + +/* + * Unescapes the given URL escaped string of given length. Returns a + * pointer to a malloced string with length given in *olen. + * If length == 0, the length is assumed to be strlen(string). + * If olen == NULL, no output length is stored. + */ +char *curl_easy_unescape(CURL *handle, const char *string, int length, + int *olen) +{ + char *str = NULL; + size_t inputlen = length; + size_t outputlen; + CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, + FALSE); + if(res) + return NULL; + if(olen) + *olen = curlx_uztosi(outputlen); + return str; } /* For operating systems/environments that use different malloc/free diff -uNr '--exclude=*~' curl-7.21.5/lib/escape.h curl-7.21.5-url-sanitize/lib/escape.h --- curl-7.21.5/lib/escape.h 2011-03-19 11:16:07.000000000 -0400 +++ curl-7.21.5-url-sanitize/lib/escape.h 2012-01-27 22:11:59.980378902 -0500 @@ -8,7 +8,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2006, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -25,5 +25,9 @@ /* Escape and unescape URL encoding in strings. The functions return a new * allocated string or NULL if an error occurred. */ +CURLcode Curl_urldecode(struct SessionHandle *data, + const char *string, size_t length, + char **ostring, size_t *olen, + bool reject_crlf); #endif diff -uNr '--exclude=*~' curl-7.21.5/lib/imap.c curl-7.21.5-url-sanitize/lib/imap.c --- curl-7.21.5/lib/imap.c 2011-04-04 18:04:47.000000000 -0400 +++ curl-7.21.5-url-sanitize/lib/imap.c 2012-01-27 22:12:42.934298897 -0500 @@ -953,17 +953,12 @@ struct imap_conn *imapc = &conn->proto.imapc; struct SessionHandle *data = conn->data; const char *path = data->state.path; - int len; if(!*path) path = "INBOX"; /* url decode the path and use this mailbox */ - imapc->mailbox = curl_easy_unescape(data, path, 0, &len); - if(!imapc->mailbox) - return CURLE_OUT_OF_MEMORY; - - return CURLE_OK; + return Curl_urldecode(data, path, 0, &imapc->mailbox, NULL, TRUE); } /* call this when the DO phase has completed */ diff -uNr '--exclude=*~' curl-7.21.5/lib/pop3.c curl-7.21.5-url-sanitize/lib/pop3.c --- curl-7.21.5/lib/pop3.c 2011-04-05 11:07:17.000000000 -0400 +++ curl-7.21.5-url-sanitize/lib/pop3.c 2012-01-27 22:13:32.857586724 -0500 @@ -897,11 +897,7 @@ const char *path = data->state.path; /* url decode the path and use this mailbox */ - pop3c->mailbox = curl_easy_unescape(data, path, 0, NULL); - if (!pop3c->mailbox) - return CURLE_OUT_OF_MEMORY; - - return CURLE_OK; + return Curl_urldecode(data, path, 0, &pop3c->mailbox, NULL, TRUE); } /* call this when the DO phase has completed */ diff -uNr '--exclude=*~' curl-7.21.5/lib/smtp.c curl-7.21.5-url-sanitize/lib/smtp.c --- curl-7.21.5/lib/smtp.c 2011-04-04 18:04:47.000000000 -0400 +++ curl-7.21.5-url-sanitize/lib/smtp.c 2012-01-27 22:15:21.847977858 -0500 @@ -1097,7 +1097,6 @@ struct SessionHandle *data=conn->data; struct pingpong *pp=&smtpc->pp; const char *path = conn->data->state.path; - int len; char localhost[1024 + 1]; *done = FALSE; /* default to not done yet */ @@ -1169,9 +1168,9 @@ } /* url decode the path and use it as domain with EHLO */ - smtpc->domain = curl_easy_unescape(conn->data, path, 0, &len); - if(!smtpc->domain) - return CURLE_OUT_OF_MEMORY; + result = Curl_urldecode(conn->data, path, 0, &smtpc->domain, NULL, TRUE); + if(result) + return result; /* When we connect, we start in the state where we await the server greeting */