diff options
| author | Daniel Silverstone <dsilvers@netsurf-browser.org> | 2024-05-24 21:49:33 +0100 |
|---|---|---|
| committer | Daniel Silverstone <dsilvers@netsurf-browser.org> | 2024-05-24 21:51:35 +0100 |
| commit | 4a50da326a6fc27da1be1edf068ab50ea919384e (patch) | |
| tree | e945c2b49edbd26c57b46b16938b08b422934ab6 /utils/nsurl/parse.c | |
| parent | 506f4b14bb51cf69d8d4b8722e0ba2f47e49f301 (diff) | |
| download | netsurf-4a50da326a6fc27da1be1edf068ab50ea919384e.tar.gz netsurf-4a50da326a6fc27da1be1edf068ab50ea919384e.tar.bz2 | |
nsurl: Reject URLs with invalid host components
The host component, by the time we hit the validation code, should
be a valid DNS name. In theory it could also be an IPv6 address,
but those are far more painful to deal with so we're ignoring that
opportunity for now.
This fixes a problem where the search_web_omni logic would fail
to generate a search because nsurl_create() succeeded even though
it shouldn't have.
Signed-off-by: Daniel Silverstone <dsilvers@netsurf-browser.org>
Diffstat (limited to 'utils/nsurl/parse.c')
| -rw-r--r-- | utils/nsurl/parse.c | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/utils/nsurl/parse.c b/utils/nsurl/parse.c index dbf0c6e2c..186a1a2f1 100644 --- a/utils/nsurl/parse.c +++ b/utils/nsurl/parse.c @@ -32,6 +32,7 @@ */ #include <assert.h> +#include <ctype.h> #include <libwapcaplet/libwapcaplet.h> #include <stdlib.h> #include <string.h> @@ -1256,6 +1257,29 @@ void nsurl__calc_hash(nsurl *url) url->hash = hash; } +/** + * Check that a hostname is valid + * + * Valid hostnames are valid DNS names. This means they must consist only of + * the ASCII characters a-z A-Z 0-9 '.' or '-'. + * + * \param host The hostname to check + * \return NSERROR_OK if the hostname is valid + */ +static nserror nsurl__check_host_valid(lwc_string *host) +{ + const char *chptr = lwc_string_data(host); + size_t nchrs = lwc_string_length(host); + + while (nchrs--) { + const char ch = *chptr++; + if (!isalnum(ch) && !(ch == '.' || ch == '-')) { + /* Not alphanumeric dot or dash */ + return NSERROR_INVALID; + } + } + return NSERROR_OK; +} /****************************************************************************** * NetSurf URL Public API * @@ -1313,6 +1337,11 @@ nserror nsurl_create(const char * const url_s, nsurl **url) nsurl__components_destroy(&c); return NSERROR_BAD_URL; } + /* host names must be a-z 0-9 hyphen and dot only */ + if (nsurl__check_host_valid(c.host) != NSERROR_OK) { + nsurl__components_destroy(&c); + return NSERROR_BAD_URL; + } } e = nsurl__components_to_string(&c, NSURL_WITH_FRAGMENT, |