Did you consider isprint() (or friends)? jm2c wh

________________________________________
From: busybox <[email protected]> on behalf of Radoslav Kolev <[email protected]>
Sent: Friday, 21 November 2025 10:21:18
To: [email protected]
Subject: [PATCH v2 1/1] wget: don't allow control characters or spaces in the URL
Fixes CVE-2025-60876 malicious URL can be used to inject HTTP headers in the request. Signed-off-by: Radoslav Kolev <[email protected]> Reviewed-by: Emmanuel Deloget <[email protected]> --- networking/wget.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/networking/wget.c b/networking/wget.c index ec3767793..fa555427b 100644 --- a/networking/wget.c +++ b/networking/wget.c @@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h) { char *url, *p, *sp; + /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */ + /* otherwise a malicious URL can be used to inject HTTP headers in the request */ + const unsigned char *u = (void *) src_url; + while (*u) { + if (*u <= ' ') + bb_simple_error_msg_and_die("Unencoded control character found in the URL!"); + u++; + } + free(h->allocated); h->allocated = url = xstrdup(src_url); -- 2.51.1 _______________________________________________ busybox mailing list [email protected] https://lists.busybox.net/mailman/listinfo/busybox _______________________________________________ busybox mailing list [email protected] https://lists.busybox.net/mailman/listinfo/busybox
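Review bot: The error message in the new loop says "control character", but the condition `*u <= ' '` also rejects a plain space (0x20), which the subject line explicitly intends; make the message match, e.g. `bb_simple_error_msg_and_die("Control character or space in the URL!");`, so a user who pasted a URL with an unencoded space understands why it was refused. The range chosen does cover the bytes that matter for request-line and header injection (CR, LF and TAB are all below 0x20), and with `src_url` being a C string the NUL case ends the loop before the comparison, so `<= ' '` is effectively "C0 controls plus space"; a short comment stating that would save the next reader a moment. Style: the two consecutive single-line `/* ... */` comments would read better as one block comment.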
