Make url decoding more bulletproof

79c44342 · Ben Straub · d6eb3f9c · 79c44342 · 79c44342
Commit 79c44342 authored Nov 05, 2013 by Ben Straub
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 14 deletions

src/netops.c
+7 -12

tests-clar/network/urlparse.c
+2 -2

No files found.
--- a/src/netops.c
+++ b/src/netops.c
@@ -658,23 +658,18 @@ void gitno_connection_data_free_ptrs(gitno_connection_data *d)
 	git__free(d->pass); d->pass = NULL;
 }
-static char unescape_hex(char *x)
+#define hex2c(c) ((c | 32) % 39 - 9)
-{
-	char digit;
-	digit =  ((x[0] >= 'A') ? ((x[0] & 0xdf) - 'A')+10 : (x[0] - '0'));
-	digit *= 16;
-	digit += ((x[1] >= 'A') ? ((x[1] & 0xdf) - 'A')+10 : (x[1] - '0'));
-	return digit;
-}
 static char* unescape(char *str)
 {
 	int x, y;
+	int len = strlen(str);
-	for (x=y=0; str[x]; ++x, ++y) {
+	for (x=y=0; str[y]; ++x, ++y) {
 		if ((str[x] = str[y]) == '%') {
-			str[x] = unescape_hex(str+y+1);
+			if (y < len-2 && isxdigit(str[y+1]) && isxdigit(str[y+2])) {
-			y += 2;
+				str[x] = (hex2c(str[y+1]) << 4) + hex2c(str[y+2]);
+				y += 2;
+			}
 		}
 	}
 	str[x] = '\0';

--- a/tests-clar/network/urlparse.c
+++ b/tests-clar/network/urlparse.c
@@ -130,12 +130,12 @@ void test_network_urlparse__connection_data_ssl(void)
 void test_network_urlparse__encoded_username_password(void)
 {
 	cl_git_pass(gitno_connection_data_from_url(&conndata,
-				"https://user%2fname:pass%40word@example.com/foo/bar/baz", "bar/baz"));
+				"https://user%2fname:pass%40word%zyx%v@example.com/foo/bar/baz", "bar/baz"));
 	cl_assert_equal_s(conndata.host, "example.com");
 	cl_assert_equal_s(conndata.port, "443");
 	cl_assert_equal_s(conndata.path, "/foo/");
 	cl_assert_equal_s(conndata.user, "user/name");
-	cl_assert_equal_s(conndata.pass, "pass@word");
+	cl_assert_equal_s(conndata.pass, "pass@word%zyx%v");
 	cl_assert_equal_i(conndata.use_ssl, true);
 }