Don't allow ASCII control character in URLs (#790)

* Don't allow ASCII control character in URLs * Add tests
author: Erik Dubbelboer <erik@dubbelboer.com> 2020-04-25 20:54:59 +0200
committer: GitHub <noreply@github.com> 2020-04-25 20:54:59 +0200
commit: 079f39bddceb89b52f80952dd9beed0a8fc331d2 (patch)
tree: e16c30b14b4e16a397685a6eada20926fde3bf2b /uri.go
parent: Fix integer overflow handling in parseUintBuf() (#789) (diff)
download: fasthttp-079f39bddceb89b52f80952dd9beed0a8fc331d2.tar.gz
fasthttp-079f39bddceb89b52f80952dd9beed0a8fc331d2.tar.bz2
fasthttp-079f39bddceb89b52f80952dd9beed0a8fc331d2.zip
1 files changed, 15 insertions, 0 deletions
diff --git a/uri.go b/uri.go
index c9a81d4..9d64db8 100644
--- a/uri.go
+++ b/uri.go
@@ -263,6 +263,10 @@ func (u *URI) Parse(host, uri []byte) {
 func (u *URI) parse(host, uri []byte, isTLS bool) {
 	u.Reset()
 
+	if stringContainsCTLByte(uri) {
+		return
+	}
+
 	if len(host) == 0 || bytes.Contains(uri, strColonSlashSlash) {
 		scheme, newHost, newURI := splitHostURI(host, uri)
 		u.scheme = append(u.scheme, scheme...)
@@ -581,3 +585,14 @@ func (u *URI) parseQueryArgs() {
 	u.queryArgs.ParseBytes(u.queryString)
 	u.parsedQueryArgs = true
 }
+
+// stringContainsCTLByte reports whether s contains any ASCII control character.
+func stringContainsCTLByte(s []byte) bool {
+	for i := 0; i < len(s); i++ {
+		b := s[i]
+		if b < ' ' || b == 0x7f {
+			return true
+		}
+	}
+	return false
+}
author	Erik Dubbelboer <erik@dubbelboer.com>	2020-04-25 20:54:59 +0200
committer	GitHub <noreply@github.com>	2020-04-25 20:54:59 +0200
commit	079f39bddceb89b52f80952dd9beed0a8fc331d2 (patch)
tree	e16c30b14b4e16a397685a6eada20926fde3bf2b /uri.go
parent	Fix integer overflow handling in parseUintBuf() (#789) (diff)
download	fasthttp-079f39bddceb89b52f80952dd9beed0a8fc331d2.tar.gz fasthttp-079f39bddceb89b52f80952dd9beed0a8fc331d2.tar.bz2 fasthttp-079f39bddceb89b52f80952dd9beed0a8fc331d2.zip