[PATCH 1/1] wget: don't allow control characters or spaces in the URL
Radoslav Kolev
radoslav.kolev at suse.com
Wed Nov 12 17:50:54 UTC 2025
Fixes CVE-2025-60876 malicious URL can be used to inject
HTTP headers in the request.
Signed-off-by: Radoslav Kolev <radoslav.kolev at suse.com>
---
networking/wget.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/networking/wget.c b/networking/wget.c
index ec3767793..b8a6d02bb 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h)
{
char *url, *p, *sp;
+ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */
+ /* otherwise a malicious URL can be used to inject HTTP headers in the request */
+ unsigned char *u = (void *) src_url;
+ while (*u) {
+ if (*u <= ' ')
+ bb_simple_error_msg_and_die("Unencoded control character found in the URL!");
+ u++;
+ }
+
free(h->allocated);
h->allocated = url = xstrdup(src_url);
--
2.51.1
More information about the busybox
mailing list