AW: [PATCH v2 1/1] wget: don't allow control characters or spaces in the URL
Walter Harms
wharms at bfs.de
Mon Jan 12 12:57:14 UTC 2026
did you consider isprint() (or friends) ?
jm2c
wh
________________________________________
Von: busybox <busybox-bounces at busybox.net> im Auftrag von Radoslav Kolev <radoslav.kolev at suse.com>
Gesendet: Freitag, 21. November 2025 10:21:18
An: busybox at busybox.net
Betreff: [PATCH v2 1/1] wget: don't allow control characters or spaces in the URL
Fixes CVE-2025-60876 malicious URL can be used to inject
HTTP headers in the request.
Signed-off-by: Radoslav Kolev <radoslav.kolev at suse.com>
Reviewed-by: Emmanuel Deloget <logout at free.fr>
---
networking/wget.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/networking/wget.c b/networking/wget.c
index ec3767793..fa555427b 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h)
{
char *url, *p, *sp;
+ /* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */
+ /* otherwise a malicious URL can be used to inject HTTP headers in the request */
+ const unsigned char *u = (void *) src_url;
+ while (*u) {
+ if (*u <= ' ')
+ bb_simple_error_msg_and_die("Unencoded control character found in the URL!");
+ u++;
+ }
+
free(h->allocated);
h->allocated = url = xstrdup(src_url);
--
2.51.1
_______________________________________________
busybox mailing list
busybox at busybox.net
https://lists.busybox.net/mailman/listinfo/busybox
More information about the busybox
mailing list