Merge pull request pocoproject#11 from NSTikhomirov/develop

Security: Throw error if URI contains illegal characters
vitlibar · Aug 13, 2019 · 6216cc0 · 6216cc0
2 parents 7a2d304 + 9c2f856
commit 6216cc0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/Foundation/src/URI.cpp b/Foundation/src/URI.cpp
@@ -719,6 +719,11 @@ unsigned short URI::getWellKnownPort() const
 
 void URI::parse(const std::string& uri)
 {
+	std::for_each(uri.begin(), uri.end(), [] (char ch) {
+		if (static_cast<signed char>(ch) <= 32 || ch == '\x7F')
+			throw URISyntaxException("URI contains invalid characters");
+	});
+
 	std::string::const_iterator it  = uri.begin();
 	std::string::const_iterator end = uri.end();
 	if (it == end) return;

diff --git a/Foundation/testsuite/src/URITest.cpp b/Foundation/testsuite/src/URITest.cpp
@@ -9,6 +9,7 @@
 
 
 #include "URITest.h"
+#include "Poco/Exception.h"
 #include "Poco/CppUnit/TestCaller.h"
 #include "Poco/CppUnit/TestSuite.h"
 #include "Poco/URI.h"
@@ -17,6 +18,7 @@
 
 using Poco::URI;
 using Poco::Path;
+using std::string_literals::operator""s;
 
 
 URITest::URITest(const std::string& rName): CppUnit::TestCase(rName)
@@ -173,6 +175,16 @@ void URITest::testParse()
 	assert (uri.getFragment().empty());
 	assert (!uri.isRelative());
 
+	// security testing (Illegal Characters)
+
+	try {
+		uri = "http\r\n\f\t ://ww\0w.\fappinf\r\n\f\t .com"s;
+		fail("URI contains invalid characters - must throw");
+	}
+	catch (Poco::URISyntaxException&)
+	{
+	}
+
 	uri = "http://www.appinf.com/";
 	assert (uri.getScheme() == "http");
 	assert (uri.getAuthority() == "www.appinf.com");