diff options
author | Matthew DeVore <matvore@google.com> | 2019-06-04 10:57:05 -0700 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2019-06-04 14:48:25 -0700 |
commit | d37dc239a427a367427f9c4fdf12a148ad811968 (patch) | |
tree | 1bb79a242be4a4ffd8361a8b98eed573b2eb66ad /trace.c | |
parent | url: do not read past end of buffer (diff) | |
download | tgif-d37dc239a427a367427f9c4fdf12a148ad811968.tar.xz |
url: do not allow %00 to represent NUL in URLs
There is no reason to allow %00 to terminate a string, so do not allow it.
Otherwise, we end up returning arbitrary content in the string (that which is
after the %00) which is effectively hidden from callers and can escape sanity
checks and validation, and possible be used in tandem with a security
vulnerability to introduce a payload.
Helped-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Matthew DeVore <matvore@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'trace.c')
0 files changed, 0 insertions, 0 deletions