urlapi: verify the last letter of a scheme when set explictly

A logic error made the function not check the last character, which thus could make it accept invalid schemes. Added test 1965 to verify Reported-by: Otis Cui Lei Closes #20893
2026-04-28 19:22:12 +03:00 · 2026-03-11 22:36:24 +01:00 · 2026-03-11 22:36:24 +01:00 · 11c14b5ca5
commit 11c14b5ca5
parent 5fc7d50cec
5 changed files with 103 additions and 2 deletions
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@ -1649,6 +1649,7 @@ static CURLUcode set_url_scheme(CURLU *u, const char *scheme,
    const char *s = scheme;
    if(ISALPHA(*s)) {
      /* ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
+      s++;
      while(--plen) {
        if(ISALNUM(*s) || (*s == '+') || (*s == '-') || (*s == '.'))
          s++; /* fine */
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -239,7 +239,8 @@ test1916 test1917 test1918 test1919 test1920 \
 \
 test1933 test1934 test1935 test1936 test1937 test1938 test1939 test1940 \
 test1941 test1942 test1943 test1944 test1945 test1946 test1947 test1948 \
-test1955 test1956 test1957 test1958 test1959 test1960 test1964 \
+test1955 test1956 test1957 test1958 test1959 test1960 test1964 test1965 \
+\
 test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 \
 test1978 test1979 test1980 test1981 \
 \
--- a/tests/data/test1965
+++ b/tests/data/test1965
@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+urlapi
+curl_url_set
+</keywords>
+</info>
+
+<client>
+<name>
+curl_url_set() different schemes
+</name>
+<tool>
+lib%TESTNUMBER
+</tool>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<stdout mode="text">
+bad! REJECTED
+bad{ REJECTED
+bad/ REJECTED
+bad\ REJECTED
+a! REJECTED
+a+123 ACCEPTED
+http-2 ACCEPTED
+http.1 ACCEPTED
+a+-.123 ACCEPTED
+http-+++2 ACCEPTED
+http.1-- ACCEPTED
+a123 REJECTED
+-http2 REJECTED
+.http1 REJECTED
+ABC2 ACCEPTED
+2CBA REJECTED
+ REJECTED
+a ACCEPTED
+aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd ACCEPTED
+aaaaaaaaaabbbbbbbbbbccccccccccdddddddddde REJECTED
+</stdout>
+</verify>
+</testcase>
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
@ -108,7 +108,7 @@ TESTS_C = \
  lib1940.c                                         lib1945.c \
  lib1947.c lib1948.c \
  lib1955.c lib1956.c lib1957.c lib1958.c lib1959.c lib1960.c \
-  lib1964.c                                                   lib1970.c \
+  lib1964.c lib1965.c                                         lib1970.c \
  lib1971.c lib1972.c lib1973.c lib1974.c lib1975.c lib1977.c lib1978.c \
  lib2023.c lib2032.c lib2082.c \
  lib2301.c lib2302.c lib2304.c           lib2306.c lib2308.c lib2309.c \
--- a/tests/libtest/lib1965.c
+++ b/tests/libtest/lib1965.c
@ -0,0 +1,55 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+#include "first.h"
+
+static CURLcode test_lib1965(const char *URL)
+{
+  CURLcode result = CURLE_OK;
+  CURLUcode rc;
+  const char *schemes[] = {
+    "bad!", "bad{", "bad/", "bad\\", "a!",
+    "a+123", "http-2", "http.1",
+    "a+-.123", "http-+++2", "http.1--",
+    "+a123", "-http2", ".http1",
+    "ABC2", "2CBA", "", "a",
+    "aaaaaaaaaabbbbbbbbbbccccccccccdddddddddd",
+    "aaaaaaaaaabbbbbbbbbbccccccccccdddddddddde",
+    NULL};
+  int i;
+  (void) URL;
+
+  global_init(CURL_GLOBAL_ALL);
+
+  for(i = 0; schemes[i]; i++) {
+    CURLU *url = curl_url();
+    rc = curl_url_set(url, CURLUPART_SCHEME, schemes[i],
+                      CURLU_NON_SUPPORT_SCHEME);
+    curl_mprintf("%s %s\n", schemes[i],
+                 rc == CURLUE_OK ? "ACCEPTED" : "REJECTED");
+    curl_url_cleanup(url);
+  }
+
+  curl_global_cleanup();
+  return result;
+}