From 933c34e873d67d25a84805d8c8a86ee7fbf3731d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 3 Mar 2026 18:50:20 +0100
Subject: [PATCH] tool_operate: reset the URL --url-query between --next Pointed out by Codex Security Verify in test 1624 Closes #20802
---
 src/tool_cfgable.h | 2 +-
 src/tool_operate.c | 10 ++++----
 tests/data/Makefile.am | 2 +-
 tests/data/test1624 | 57 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 64 insertions(+), 7 deletions(-)
 create mode 100644 tests/data/test1624
diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h
index 9bd1f59bc9..4af31b802e 100644
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@@ -45,7 +45,6 @@ struct State {
 struct getout *urlnode;
 struct URLGlob inglob;
 struct URLGlob urlglob;
- char *httpgetfields;
 char *uploadfile;
 curl_off_t upnum; /* number of files to upload */
 curl_off_t upidx; /* index for upload glob */
@@ -143,6 +142,7 @@ struct OperationConfig {
 char *krblevel;
 char *request_target;
 char *writeout; /* %-styled format string to output */
+ char *httpgetfields;
 struct curl_slist *quote;
 struct curl_slist *postquote;
 struct curl_slist *prequote;
diff --git a/src/tool_operate.c b/src/tool_operate.c
index cf900364f7..9a29b8e34c 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -1359,8 +1359,8 @@ static CURLcode create_single(struct OperationConfig *config,
 global->isatty = orig_isatty;
 }
- if(state->httpgetfields) {
- result = append2query(config, per, state->httpgetfields);
+ if(config->httpgetfields) {
+ result = append2query(config, per, config->httpgetfields);
 if(result)
 return result;
 }
@@ -1406,7 +1406,7 @@ static CURLcode single_transfer(struct OperationConfig *config,
 {
 CURLcode result = CURLE_OK;
 struct State *state = &global->state;
- char *httpgetfields = state->httpgetfields;
+ char *httpgetfields = config->httpgetfields;
 *skipped = *added = FALSE; /* not yet */
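Review bot: The `char *httpgetfields;` member added to `struct OperationConfig` in src/tool_cfgable.h has no comment, unlike `writeout` directly above it, and its ownership is not obvious from the name. In src/tool_operate.c it either takes over the buffer from `config->postfields` (hunk at 1414) or points at `config->query` (hunk at 1425), so I would say that on the field: `char *httpgetfields; /* query data for this operation: taken over from postfields or aliasing query */`. Recording that it is per-operation also explains why it moved out of `struct State`: data such as the `token=secret` used in test 1624 must not carry over to the URL that follows `--next`.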
@@ -1414,7 +1414,7 @@ static CURLcode single_transfer(struct OperationConfig *config,
 if(config->use_httpget) {
 if(!httpgetfields) {
 /* Use the postfields data for an HTTP get */
- httpgetfields = state->httpgetfields = config->postfields;
+ httpgetfields = config->httpgetfields = config->postfields;
 config->postfields = NULL;
 if(SetHTTPrequest((config->no_body ? TOOL_HTTPREQ_HEAD : TOOL_HTTPREQ_GET), &config->httpreq))
@@ -1425,7 +1425,7 @@ static CURLcode single_transfer(struct OperationConfig *config,
 return CURLE_FAILED_INIT;
 }
 if(!httpgetfields)
- state->httpgetfields = config->query;
+ config->httpgetfields = config->query;
 result = set_cert_types(config);
 if(result)
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index c442fa13c2..f39568d3b8 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -214,7 +214,7 @@ test1590 test1591 test1592 test1593 test1594 test1595 test1596 test1597 \
 test1598 test1599 test1600 test1601 test1602 test1603 test1604 test1605 \
 test1606 test1607 test1608 test1609 test1610 test1611 test1612 test1613 \
 test1614 test1615 test1616 test1617 \
-test1620 test1621 test1622 test1623 \
+test1620 test1621 test1622 test1623 test1624 \
 \
 test1630 test1631 test1632 test1633 test1634 test1635 test1636 test1637 \
 \
diff --git a/tests/data/test1624 b/tests/data/test1624
new file mode 100644
index 0000000000..c0a3684801
--- /dev/null
+++ b/tests/data/test1624
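Review bot: Nothing in this patch releases or clears `config->httpgetfields`, yet the hunk at 1414 moves the `config->postfields` buffer into it (and sets `postfields` to NULL) while the hunk at 1425 only makes it alias `config->query`. The cleanup for `struct OperationConfig` is outside this diff, so it is worth confirming that it frees the pointer in the first case and leaves it alone in the second; otherwise the moved buffer is leaked or `query` is released twice. If the two cases cannot be told apart elsewhere, comparing the pointer against `config->query` before freeing would do it. Both hunks sit inside `single_transfer`, whose body starts and ends outside them.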
@@ -0,0 +1,57 @@
+
+
+
+
+HTTP
+--url-query
+--next
+
+
+
+# Server-side
+
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Content-Type: text/html
+Funny-head: yesyes
+
+-foo-
+
+
+
+# Client-side
+
+
+http
+
+
+URL + --url-query with --next and another URL without --url-query
+
+
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --url-query token=secret --next http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+
+
+
+# Verify data after the test has been "shot"
+
+
+GET /%TESTNUMBER?token=secret HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+
+
+
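Review bot: The test covers only the `--url-query` path, so the other assignment of `config->httpgetfields` in `single_transfer`, from `config->postfields` when `use_httpget` is set, is not exercised across `--next`. Before this patch both paths stored into the shared `state->httpgetfields`, so presumably the same carry-over applied to `-G -d` data. A sibling case whose first operation is `-G -d token=secret` and whose second URL has no data, expecting a bare `GET /%TESTNUMBER` for the second request, would pin both assignments against regression.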