From d74c0ada4e317566f19b4fac44d91a9eaa93d2bf Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sun, 17 May 2026 00:27:30 +0200
Subject: [PATCH] urlapi: prevent a terminal `.0x` component to normalize IPv4

Extend test 1560 to verify
Follow-up to 831a1514843bfa4d4d006627
Spotted by Codex Security
Closes #21652
---
 lib/urlapi.c | 2 ++
 tests/libtest/lib1560.c | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/lib/urlapi.c b/lib/urlapi.c
index 71f2756ca0..dfb106dd2f 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -523,6 +523,8 @@ UNITTEST int ipv4_normalize(struct dynbuf *host)
 if(c[1] == 'x') {
 c += 2; /* skip the prefix */
 rc = curlx_str_hex(&c, &l, UINT_MAX);
+ if(rc)
+ return HOST_NAME;
 }
 else
 rc = curlx_str_octal(&c, &l, UINT_MAX);
diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
index 533a44e983..3eeed6b694 100644
--- a/tests/libtest/lib1560.c
+++ b/tests/libtest/lib1560.c
@@ -625,6 +625,10 @@ static const struct testcase get_parts_list[] = {
 };
 
 static const struct urltestcase get_url_list[] = {
+ {"https://127.1.0x", "https://127.1.0x/", 0, 0, CURLUE_OK},
+ {"https://127.0x", "https://127.0x/", 0, 0, CURLUE_OK},
+ {"https://127.0x.1", "https://127.0x.1/", 0, 0, CURLUE_OK},
+ {"https://127.1.1.0x", "https://127.1.1.0x/", 0, 0, CURLUE_OK},
 {"https://127.1.", "https://127.0.0.1/", 0, 0, CURLUE_OK},
 {"https://127.1.:443", "https://127.0.0.1:443/", 0, 0, CURLUE_OK},
 {"https://127.1.?moo", "https://127.0.0.1/?moo", 0, 0, CURLUE_OK},
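Review bot: In the lib/urlapi.c hunk, the added `if(rc) return HOST_NAME;` in the `0x` branch of ipv4_normalize carries no comment explaining why the hex parse needs its own early exit while the octal call in the `else` still leaves `rc` to whatever follows the hunk. The hex path is the only one visible here that advances `c` past a prefix before parsing, so a comment such as `/* "0x" with no hex digits is not a number: keep it as a host name */` would record the reason next to the check. The check fires on any non-zero `rc`, so it is worth confirming that an out-of-range hex value (the call passes `UINT_MAX` as the limit) is meant to take the same path. The rest of ipv4_normalize, including how `rc` is handled after the if/else, lies outside the hunk.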
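Review bot: In the tests/libtest/lib1560.c hunk, the four added get_url_list entries cover a digit-less `0x` as the last and as a middle component, but not as the first component or combined with the port and query forms that the `https://127.1.` entries right below them exercise. Entries such as `{"https://0x.1", "https://0x.1/", 0, 0, CURLUE_OK},` and `{"https://127.1.0x:443", "https://127.1.0x:443/", 0, 0, CURLUE_OK},` would pin those paths too; both are constructed here, and their expected strings assume the host is left unnormalized. A one-line comment above the group, e.g. `/* "0x" without digits is a host name, not an IPv4 number */`, would tell the next reader why these inputs must not be rewritten to a numeric address.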