From ee0bc809d81bfa283afa0a759a314d473a76d6b3 Mon Sep 17 00:00:00 2001
From: JinWang An
Date: Fri, 19 Feb 2021 09:26:19 +0900
Subject: [CVE-2020-8169] Remove information disclosure vulnerability

curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).

Change-Id: I87a5d5ab358f3b42e9c85c4509f586e420ddfeba
Signed-off-by: JinWang An
---
 Utilities/cmcurl/lib/url.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'Utilities/cmcurl/lib')

diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c
index b39a3ee22..0b1a48ba7 100644
--- a/Utilities/cmcurl/lib/url.c
+++ b/Utilities/cmcurl/lib/url.c
@@ -2872,12 +2872,14 @@ static CURLcode override_login(struct Curl_easy *data,
 /* for updated strings, we update them in the URL */
 if(user_changed) {
- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
+ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
+ CURLU_URLENCODE);
 if(uc)
 return Curl_uc_to_curlcode(uc);
 }
 if(passwd_changed) {
- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
+ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
+ CURLU_URLENCODE);
 if(uc)
 return Curl_uc_to_curlcode(uc);
 }
--
cgit v1.2.3
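Review bot: Nothing at the two `curl_url_set()` calls in `override_login` records why `CURLU_URLENCODE` is required, so a later cleanup could drop the flag and reintroduce CVE-2020-8169; the existing comment only says the strings are updated in the URL. I would extend it to something like `/* credentials are held decoded here; URL-encode them so a '@' in the value cannot be read as the end of the userinfo when the URL is rebuilt */`. That wording assumes `*userp` and `*passwdp` are decoded at this point, which the hunk does not show; if either could already be percent-encoded the flag would double-encode it, so this is worth confirming against the rest of the function, which starts and ends outside the hunk. The diffstat touches only `url.c`, so no regression test exercises a password containing `@`; one would be worth adding if this tree has a place for it.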