url: do not allow %00 to represent NUL in URLs

There is no reason to allow %00 to terminate a string, so do not allow it.
Otherwise, we end up returning arbitrary content in the string (that which is
after the %00) which is effectively hidden from callers and can escape sanity
checks and validation, and possible be used in tandem with a security
vulnerability to introduce a payload.

Helped-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Matthew DeVore <matvore@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/url.c b/url.c
index 9ea9d5611b73c024b42b0808841a143d50905b14..1b8ef78ceab03784ad48f8411b20669e2ea1ea1f 100644 (file)
--- a/url.c
+++ b/url.c
@@ -48,7 +48,7 @@ static char *url_decode_internal(const char **query, int len,
 
                if (c == '%' && (len < 0 || len >= 3)) {
                        int val = hex2chr(q + 1);
-                       if (0 <= val) {
+                       if (0 < val) {
                                strbuf_addch(out, val);
                                q += 3;
                                len -= 3;