From df6c2f7b544f1f35f2a3e0be11f345affeb6fe9c Mon Sep 17 00:00:00 2001
From: Emanuele Torre <torreemanuele6@gmail.com>
Date: Thu, 18 May 2023 10:48:19 +0200
Subject: [PATCH] urlapi: respect CURLU_ALLOW_SPACE and CURLU_NO_AUTHORITY for
 redirects

curl_url_set(uh, CURLUPART_URL, redirurl, flags)  was not respecing
CURLU_ALLOW_SPACE and CURLU_NO_AUTHORITY in the host part of redirurl
when redirecting to an absolute URL.

Closes #11136
---
 lib/urlapi.c            | 16 ++++++++++------
 tests/libtest/lib1560.c |  8 ++++++++
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/lib/urlapi.c b/lib/urlapi.c
index b163db93fc..a7dbd8ee70 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -617,7 +617,8 @@ static CURLUcode ipv6_parse(struct Curl_URL *u, char *hostname,
 }
 
 static CURLUcode hostname_check(struct Curl_URL *u, char *hostname,
-                                size_t hlen) /* length of hostname */
+                                size_t hlen, /* length of hostname */
+                                unsigned int flags)
 {
   size_t len;
   DEBUGASSERT(hostname);
@@ -627,8 +628,10 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname,
   else if(hostname[0] == '[')
     return ipv6_parse(u, hostname, hlen);
   else {
-    /* letters from the second string are not ok */
-    len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,+&()%");
+    static char bad_chars[] = " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,+&()%";
+    len = strcspn(hostname, (flags & CURLU_ALLOW_SPACE)
+                            ? &bad_chars[1] /* space is allowed */
+                            : bad_chars);
     if(hlen != len)
       /* hostname with bad content */
       return CURLUE_BAD_HOSTNAME;
@@ -801,8 +804,9 @@ static CURLUcode parse_authority(struct Curl_URL *u,
     break;
   case HOST_NAME:
     result = urldecode_host(host);
-    if(!result)
-      result = hostname_check(u, Curl_dyn_ptr(host), Curl_dyn_len(host));
+    if(!result && !(flags & CURLU_NO_AUTHORITY))
+      result = hostname_check(u, Curl_dyn_ptr(host), Curl_dyn_len(host),
+                              flags);
     break;
   case HOST_ERROR:
     result = CURLUE_OUT_OF_MEMORY;
@@ -1888,7 +1892,7 @@ nomem:
         /* Skip hostname check, it's allowed to be empty. */
       }
       else {
-        if(!n || hostname_check(u, (char *)newp, n)) {
+        if(!n || hostname_check(u, (char *)newp, n, flags)) {
           free((char *)newp);
           return CURLUE_BAD_HOSTNAME;
         }
diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
index 8d7b4e966e..e81575f43b 100644
--- a/tests/libtest/lib1560.c
+++ b/tests/libtest/lib1560.c
@@ -984,6 +984,14 @@ static const struct redircase set_url_list[] = {
    "../newpage",
    "http://user:foo@example.com/newpage",
    0, 0, CURLUE_OK},
+  {"http://user:foo@example.com/path?query#frag",
+   "http://example org/",
+   "http://example org/",
+   0, CURLU_ALLOW_SPACE, CURLUE_OK},
+  {"http://user:foo@example.com/path?query#frag",
+   "http://?hi",
+   "http:///?hi",
+   0, CURLU_NO_AUTHORITY, CURLUE_OK},
   {NULL, NULL, NULL, 0, 0, CURLUE_OK}
 };