File wget-don-t-allow-control-characters-in-url.patch of Package busybox

From 9904185c589bb43f0c7f129bd16e885b140ae931 Mon Sep 17 00:00:00 2001
From: Radoslav Kolev <radoslav.kolev@suse.com>
Date: Wed, 12 Nov 2025 19:46:15 +0200
Subject: [PATCH v2 1/1] wget: don't allow control characters or spaces in the
 URL

Fixes CVE-2025-60876 malicious URL can be used to inject
HTTP headers in the request.

Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
Reviewed-by: Emmanuel Deloget <logout@free.fr>
---
 networking/wget.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/networking/wget.c b/networking/wget.c
index ec3767793..fa555427b 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -536,6 +536,15 @@ static void parse_url(const char *src_url, struct host_info *h)
 {
 	char *url, *p, *sp;
 
+	/* Fix for CVE-2025-60876 - don't allow control characters or spaces in the URL */
+	/* otherwise a malicious URL can be used to inject HTTP headers in the request */
+	const unsigned char *u = (void *) src_url;
+	while (*u) {
+		if (*u <= ' ')
+			bb_simple_error_msg_and_die("Unencoded control character found in the URL!");
+		u++;
+	}
+
 	free(h->allocated);
 	h->allocated = url = xstrdup(src_url);
 
-- 
2.51.1