File curl-CVE-2025-11563.patch of Package curl.41691

From fb0c014e30e5f4de7aa0d566c52c836a6423da29 Mon Sep 17 00:00:00 2001
From: Samuel Henrique <samueloph@debian.org>
Date: Sun, 26 Oct 2025 17:34:46 +0000
Subject: [PATCH] wcurl: sync to +dev snapshot

Closes #19247
---
 scripts/wcurl | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

Index: curl-8.14.1/scripts/wcurl
===================================================================
--- curl-8.14.1.orig/scripts/wcurl
+++ curl-8.14.1/scripts/wcurl
@@ -65,7 +65,7 @@ Options:
                            multiple times, only the last value is considered.
 
   --no-decode-filename: Don't percent-decode the output filename, even if the percent-encoding in
-                        the URL was done by wcurl, e.g.: The URL contained whitespaces.
+                        the URL was done by wcurl, e.g.: The URL contained whitespace.
 
   --dry-run: Don't actually execute curl, just print what would be invoked.
 
@@ -77,7 +77,7 @@ Options:
                  instead forwarded to the curl invocation.
 
   <URL>: URL to be downloaded. Anything that is not a parameter is considered
-         an URL. Whitespaces are percent-encoded and the URL is passed to curl, which
+         an URL. Whitespace is percent-encoded and the URL is passed to curl, which
          then performs the parsing. May be specified more than once.
 _EOF_
 }
@@ -85,7 +85,7 @@ _EOF_
 # Display an error message and bail out.
 error()
 {
-    printf "%s\n" "$*" > /dev/stderr
+    printf "%s\n" "$*" >&2
     exit 1
 }
 
@@ -113,6 +113,13 @@ readonly PER_URL_PARAMETERS="\
     --remote-time \
     --retry 5 "
 
+# Valid percent-encode codes that are considered unsafe to be decoded.
+# This is a list of space-separated percent-encoded uppercase
+# characters.
+# 2F = /
+# 5C = \
+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
+
 # Whether to invoke curl or not.
 DRY_RUN="false"
 
@@ -137,6 +144,20 @@ is_subset_of()
     esac
 }
 
+# Indicate via exit code whether the HTML code given in the first
+# parameter is safe to be decoded.
+is_safe_percent_encode()
+{
+    upper_str=$(printf "%s" "${1}" | tr "[:lower:]" "[:upper:]")
+    for unsafe in ${UNSAFE_PERCENT_ENCODE}; do
+        if [ "${unsafe}" = "${upper_str}" ]; then
+            return 1
+        fi
+    done
+
+    return 0
+}
+
 # Print the given string percent-decoded.
 percent_decode()
 {
@@ -151,9 +172,10 @@ percent_decode()
                 decode_out="${decode_out}${decode_hex2}"
                 # Skip decoding if this is a control character (00-1F).
                 # Skip decoding if DECODE_FILENAME is not "true".
-                if is_subset_of "${decode_hex1}" "23456789abcdefABCDEF" && \
-                    is_subset_of "${decode_hex2}" "0123456789abcdefABCDEF" && \
-                    [ "${DECODE_FILENAME}" = "true" ]; then
+                if [ "${DECODE_FILENAME}" = "true" ] \
+                    && is_subset_of "${decode_hex1}" "23456789abcdefABCDEF" \
+                    && is_subset_of "${decode_hex2}" "0123456789abcdefABCDEF" \
+                    && is_safe_percent_encode "${decode_out}"; then
                     # Use printf to decode it into octal and then decode it to the final format.
                     decode_out="$(printf "%b" "\\$(printf %o "0x${decode_hex1}${decode_hex2}")")"
                 fi
@@ -298,7 +320,7 @@ while [ -n "${1-}" ]; do
             # This is the start of the list of URLs.
             shift
             for url in "$@"; do
-                # Encode whitespaces into %20, since wget supports those URLs.
+                # Encode whitespace into %20, since wget supports those URLs.
                 newurl=$(printf "%s\n" "${url}" | sed 's/ /%20/g')
                 URLS="${URLS} ${newurl}"
             done
@@ -311,7 +333,7 @@ while [ -n "${1-}" ]; do
 
         *)
             # This must be a URL.
-            # Encode whitespaces into %20, since wget supports those URLs.
+            # Encode whitespace into %20, since wget supports those URLs.
             newurl=$(printf "%s\n" "${1}" | sed 's/ /%20/g')
             URLS="${URLS} ${newurl}"
             ;;
openSUSE Build Service is sponsored by