Check for URI with userinfo parts (hostname has an @ sign) and fail for
authorclaudio <claudio@openbsd.org>
Mon, 9 Aug 2021 10:30:23 +0000 (10:30 +0000)
committerclaudio <claudio@openbsd.org>
Mon, 9 Aug 2021 10:30:23 +0000 (10:30 +0000)
such URI. The http client in rpki-client does not support http authentication
since it only accesses public websites.
OK jca@ job@

usr.sbin/rpki-client/http.c

index fc12a77..7773ad6 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: http.c,v 1.35 2021/08/04 16:10:03 claudio Exp $  */
+/*     $OpenBSD: http.c,v 1.36 2021/08/09 10:30:23 claudio Exp $  */
 /*
  * Copyright (c) 2020 Nils Fisher <nils_fisher@hotmail.com>
  * Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
@@ -320,6 +320,11 @@ http_parse_uri(char *uri, char **ohost, char **oport, char **opath)
                        hosttail = path;
        }
 
+       if (memchr(host, '@', hosttail - host) != NULL) {
+               warnx("%s: URI with userinfo not supported", http_info(uri));
+               return -1;
+       }
+
        if ((host = strndup(host, hosttail - host)) == NULL)
                err(1, NULL);
        if (port != NULL) {
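Review bot: The added `memchr(host, '@', hosttail - host)` scans only the bytes between `host` and `hosttail`, so an `@` located after `hosttail` but before `path` is never examined. `hosttail` is assigned above this hunk (only `hosttail = path;` is visible here); if an earlier branch places it at a `:` taken as the port separator, an authority shaped like `user:secret@host` would presumably leave the `@` in the port portion, pass this check, and fail later with a less specific error. Scanning the whole authority avoids depending on where the port split landed: `if (memchr(host, '@', path - host) != NULL) {`. http_parse_uri begins before and continues after the hunk, so this should be confirmed against the port-parsing code that is not shown.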