From 65546bae0164a97d89d42176e366d9c7c7796261 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@xry111.site>
Date: Sun, 9 Nov 2025 14:30:34 +0800
Subject: [PATCH] wcurl: Really fix CVE-2025-11563
When we pass a string to is_safe_percent_encode, it always begins with
"%". But the lookup table UNSAFE_PERCENT_ENCODE does not contain "%" so
nothing can be matched.
Also update the test suite to fix the false positive.
Signed-off-by: Xi Ruoyao <xry111@xry111.site>
Backported-by: Samuel Henrique <samueloph@debian.org>
* Modify wcurl patch to apply on curl sources by changing the location of the
wcurl script from wcurl to scripts/wcurl.
* Drop changes to wcurl's tests as they are not in the curl sources.
---
scripts/wcurl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/wcurl b/scripts/wcurl
index 56c04ba..cbe7b1a 100755
--- a/scripts/wcurl
+++ b/scripts/wcurl
@@ -118,7 +118,7 @@ readonly PER_URL_PARAMETERS="\
# characters.
# 2F = /
# 5C = \
-readonly UNSAFE_PERCENT_ENCODE="2F 5C"
+readonly UNSAFE_PERCENT_ENCODE="%2F %5C"
# Whether to invoke curl or not.
DRY_RUN="false"
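Review bot: the new table entries "%2F %5C" only cover uppercase hex digits, and this hunk does not show whether is_safe_percent_encode compares the "%XX" prefix case-insensitively; RFC 3986 treats "%2f" and "%2F" as the same encoding, so if the lookup is a literal string match the lowercase forms would still pass as safe. Please either confirm the caller normalises the case before the lookup or add "%2f %5c" to the table. The comment block above the table ("# 2F = /", "# 5C = \") also still lists the entries without the "%" prefix; updating it to "# %2F = /" and "# %5C = \" would keep the comment in step with the new format. Since the backport drops the wcurl test changes, consider adding a minimal check in the curl tree that a URL containing "%2F" is actually rejected, so the regression this commit fixes cannot silently return.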