From 6bc4ebdfed541b9a3894b39af30b1dc966d2f653 Mon Sep 17 00:00:00 2001 From: Halil Durak Date: Tue, 19 May 2026 11:39:52 +0300 Subject: [PATCH] `URL.zig`: fix NUL/CR/LF/TAB character injection through authority --- src/browser/URL.zig | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/browser/URL.zig b/src/browser/URL.zig index c3bfbde7..07836fe0 100644 --- a/src/browser/URL.zig +++ b/src/browser/URL.zig @@ -883,8 +883,9 @@ fn parseAuthority(raw: []const u8) ?AuthorityInfo { const scheme_end = std.mem.indexOf(u8, raw, "://") orelse return null; const authority_start = scheme_end + 3; - // Find end of authority FIRST (start of path/query/fragment or end of string) - const authority_end = if (std.mem.indexOfAny(u8, raw[authority_start..], "/?#")) |end| + // Find end of authority FIRST (start of path/query/fragment, + // a NUL/CR/LF/TAB, or end of string). + const authority_end = if (std.mem.indexOfAny(u8, raw[authority_start..], "/?#\x00\r\n\t")) |end| authority_start + end else raw.len;