From cfa1d7614c14e5f97ada2f40cf2b63cb37d3a43e Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Sun, 17 May 2026 10:51:32 +0200
Subject: [PATCH] Another fix in url_unreal for rogue HTTPS servers (not super important)
---
 src/url_unreal.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/url_unreal.c b/src/url_unreal.c
index bf3a1ac29..799f6e5f1 100644
--- a/src/url_unreal.c
+++ b/src/url_unreal.c
@@ -497,6 +497,7 @@ int https_fatal_tls_error(int ssl_error, int my_errno, Download *handle)
 int url_parse(const char *url, char **hostname, int *port, char **username, char **password, char **document)
 {
 char *p, *p2;
+ const char *q;
 static char hostbuf[256];
 static char documentbuf[512];
@@ -505,6 +506,12 @@ int url_parse(const char *url, char **hostname, int *port, char **username, char
 if (strncmp(url, "https://", 8))
 return 0;
+
+ /* Refuse control chars and space (would allow request-line injection). */
+ for (q = url; *q; q++)
+ if (*q <= ' ')
+ return 0;
+
 url += 8; /* skip over https:// part */
 p = strchr(url, '/');
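Review bot: The added test `if (*q <= ' ')` in url_parse compares a plain `char`, whose signedness is implementation-defined, so bytes 0x80–0xFF are refused on builds where `char` is signed and accepted where it is unsigned. A filter that guards the request line should behave the same on every build, so I would make the range explicit with `unsigned char c = (unsigned char)*q;` followed by `if (c <= ' ' || c >= 0x7f) return 0;`, which also refuses DEL (0x7f), a control character the current test lets through. If non-ASCII bytes are meant to be accepted, `if ((unsigned char)*q <= ' ' || *q == 0x7f)` states that instead. The comment above the loop could then name the refused byte ranges; the body of url_parse continues outside the hunk, so how the later parsing depends on this check is not visible here.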