Description
In lib/url.c, the detect_proxy function uses a fixed-size buffer, proxy_env[20], to construct proxy environment variable names (e.g., http_proxy). However, the curl URL parser (lib/urlapi.c) allows protocol schemes up to 40 characters (MAX_SCHEME_LEN). When a protocol scheme longer than 12 characters is used, the environment variable name is silently truncated to 19 characters by curl_msnprintf. This causes a business logic error where curl may read configuration from an unintended (truncated) environment variable, causing potentially unexpected proxy behavior in applications using custom schemes.
Google Gemini AI was used as an analysis aid only; all findings, including the truncation behavior, were manually verified by reviewing the source code and testing a PoC.
Affected Versions
- curl 8.18.0-DEV (latest master branch)
- Platform: Windows 10 x64 (platform-independent logic issue)
Steps to Reproduce
1. Inspect lib/url.c lines 2060–2067.
2. Note that proxy_env is declared as char proxy_env[20];.
3. Observe that conn->handler->scheme can be up to 40 characters (MAX_SCHEME_LEN).
4. Call curl_msnprintf(proxy_env, sizeof(proxy_env), "%s_proxy", conn->handler->scheme); with a long scheme.
5. Example: "extremelylongprotocolname" (25 characters) will be truncated to "extremelylongsc" instead of "extremelylongprotocolname_proxy".
Supporting/Reference Materials
- Source code snippet from lib/url.c (lines 2060–2067)
- PoC code (poc_truncation.c) demonstrating truncation
- Screenshot of PoC execution showing truncation
- Screenshot of the vulnerable code in lib/url.c
## Impact
A business logic flaw allows proxy configuration manipulation or bypass through truncating environment variable names. This can lead to unexpected network behavior or bypass security policies that rely on protocol-specific proxy settings. An attacker with control over environment variables could set truncated variable names to redirect traffic through an unauthorized proxy.
Google Gemini AI was used as an analysis aid only; all findings, including the truncation behavior, were manually verified by reviewing the source code and testing a PoC.
Affected Versions
- curl 8.18.0-DEV (latest master branch)
- Platform: Windows 10 x64 (platform-independent logic issue)
Steps to Reproduce
1. Inspect lib/url.c lines 2060–2067.
2. Note that proxy_env is declared as char proxy_env[20];.
3. Observe that conn->handler->scheme can be up to 40 characters (MAX_SCHEME_LEN).
4. Call curl_msnprintf(proxy_env, sizeof(proxy_env), "%s_proxy", conn->handler->scheme); with a long scheme.
5. Example: "extremelylongprotocolname" (25 characters) will be truncated to "extremelylongsc" instead of "extremelylongprotocolname_proxy".
Supporting/Reference Materials
- Source code snippet from lib/url.c (lines 2060–2067)
- PoC code (poc_truncation.c) demonstrating truncation
- Screenshot of PoC execution showing truncation
- Screenshot of the vulnerable code in lib/url.c
## Impact
A business logic flaw allows proxy configuration manipulation or bypass through truncating environment variable names. This can lead to unexpected network behavior or bypass security policies that rely on protocol-specific proxy settings. An attacker with control over environment variables could set truncated variable names to redirect traffic through an unauthorized proxy.
Basic Information
ID
H1:3473182
Published
Dec 20, 2025 at 06:19
Modified
Dec 21, 2025 at 21:34