{“lastseen”:”2026-01-02T11:25:49″,”description”:”Control characters slip through during URL handling in curl\u2019s Gopher setup. Though null bytes get blocked by the `REJECT_ZERO` setting, returns and line feeds remain permitted. A specially built address using percent-encoded breaks – like %0D%0A – opens room for command insertion. Because of how decoding works here, unintended instructions may pass into the data flow. Unexpected behavior follows when those sequences reach downstream systems.\\n\\nRoot Cause: `lib\/gopher.c` handles data, decoding occurs within the path segment through a specific function call\\n“`c\\nresult = Curl_urldecode(newp, 0, \\u0026buf_alloc, \\u0026buf_len, REJECT_ZERO);\\n“`\\nBecause `REJECT_CTRL` is absent, encoded CRLF sequences become actual line breaks when the request reaches the server.\\n\\nSteps to Reproduce:\\n\\n- Create the listener script: (Use the Python script below to capture raw bytes and detect injection).\\n“`bash\\nimport socket\\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\\ns.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\ns.bind((‘127.0.0.1′, 7070))\\ns.listen(1)\\nprint(\\”Server listening on 7070…\\”)\\nwhile True:\\n conn, addr = s.accept()\\n data = conn.recv(4096)\\n print(f\\”Received: {repr(data)}\\”)\\n if b’\\\\r\\\\n’ in data: print(\\”\ud83d\udea8 CRLF INJECTION DETECTED!\\”)\\n conn.close()\\n“`\\n- Execute the Payload: Run curl with an encoded CRLF sequence in the Gopher path:\\n“`bash\\ncurl \\”gopher:\/\/127.0.0.1:7070\/x%0D%0AINJECTED_COMMAND\\”\\n“`\\n- Verify the Injection: Check your listener output. You will see that the INJECTED_COMMAND appears on a new line, confirming that the protocol stream was broken:\\n“`text\\n[+] Client connected from (‘127.0.0.1’, 53518)\\n[RECEIVED] b’yz\\\\r\\\\nINJECTED\\\\r\\\\n’\\n[HEX] 797a0d0a494e4a45435445440d0a\\n\\n\ud83d\udea8 CRLF INJECTION DETECTED!\\n“`\\n\\n## Impact\\n\\nSecurity limits may be crossed in this scenario. When an attacker influences the URL or triggers a redirection, interaction with internal systems becomes possible – systems such as Redis, Memcached, or mail components. Execution of unintended instructions follows under these conditions.\\n\\nFix: In `lib\/gopher.c`, swap `REJECT_ZERO` with `REJECT_CTRL`. This change ensures full suppression of control characters. Implementation now prevents unintended character handling by using the updated flag. Outcome aligns with expected filtering behavior. Final effect appears consistent across test cases.\\n\\nDisclosure:\\nTo test the idea, a basic `TCP server` was built `using a code-generation assistant`, focused strictly on recording byte streams from Gopher links. Rather than automating analysis, each stage – examining flaws, tracing origins, judging consequences, replicating issues – was completed by hand. Simplicity guided the design of the server; its purpose limited to exposing how data moves at the protocol layer.”,”published”:”2026-01-02T05:54:08″,”modified”:”2026-01-02T10:41:22″,”type”:”hackerone”,”title”:”curl: CRLF Injection in Gopher Protocol (`lib\/gopher.c`)”,”source”:””,”references”:””,”id”:”H1:3484506″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3484506″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-02T11:25:49″,”description”:”Control characters slip through during URL handling in curl\u2019s Gopher setup. Though null bytes get blocked by the `REJECT_ZERO` setting, returns and line feeds remain…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-33709","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n