authorCosta Tsaousis <costa@tsaousis.gr>2018-10-30 02:35:57 +0200
committerGitHub <noreply@github.com>2018-10-30 02:35:57 +0200
commit92327c9ec211bd1616315abcb255861b130b97ca (patch)
tree1d22f965d3c7ccc34458b420579fb6d1e0004b24 /libnetdata/url
parenta35bd00fbf8f2578ec0c660b532e925911191b43 (diff)
fixed vulnerabilities identified by red4sec.com (#4521)
Diffstat (limited to 'libnetdata/url')
-rw-r--r--libnetdata/url/url.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libnetdata/url/url.c b/libnetdata/url/url.c
index 8a96063a03..07a9f8069e 100644
--- a/libnetdata/url/url.c
+++ b/libnetdata/url/url.c
@@ -60,7 +60,9 @@ char *url_decode_r(char *to, char *url, size_t size) {
while(*s && d < e) {
if(unlikely(*s == '%')) {
if(likely(s[1] && s[2])) {
- *d++ = from_hex(s[1]) << 4 | from_hex(s[2]);
+ char t = from_hex(s[1]) << 4 | from_hex(s[2]);
+ // avoid HTTP header injection
+ *d++ = (char)((isprint(t))? t : ' ');
s += 2;
}
}
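Review bot: On the added line `*d++ = (char)((isprint(t))? t : ' ');`, `t` is a plain `char`, so where `char` is signed any percent-encoded byte at or above 0x80 reaches `isprint()` as a negative value, which is undefined behaviour for the `<ctype.h>` classifiers (CERT STR37-C). Converting first keeps the check well-defined: `*d++ = (char)(isprint((unsigned char)t) ? t : ' ');`. `isprint()` is also locale-dependent, and in the "C" locale it turns every byte of a percent-encoded UTF-8 sequence into a space, so the comment should say whether dropping non-ASCII is intended, e.g. `// avoid HTTP header injection: decoded control and non-ASCII bytes become ' '`. The filter covers only the `%XX` branch shown here; the rest of `url_decode_r` lies outside the hunk, so it is worth confirming that literal control bytes copied by the other branch are handled as well.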