commit 4d729e322fae359a1aefaafec1144764a54e8ad4
Author: Tim Rühsen <tim.ruehsen@gmx.de>
Date:   Mon Mar 6 10:04:22 2017 +0100

    Fix CRLF injection in Wget host part
    
    * src/url.c (url_parse): Reject control characters in host part of URL
    
    Reported-by: Orange Tsai

diff --git a/src/url.c b/src/url.c
index 8f8ff0b8..7d36b27d 100644
--- a/src/url.c
+++ b/src/url.c
@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
       url_unescape (u->host);
       host_modified = true;
 
+      /* check for invalid control characters in host name */
+      for (p = u->host; *p; p++)
+        {
+          if (c_iscntrl(*p))
+            {
+              url_free(u);
+              error_code = PE_INVALID_HOST_NAME;
+              goto error;
+            }
+        }
+
       /* Apply IDNA regardless of iri->utf8_encode status */
       if (opt.enable_iri && iri)
         {
