forked from NixOS/nixpkgs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
curl: add patches for CVE-2021-22876, CVE-2021-22890
hand-backported from upstream fixes
- Loading branch information
Showing
3 changed files
with
617 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,139 @@ | ||
Based on upstream 7214288898f5625a6cc196e22a74232eada7861c, adapted by ris to | ||
compensate for lack of 95cbcec8f986492766c4be3922af1e7644e1e7c5 | ||
|
||
--- | ||
lib/transfer.c | 25 ++++++++++++++-- | ||
tests/data/Makefile.inc | 2 +- | ||
tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++ | ||
3 files changed, 90 insertions(+), 3 deletions(-) | ||
create mode 100644 tests/data/test2081 | ||
|
||
diff --git a/lib/transfer.c b/lib/transfer.c | ||
index 1976bc0338bc..a68c021c84d6 100644 | ||
--- a/lib/transfer.c | ||
+++ b/lib/transfer.c | ||
@@ -1581,6 +1581,9 @@ CURLcode Curl_follow(struct Curl_easy *data, | ||
data->set.followlocation++; /* count location-followers */ | ||
|
||
if(data->set.http_auto_referer) { | ||
+ CURLU *u; | ||
+ char *referer; | ||
+ | ||
/* We are asked to automatically set the previous URL as the referer | ||
when we get the next URL. We pick the ->url field, which may or may | ||
not be 100% correct */ | ||
@@ -1590,9 +1593,27 @@ CURLcode Curl_follow(struct Curl_easy *data, | ||
data->change.referer_alloc = FALSE; | ||
} | ||
|
||
- data->change.referer = strdup(data->change.url); | ||
- if(!data->change.referer) | ||
+ /* Make a copy of the URL without crenditals and fragment */ | ||
+ u = curl_url(); | ||
+ if(!u) | ||
+ return CURLE_OUT_OF_MEMORY; | ||
+ | ||
+ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); | ||
+ if(!uc) | ||
+ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); | ||
+ if(!uc) | ||
+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); | ||
+ if(!uc) | ||
+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); | ||
+ if(!uc) | ||
+ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); | ||
+ | ||
+ curl_url_cleanup(u); | ||
+ | ||
+ if(uc || referer == NULL) | ||
return CURLE_OUT_OF_MEMORY; | ||
+ | ||
+ data->change.referer = referer; | ||
data->change.referer_alloc = TRUE; /* yes, free this later */ | ||
} | ||
} | ||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
index 2c7a0ca89fd8..ea52683d2254 100644 | ||
--- a/tests/data/Makefile.inc | ||
+++ b/tests/data/Makefile.inc | ||
@@ -225,7 +225,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \ | ||
test2064 test2065 test2066 test2067 test2068 test2069 test2070 \ | ||
test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ | ||
test2078 \ | ||
-test2080 \ | ||
+test2080 test2081 \ | ||
test2100 \ | ||
\ | ||
test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \ | ||
diff --git a/tests/data/test2081 b/tests/data/test2081 | ||
new file mode 100644 | ||
index 000000000000..a6733e737beb | ||
--- /dev/null | ||
+++ b/tests/data/test2081 | ||
@@ -0,0 +1,66 @@ | ||
+<testcase> | ||
+<info> | ||
+<keywords> | ||
+HTTP | ||
+HTTP GET | ||
+referer | ||
+followlocation | ||
+--write-out | ||
+</keywords> | ||
+</info> | ||
+ | ||
+# Server-side | ||
+<reply> | ||
+<data nocheck="yes"> | ||
+HTTP/1.1 301 This is a weirdo text message swsclose | ||
+Location: data/%TESTNUMBER0002.txt?coolsite=yes | ||
+Content-Length: 62 | ||
+Connection: close | ||
+ | ||
+This server reply is for testing a simple Location: following | ||
+</data> | ||
+</reply> | ||
+ | ||
+# Client-side | ||
+<client> | ||
+<server> | ||
+http | ||
+</server> | ||
+ <name> | ||
+Automatic referrer credential and anchor stripping check | ||
+ </name> | ||
+ <command> | ||
+http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n' | ||
+</command> | ||
+</client> | ||
+ | ||
+# Verify data after the test has been "shot" | ||
+<verify> | ||
+<errorcode> | ||
+52 | ||
+</errorcode> | ||
+<protocol> | ||
+GET /we/want/our/%TESTNUMBER HTTP/1.1 | ||
+Host: %HOSTIP:%HTTPPORT | ||
+Authorization: Basic dXNlcjpwYXNz | ||
+User-Agent: curl/%VERSION | ||
+Accept: */* | ||
+ | ||
+GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1 | ||
+Host: %HOSTIP:%HTTPPORT | ||
+Authorization: Basic dXNlcjpwYXNz | ||
+User-Agent: curl/%VERSION | ||
+Accept: */* | ||
+Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER | ||
+ | ||
+</protocol> | ||
+<stdout> | ||
+HTTP/1.1 301 This is a weirdo text message swsclose | ||
+Location: data/%TESTNUMBER0002.txt?coolsite=yes | ||
+Content-Length: 62 | ||
+Connection: close | ||
+ | ||
+http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER | ||
+</stdout> | ||
+</verify> | ||
+</testcase> |
Oops, something went wrong.