rpms / curl

Clone
Source Code
GIT

Blame SOURCES/0021-curl-7.76.1-CVE-2022-35252.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   b8439724fcf366bebb298f3131aa93a72ca92572
  2.   SOURCES
  3.   0021-curl-7.76.1-CVE-2022-35252.patch
Blob History Raw
4e3ab8 
From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
4e3ab8 
From: Daniel Stenberg <daniel@haxx.se>
4e3ab8 
Date: Mon, 29 Aug 2022 00:09:17 +0200
4e3ab8 
Subject: [PATCH 1/2] cookie: reject cookies with "control bytes"
4e3ab8
4e3ab8 
Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
4e3ab8
4e3ab8 
Reported-by: Axel Chong
4e3ab8
4e3ab8 
Bug: https://curl.se/docs/CVE-2022-35252.html
4e3ab8
4e3ab8 
CVE-2022-35252
4e3ab8
4e3ab8 
Closes #9381
4e3ab8
4e3ab8 
Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
4e3ab8 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
4e3ab8 
---
4e3ab8 
 lib/cookie.c | 29 +++++++++++++++++++++++++++++
4e3ab8 
 1 file changed, 29 insertions(+)
4e3ab8
4e3ab8 
diff --git a/lib/cookie.c b/lib/cookie.c
4e3ab8 
index cb0c03b..e0470a1 100644
4e3ab8 
--- a/lib/cookie.c
4e3ab8 
+++ b/lib/cookie.c
4e3ab8 
@@ -383,6 +383,30 @@ static void strstore(char **str, const char *newstr)
4e3ab8 
   *str = strdup(newstr);
4e3ab8 
 }
4e3ab8
4e3ab8 
+/*
4e3ab8 
+  RFC 6265 section 4.1.1 says a server should accept this range:
4e3ab8 
+
4e3ab8 
+  cookie-octet    = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
4e3ab8 
+
4e3ab8 
+  But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
4e3ab8 
+  fine. The prime reason for filtering out control bytes is that some HTTP
4e3ab8 
+  servers return 400 for requests that contain such.
4e3ab8 
+*/
4e3ab8 
+static int invalid_octets(const char *p)
4e3ab8 
+{
4e3ab8 
+  /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
4e3ab8 
+  static const char badoctets[] = {
4e3ab8 
+    "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
4e3ab8 
+    "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
4e3ab8 
+    "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
4e3ab8 
+  };
4e3ab8 
+  size_t vlen, len;
4e3ab8 
+  /* scan for all the octets that are *not* in cookie-octet */
4e3ab8 
+  len = strcspn(p, badoctets);
4e3ab8 
+  vlen = strlen(p);
4e3ab8 
+  return (len != vlen);
4e3ab8 
+}
4e3ab8 
+
4e3ab8 
 /*
4e3ab8 
  * remove_expired() removes expired cookies.
4e3ab8 
  */
4e3ab8 
@@ -567,6 +591,11 @@ Curl_cookie_add(struct Curl_easy *data,
4e3ab8 
             badcookie = TRUE;
4e3ab8 
             break;
4e3ab8 
           }
4e3ab8 
+          if(invalid_octets(whatptr) || invalid_octets(name)) {
4e3ab8 
+            infof(data, "invalid octets in name/value, cookie dropped");
4e3ab8 
+            badcookie = TRUE;
4e3ab8 
+            break;
4e3ab8 
+          }
4e3ab8 
         }
4e3ab8 
         else if(!len) {
4e3ab8 
           /* this was a "<name>=" with no content, and we must allow
4e3ab8 
--
4e3ab8 
2.37.1
4e3ab8
4e3ab8
4e3ab8 
From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
4e3ab8 
From: Daniel Stenberg <daniel@haxx.se>
4e3ab8 
Date: Mon, 29 Aug 2022 00:09:17 +0200
4e3ab8 
Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored
4e3ab8
4e3ab8 
Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
4e3ab8 
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
4e3ab8 
---
4e3ab8 
 tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
4e3ab8 
 1 file changed, 31 insertions(+), 1 deletion(-)
4e3ab8
4e3ab8 
diff --git a/tests/data/test8 b/tests/data/test8
4e3ab8 
index a8548e6..8587611 100644
4e3ab8 
--- a/tests/data/test8
4e3ab8 
+++ b/tests/data/test8
4e3ab8 
@@ -46,6 +46,36 @@ Set-Cookie: trailingspace    = removed; path=/we/want;
4e3ab8 
 Set-Cookie: nocookie=yes; path=/WE;
4e3ab8 
 Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
4e3ab8 
 Set-Cookie: partialip=nono; domain=.0.0.1;
4e3ab8 
+Set-Cookie: cookie1=%hex[%01-junk]hex%
4e3ab8 
+Set-Cookie: cookie2=%hex[%02-junk]hex%
4e3ab8 
+Set-Cookie: cookie3=%hex[%03-junk]hex%
4e3ab8 
+Set-Cookie: cookie4=%hex[%04-junk]hex%
4e3ab8 
+Set-Cookie: cookie5=%hex[%05-junk]hex%
4e3ab8 
+Set-Cookie: cookie6=%hex[%06-junk]hex%
4e3ab8 
+Set-Cookie: cookie7=%hex[%07-junk]hex%
4e3ab8 
+Set-Cookie: cookie8=%hex[%08-junk]hex%
4e3ab8 
+Set-Cookie: cookie9=%hex[junk-%09-]hex%
4e3ab8 
+Set-Cookie: cookie11=%hex[%0b-junk]hex%
4e3ab8 
+Set-Cookie: cookie12=%hex[%0c-junk]hex%
4e3ab8 
+Set-Cookie: cookie14=%hex[%0e-junk]hex%
4e3ab8 
+Set-Cookie: cookie15=%hex[%0f-junk]hex%
4e3ab8 
+Set-Cookie: cookie16=%hex[%10-junk]hex%
4e3ab8 
+Set-Cookie: cookie17=%hex[%11-junk]hex%
4e3ab8 
+Set-Cookie: cookie18=%hex[%12-junk]hex%
4e3ab8 
+Set-Cookie: cookie19=%hex[%13-junk]hex%
4e3ab8 
+Set-Cookie: cookie20=%hex[%14-junk]hex%
4e3ab8 
+Set-Cookie: cookie21=%hex[%15-junk]hex%
4e3ab8 
+Set-Cookie: cookie22=%hex[%16-junk]hex%
4e3ab8 
+Set-Cookie: cookie23=%hex[%17-junk]hex%
4e3ab8 
+Set-Cookie: cookie24=%hex[%18-junk]hex%
4e3ab8 
+Set-Cookie: cookie25=%hex[%19-junk]hex%
4e3ab8 
+Set-Cookie: cookie26=%hex[%1a-junk]hex%
4e3ab8 
+Set-Cookie: cookie27=%hex[%1b-junk]hex%
4e3ab8 
+Set-Cookie: cookie28=%hex[%1c-junk]hex%
4e3ab8 
+Set-Cookie: cookie29=%hex[%1d-junk]hex%
4e3ab8 
+Set-Cookie: cookie30=%hex[%1e-junk]hex%
4e3ab8 
+Set-Cookie: cookie31=%hex[%1f-junk]hex%
4e3ab8 
+Set-Cookie: cookie31=%hex[%7f-junk]hex%
4e3ab8
4e3ab8 
 </file>
4e3ab8 
 <precheck>
4e3ab8 
@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
4e3ab8 
 Host: %HOSTIP:%HTTPPORT
4e3ab8 
 User-Agent: curl/%VERSION
4e3ab8 
 Accept: */*
4e3ab8 
-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
4e3ab8 
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk-	-
4e3ab8
4e3ab8 
 </protocol>
4e3ab8 
 </verify>
4e3ab8 
--
4e3ab8 
2.37.1
4e3ab8

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation