|
 |
f5da4f |
From 239f8d93866605b05f4e6b551f4327dc7fcb922b Mon Sep 17 00:00:00 2001
|
|
|
f5da4f |
From: Viktor Szakats <commit@vsz.me>
|
|
|
f5da4f |
Date: Tue, 23 Feb 2021 14:54:46 +0100
|
|
|
f5da4f |
Subject: [PATCH 1/2] transfer: strip credentials from the auto-referer header
|
|
|
f5da4f |
field
|
|
|
f5da4f |
|
|
|
f5da4f |
Added test 2081 to verify.
|
|
|
f5da4f |
|
|
|
f5da4f |
CVE-2021-22876
|
|
|
f5da4f |
|
|
|
f5da4f |
Bug: https://curl.se/docs/CVE-2021-22876.html
|
|
|
f5da4f |
|
|
|
f5da4f |
Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c
|
|
|
f5da4f |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
f5da4f |
---
|
|
|
f5da4f |
lib/transfer.c | 25 +++++++++++++++++++++++--
|
|
|
f5da4f |
1 file changed, 23 insertions(+), 2 deletions(-)
|
|
|
f5da4f |
|
|
|
f5da4f |
diff --git a/lib/transfer.c b/lib/transfer.c
|
|
|
f5da4f |
index ecd1063..263b178 100644
|
|
|
f5da4f |
--- a/lib/transfer.c
|
|
|
f5da4f |
+++ b/lib/transfer.c
|
|
|
f5da4f |
@@ -1473,6 +1473,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
|
|
f5da4f |
/* Location: redirect */
|
|
|
f5da4f |
bool disallowport = FALSE;
|
|
|
f5da4f |
bool reachedmax = FALSE;
|
|
|
f5da4f |
+ CURLUcode uc;
|
|
|
f5da4f |
|
|
|
f5da4f |
if(type == FOLLOW_REDIR) {
|
|
|
f5da4f |
if((data->set.maxredirs != -1) &&
|
|
|
f5da4f |
@@ -1488,6 +1489,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
|
|
f5da4f |
data->set.followlocation++; /* count location-followers */
|
|
|
f5da4f |
|
|
|
f5da4f |
if(data->set.http_auto_referer) {
|
|
|
f5da4f |
+ CURLU *u;
|
|
|
f5da4f |
+ char *referer;
|
|
|
f5da4f |
+
|
|
|
f5da4f |
/* We are asked to automatically set the previous URL as the referer
|
|
|
f5da4f |
when we get the next URL. We pick the ->url field, which may or may
|
|
|
f5da4f |
not be 100% correct */
|
|
|
f5da4f |
@@ -1497,9 +1501,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
|
|
f5da4f |
data->change.referer_alloc = FALSE;
|
|
|
f5da4f |
}
|
|
|
f5da4f |
|
|
|
f5da4f |
- data->change.referer = strdup(data->change.url);
|
|
|
f5da4f |
- if(!data->change.referer)
|
|
|
f5da4f |
+ /* Make a copy of the URL without crenditals and fragment */
|
|
|
f5da4f |
+ u = curl_url();
|
|
|
f5da4f |
+ if(!u)
|
|
|
f5da4f |
+ return CURLE_OUT_OF_MEMORY;
|
|
|
f5da4f |
+
|
|
|
f5da4f |
+ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
|
|
|
f5da4f |
+ if(!uc)
|
|
|
f5da4f |
+ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
|
|
|
f5da4f |
+ if(!uc)
|
|
|
f5da4f |
+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
|
|
|
f5da4f |
+ if(!uc)
|
|
|
f5da4f |
+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
|
|
|
f5da4f |
+ if(!uc)
|
|
|
f5da4f |
+ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
|
|
|
f5da4f |
+
|
|
|
f5da4f |
+ curl_url_cleanup(u);
|
|
|
f5da4f |
+
|
|
|
f5da4f |
+ if(uc || referer == NULL)
|
|
|
f5da4f |
return CURLE_OUT_OF_MEMORY;
|
|
|
f5da4f |
+ data->change.referer = referer;
|
|
|
f5da4f |
data->change.referer_alloc = TRUE; /* yes, free this later */
|
|
|
f5da4f |
}
|
|
|
f5da4f |
}
|
|
|
f5da4f |
--
|
|
|
f5da4f |
2.30.2
|
|
|
f5da4f |
|
|
|
f5da4f |
|
|
|
f5da4f |
From f7d1d478b87499ce31d6aa3251830b78447ad952 Mon Sep 17 00:00:00 2001
|
|
|
f5da4f |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
f5da4f |
Date: Mon, 29 Mar 2021 09:32:14 +0200
|
|
|
f5da4f |
Subject: [PATCH 2/2] transfer: clear 'referer' in declaration
|
|
|
f5da4f |
|
|
|
f5da4f |
To silence (false positive) compiler warnings about it.
|
|
|
f5da4f |
|
|
|
f5da4f |
Follow-up to 7214288898f5625
|
|
|
f5da4f |
|
|
|
f5da4f |
Reviewed-by: Marcel Raad
|
|
|
f5da4f |
Closes #6810
|
|
|
f5da4f |
|
|
|
f5da4f |
Upstream-commit: 6bb028dbda6cbfe83f66de773544f71e4813160f
|
|
|
f5da4f |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
f5da4f |
---
|
|
|
f5da4f |
lib/transfer.c | 4 ++--
|
|
|
f5da4f |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
f5da4f |
|
|
|
f5da4f |
diff --git a/lib/transfer.c b/lib/transfer.c
|
|
|
f5da4f |
index 263b178..ad5a7ba 100644
|
|
|
f5da4f |
--- a/lib/transfer.c
|
|
|
f5da4f |
+++ b/lib/transfer.c
|
|
|
f5da4f |
@@ -1490,7 +1490,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
|
|
f5da4f |
|
|
|
f5da4f |
if(data->set.http_auto_referer) {
|
|
|
f5da4f |
CURLU *u;
|
|
|
f5da4f |
- char *referer;
|
|
|
f5da4f |
+ char *referer = NULL;
|
|
|
f5da4f |
|
|
|
f5da4f |
/* We are asked to automatically set the previous URL as the referer
|
|
|
f5da4f |
when we get the next URL. We pick the ->url field, which may or may
|
|
|
f5da4f |
@@ -1518,7 +1518,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
|
|
f5da4f |
|
|
|
f5da4f |
curl_url_cleanup(u);
|
|
|
f5da4f |
|
|
|
f5da4f |
- if(uc || referer == NULL)
|
|
|
f5da4f |
+ if(uc || !referer)
|
|
|
f5da4f |
return CURLE_OUT_OF_MEMORY;
|
|
|
f5da4f |
data->change.referer = referer;
|
|
|
f5da4f |
data->change.referer_alloc = TRUE; /* yes, free this later */
|
|
|
f5da4f |
--
|
|
|
f5da4f |
2.30.2
|
|
|
f5da4f |
|