|
 |
01238a |
From 295124c256ed25f097192cfa9a67e460f7bb587f Mon Sep 17 00:00:00 2001
|
|
|
01238a |
From: nao <naost3rn@gmail.com>
|
|
|
01238a |
Date: Tue, 21 Jan 2020 10:30:37 +0100
|
|
|
01238a |
Subject: [PATCH 1/2] http: move "oauth_bearer" from connectdata to Curl_easy
|
|
|
01238a |
|
|
|
01238a |
Fixes the bug where oauth_bearer gets deallocated when we re-use a
|
|
|
01238a |
connection.
|
|
|
01238a |
|
|
|
01238a |
Closes #4824
|
|
|
01238a |
|
|
|
01238a |
Upstream-commit: dea17b519dc1d83265ca6aa9a484a2cf242db3b9
|
|
|
01238a |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
01238a |
---
|
|
|
01238a |
lib/curl_sasl.c | 14 ++++++++------
|
|
|
01238a |
lib/http.c | 12 +++++-------
|
|
|
01238a |
lib/url.c | 9 ---------
|
|
|
01238a |
lib/urldata.h | 2 --
|
|
|
01238a |
4 files changed, 13 insertions(+), 24 deletions(-)
|
|
|
01238a |
|
|
|
01238a |
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
|
|
|
01238a |
index 354bc54..c767bef 100644
|
|
|
01238a |
--- a/lib/curl_sasl.c
|
|
|
01238a |
+++ b/lib/curl_sasl.c
|
|
|
01238a |
@@ -269,6 +269,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
|
|
01238a |
data->set.str[STRING_SERVICE_NAME] :
|
|
|
01238a |
sasl->params->service;
|
|
|
01238a |
#endif
|
|
|
01238a |
+ const char *oauth_bearer = data->set.str[STRING_BEARER];
|
|
|
01238a |
|
|
|
01238a |
sasl->force_ir = force_ir; /* Latch for future use */
|
|
|
01238a |
sasl->authused = 0; /* No mechanism used yet */
|
|
|
01238a |
@@ -339,7 +340,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
|
|
01238a |
}
|
|
|
01238a |
else
|
|
|
01238a |
#endif
|
|
|
01238a |
- if((enabledmechs & SASL_MECH_OAUTHBEARER) && conn->oauth_bearer) {
|
|
|
01238a |
+ if((enabledmechs & SASL_MECH_OAUTHBEARER) && oauth_bearer) {
|
|
|
01238a |
mech = SASL_MECH_STRING_OAUTHBEARER;
|
|
|
01238a |
state1 = SASL_OAUTH2;
|
|
|
01238a |
state2 = SASL_OAUTH2_RESP;
|
|
|
01238a |
@@ -349,10 +350,10 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
|
|
01238a |
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
|
|
01238a |
hostname,
|
|
|
01238a |
port,
|
|
|
01238a |
- conn->oauth_bearer,
|
|
|
01238a |
+ oauth_bearer,
|
|
|
01238a |
&resp, &len;;
|
|
|
01238a |
}
|
|
|
01238a |
- else if((enabledmechs & SASL_MECH_XOAUTH2) && conn->oauth_bearer) {
|
|
|
01238a |
+ else if((enabledmechs & SASL_MECH_XOAUTH2) && oauth_bearer) {
|
|
|
01238a |
mech = SASL_MECH_STRING_XOAUTH2;
|
|
|
01238a |
state1 = SASL_OAUTH2;
|
|
|
01238a |
sasl->authused = SASL_MECH_XOAUTH2;
|
|
|
01238a |
@@ -360,7 +361,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
|
|
01238a |
if(force_ir || data->set.sasl_ir)
|
|
|
01238a |
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
|
|
01238a |
NULL, 0,
|
|
|
01238a |
- conn->oauth_bearer,
|
|
|
01238a |
+ oauth_bearer,
|
|
|
01238a |
&resp, &len;;
|
|
|
01238a |
}
|
|
|
01238a |
else if(enabledmechs & SASL_MECH_PLAIN) {
|
|
|
01238a |
@@ -429,6 +430,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
|
|
|
01238a |
char *serverdata;
|
|
|
01238a |
#endif
|
|
|
01238a |
size_t len = 0;
|
|
|
01238a |
+ const char *oauth_bearer = data->set.str[STRING_BEARER];
|
|
|
01238a |
|
|
|
01238a |
*progress = SASL_INPROGRESS;
|
|
|
01238a |
|
|
|
01238a |
@@ -556,7 +558,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
|
|
|
01238a |
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
|
|
01238a |
hostname,
|
|
|
01238a |
port,
|
|
|
01238a |
- conn->oauth_bearer,
|
|
|
01238a |
+ oauth_bearer,
|
|
|
01238a |
&resp, &len;;
|
|
|
01238a |
|
|
|
01238a |
/* Failures maybe sent by the server as continuations for OAUTHBEARER */
|
|
|
01238a |
@@ -565,7 +567,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
|
|
|
01238a |
else
|
|
|
01238a |
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
|
|
01238a |
NULL, 0,
|
|
|
01238a |
- conn->oauth_bearer,
|
|
|
01238a |
+ oauth_bearer,
|
|
|
01238a |
&resp, &len;;
|
|
|
01238a |
break;
|
|
|
01238a |
|
|
|
01238a |
diff --git a/lib/http.c b/lib/http.c
|
|
|
01238a |
index 26eb52d..bf19077 100644
|
|
|
01238a |
--- a/lib/http.c
|
|
|
01238a |
+++ b/lib/http.c
|
|
|
01238a |
@@ -326,7 +326,7 @@ static CURLcode http_output_bearer(struct connectdata *conn)
|
|
|
01238a |
userp = &conn->allocptr.userpwd;
|
|
|
01238a |
free(*userp);
|
|
|
01238a |
*userp = aprintf("Authorization: Bearer %s\r\n",
|
|
|
01238a |
- conn->oauth_bearer);
|
|
|
01238a |
+ conn->data->set.str[STRING_BEARER]);
|
|
|
01238a |
|
|
|
01238a |
if(!*userp) {
|
|
|
01238a |
result = CURLE_OUT_OF_MEMORY;
|
|
|
01238a |
@@ -510,7 +510,7 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
|
|
|
01238a |
CURLcode result = CURLE_OK;
|
|
|
01238a |
unsigned long authmask = ~0ul;
|
|
|
01238a |
|
|
|
01238a |
- if(!conn->oauth_bearer)
|
|
|
01238a |
+ if(!data->set.str[STRING_BEARER])
|
|
|
01238a |
authmask &= (unsigned long)~CURLAUTH_BEARER;
|
|
|
01238a |
|
|
|
01238a |
if(100 <= data->req.httpcode && 199 >= data->req.httpcode)
|
|
|
01238a |
@@ -520,7 +520,7 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
|
|
|
01238a |
if(data->state.authproblem)
|
|
|
01238a |
return data->set.http_fail_on_error?CURLE_HTTP_RETURNED_ERROR:CURLE_OK;
|
|
|
01238a |
|
|
|
01238a |
- if((conn->bits.user_passwd || conn->oauth_bearer) &&
|
|
|
01238a |
+ if((conn->bits.user_passwd || data->set.str[STRING_BEARER]) &&
|
|
|
01238a |
((data->req.httpcode == 401) ||
|
|
|
01238a |
(conn->bits.authneg && data->req.httpcode < 300))) {
|
|
|
01238a |
pickhost = pickoneauth(&data->state.authhost, authmask);
|
|
|
01238a |
@@ -590,9 +590,7 @@ output_auth_headers(struct connectdata *conn,
|
|
|
01238a |
{
|
|
|
01238a |
const char *auth = NULL;
|
|
|
01238a |
CURLcode result = CURLE_OK;
|
|
|
01238a |
-#if !defined(CURL_DISABLE_VERBOSE_STRINGS) || defined(USE_SPNEGO)
|
|
|
01238a |
struct Curl_easy *data = conn->data;
|
|
|
01238a |
-#endif
|
|
|
01238a |
#ifdef USE_SPNEGO
|
|
|
01238a |
struct negotiatedata *negdata = proxy ?
|
|
|
01238a |
&data->state.proxyneg : &data->state.negotiate;
|
|
|
01238a |
@@ -664,7 +662,7 @@ output_auth_headers(struct connectdata *conn,
|
|
|
01238a |
}
|
|
|
01238a |
if(authstatus->picked == CURLAUTH_BEARER) {
|
|
|
01238a |
/* Bearer */
|
|
|
01238a |
- if((!proxy && conn->oauth_bearer &&
|
|
|
01238a |
+ if((!proxy && data->set.str[STRING_BEARER] &&
|
|
|
01238a |
!Curl_checkheaders(conn, "Authorization:"))) {
|
|
|
01238a |
auth = "Bearer";
|
|
|
01238a |
result = http_output_bearer(conn);
|
|
|
01238a |
@@ -722,7 +720,7 @@ Curl_http_output_auth(struct connectdata *conn,
|
|
|
01238a |
authproxy = &data->state.authproxy;
|
|
|
01238a |
|
|
|
01238a |
if((conn->bits.httpproxy && conn->bits.proxy_user_passwd) ||
|
|
|
01238a |
- conn->bits.user_passwd || conn->oauth_bearer)
|
|
|
01238a |
+ conn->bits.user_passwd || data->set.str[STRING_BEARER])
|
|
|
01238a |
/* continue please */;
|
|
|
01238a |
else {
|
|
|
01238a |
authhost->done = TRUE;
|
|
|
01238a |
diff --git a/lib/url.c b/lib/url.c
|
|
|
01238a |
index 4803653..fca0855 100644
|
|
|
01238a |
--- a/lib/url.c
|
|
|
01238a |
+++ b/lib/url.c
|
|
|
01238a |
@@ -686,7 +686,6 @@ static void conn_free(struct connectdata *conn)
|
|
|
01238a |
|
|
|
01238a |
Curl_safefree(conn->user);
|
|
|
01238a |
Curl_safefree(conn->passwd);
|
|
|
01238a |
- Curl_safefree(conn->oauth_bearer);
|
|
|
01238a |
Curl_safefree(conn->options);
|
|
|
01238a |
Curl_safefree(conn->http_proxy.user);
|
|
|
01238a |
Curl_safefree(conn->socks_proxy.user);
|
|
|
01238a |
@@ -4161,14 +4160,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
|
01238a |
}
|
|
|
01238a |
}
|
|
|
01238a |
|
|
|
01238a |
- if(data->set.str[STRING_BEARER]) {
|
|
|
01238a |
- conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
|
|
01238a |
- if(!conn->oauth_bearer) {
|
|
|
01238a |
- result = CURLE_OUT_OF_MEMORY;
|
|
|
01238a |
- goto out;
|
|
|
01238a |
- }
|
|
|
01238a |
- }
|
|
|
01238a |
-
|
|
|
01238a |
#ifdef USE_UNIX_SOCKETS
|
|
|
01238a |
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
|
|
01238a |
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
|
|
01238a |
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
|
01238a |
index 72a36fb..73a185c 100644
|
|
|
01238a |
--- a/lib/urldata.h
|
|
|
01238a |
+++ b/lib/urldata.h
|
|
|
01238a |
@@ -850,8 +850,6 @@ struct connectdata {
|
|
|
01238a |
char *passwd; /* password string, allocated */
|
|
|
01238a |
char *options; /* options string, allocated */
|
|
|
01238a |
|
|
|
01238a |
- char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */
|
|
|
01238a |
-
|
|
|
01238a |
int httpversion; /* the HTTP version*10 reported by the server */
|
|
|
01238a |
int rtspversion; /* the RTSP version*10 reported by the server */
|
|
|
01238a |
|
|
|
01238a |
--
|
|
|
01238a |
2.34.1
|
|
|
01238a |
|
|
|
01238a |
|
|
|
01238a |
From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
|
|
|
01238a |
From: Patrick Monnerat <patrick@monnerat.net>
|
|
|
01238a |
Date: Mon, 25 Apr 2022 11:44:05 +0200
|
|
|
01238a |
Subject: [PATCH 2/2] url: check sasl additional parameters for connection
|
|
|
01238a |
reuse.
|
|
|
01238a |
|
|
|
01238a |
Also move static function safecmp() as non-static Curl_safecmp() since
|
|
|
01238a |
its purpose is needed at several places.
|
|
|
01238a |
|
|
|
01238a |
Bug: https://curl.se/docs/CVE-2022-22576.html
|
|
|
01238a |
|
|
|
01238a |
CVE-2022-22576
|
|
|
01238a |
|
|
|
01238a |
Closes #8746
|
|
|
01238a |
|
|
|
01238a |
Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
|
|
|
01238a |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
01238a |
---
|
|
|
01238a |
lib/strcase.c | 10 ++++++++++
|
|
|
01238a |
lib/strcase.h | 2 ++
|
|
|
01238a |
lib/url.c | 12 +++++++++++-
|
|
|
01238a |
lib/urldata.h | 2 ++
|
|
|
01238a |
lib/vtls/vtls.c | 19 +++++--------------
|
|
|
01238a |
5 files changed, 30 insertions(+), 15 deletions(-)
|
|
|
01238a |
|
|
|
01238a |
diff --git a/lib/strcase.c b/lib/strcase.c
|
|
|
01238a |
index dd46ca1..692a3f1 100644
|
|
|
01238a |
--- a/lib/strcase.c
|
|
|
01238a |
+++ b/lib/strcase.c
|
|
|
01238a |
@@ -165,6 +165,16 @@ void Curl_strntoupper(char *dest, const char *src, size_t n)
|
|
|
01238a |
} while(*src++ && --n);
|
|
|
01238a |
}
|
|
|
01238a |
|
|
|
01238a |
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
|
|
01238a |
+ * null pointers. Return true if arguments match.
|
|
|
01238a |
+ */
|
|
|
01238a |
+bool Curl_safecmp(char *a, char *b)
|
|
|
01238a |
+{
|
|
|
01238a |
+ if(a && b)
|
|
|
01238a |
+ return !strcmp(a, b);
|
|
|
01238a |
+ return !a && !b;
|
|
|
01238a |
+}
|
|
|
01238a |
+
|
|
|
01238a |
/* --- public functions --- */
|
|
|
01238a |
|
|
|
01238a |
int curl_strequal(const char *first, const char *second)
|
|
|
01238a |
diff --git a/lib/strcase.h b/lib/strcase.h
|
|
|
01238a |
index b628656..382b80a 100644
|
|
|
01238a |
--- a/lib/strcase.h
|
|
|
01238a |
+++ b/lib/strcase.h
|
|
|
01238a |
@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
|
|
|
01238a |
|
|
|
01238a |
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
|
|
01238a |
|
|
|
01238a |
+bool Curl_safecmp(char *a, char *b);
|
|
|
01238a |
+
|
|
|
01238a |
#endif /* HEADER_CURL_STRCASE_H */
|
|
|
01238a |
diff --git a/lib/url.c b/lib/url.c
|
|
|
01238a |
index adef2cd..94e3406 100644
|
|
|
01238a |
--- a/lib/url.c
|
|
|
01238a |
+++ b/lib/url.c
|
|
|
01238a |
@@ -701,6 +701,7 @@ static void conn_free(struct connectdata *conn)
|
|
|
01238a |
Curl_safefree(conn->allocptr.host);
|
|
|
01238a |
Curl_safefree(conn->allocptr.cookiehost);
|
|
|
01238a |
Curl_safefree(conn->allocptr.rtsp_transport);
|
|
|
01238a |
+ Curl_safefree(conn->oauth_bearer);
|
|
|
01238a |
Curl_safefree(conn->trailer);
|
|
|
01238a |
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
|
|
01238a |
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
|
|
|
01238a |
@@ -1291,7 +1292,8 @@ ConnectionExists(struct Curl_easy *data,
|
|
|
01238a |
/* This protocol requires credentials per connection,
|
|
|
01238a |
so verify that we're using the same name and password as well */
|
|
|
01238a |
if(strcmp(needle->user, check->user) ||
|
|
|
01238a |
- strcmp(needle->passwd, check->passwd)) {
|
|
|
01238a |
+ strcmp(needle->passwd, check->passwd) ||
|
|
|
01238a |
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
|
|
|
01238a |
/* one of them was different */
|
|
|
01238a |
continue;
|
|
|
01238a |
}
|
|
|
01238a |
@@ -4160,6 +4162,14 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
|
01238a |
}
|
|
|
01238a |
}
|
|
|
01238a |
|
|
|
01238a |
+ if(data->set.str[STRING_BEARER]) {
|
|
|
01238a |
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
|
|
01238a |
+ if(!conn->oauth_bearer) {
|
|
|
01238a |
+ result = CURLE_OUT_OF_MEMORY;
|
|
|
01238a |
+ goto out;
|
|
|
01238a |
+ }
|
|
|
01238a |
+ }
|
|
|
01238a |
+
|
|
|
01238a |
#ifdef USE_UNIX_SOCKETS
|
|
|
01238a |
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
|
|
01238a |
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
|
|
01238a |
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
|
01238a |
index cc8a600..03da59a 100644
|
|
|
01238a |
--- a/lib/urldata.h
|
|
|
01238a |
+++ b/lib/urldata.h
|
|
|
01238a |
@@ -850,6 +850,8 @@ struct connectdata {
|
|
|
01238a |
char *passwd; /* password string, allocated */
|
|
|
01238a |
char *options; /* options string, allocated */
|
|
|
01238a |
|
|
|
01238a |
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
|
|
|
01238a |
+
|
|
|
01238a |
int httpversion; /* the HTTP version*10 reported by the server */
|
|
|
01238a |
int rtspversion; /* the RTSP version*10 reported by the server */
|
|
|
01238a |
|
|
|
01238a |
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
|
|
01238a |
index 03b85ba..a40ac06 100644
|
|
|
01238a |
--- a/lib/vtls/vtls.c
|
|
|
01238a |
+++ b/lib/vtls/vtls.c
|
|
|
01238a |
@@ -82,15 +82,6 @@
|
|
|
01238a |
else \
|
|
|
01238a |
dest->var = NULL;
|
|
|
01238a |
|
|
|
01238a |
-static bool safecmp(char *a, char *b)
|
|
|
01238a |
-{
|
|
|
01238a |
- if(a && b)
|
|
|
01238a |
- return !strcmp(a, b);
|
|
|
01238a |
- else if(!a && !b)
|
|
|
01238a |
- return TRUE; /* match */
|
|
|
01238a |
- return FALSE; /* no match */
|
|
|
01238a |
-}
|
|
|
01238a |
-
|
|
|
01238a |
bool
|
|
|
01238a |
Curl_ssl_config_matches(struct ssl_primary_config* data,
|
|
|
01238a |
struct ssl_primary_config* needle)
|
|
|
01238a |
@@ -100,11 +91,11 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
|
|
|
01238a |
(data->verifypeer == needle->verifypeer) &&
|
|
|
01238a |
(data->verifyhost == needle->verifyhost) &&
|
|
|
01238a |
(data->verifystatus == needle->verifystatus) &&
|
|
|
01238a |
- safecmp(data->CApath, needle->CApath) &&
|
|
|
01238a |
- safecmp(data->CAfile, needle->CAfile) &&
|
|
|
01238a |
- safecmp(data->clientcert, needle->clientcert) &&
|
|
|
01238a |
- safecmp(data->random_file, needle->random_file) &&
|
|
|
01238a |
- safecmp(data->egdsocket, needle->egdsocket) &&
|
|
|
01238a |
+ Curl_safecmp(data->CApath, needle->CApath) &&
|
|
|
01238a |
+ Curl_safecmp(data->CAfile, needle->CAfile) &&
|
|
|
01238a |
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
|
|
|
01238a |
+ Curl_safecmp(data->random_file, needle->random_file) &&
|
|
|
01238a |
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
|
|
01238a |
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
|
|
01238a |
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
|
|
|
01238a |
return TRUE;
|
|
|
01238a |
--
|
|
|
01238a |
2.34.1
|
|
|
01238a |
|