|
|
7d7193 |
From 005d3f387bc5c3b2ee94d0597b5e202644c825f5 Mon Sep 17 00:00:00 2001
|
|
|
7d7193 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
7d7193 |
Date: Wed, 31 Oct 2018 11:08:49 +0100
|
|
|
7d7193 |
Subject: [PATCH 1/3] runtests: use the local curl for verifying
|
|
|
7d7193 |
|
|
|
7d7193 |
... revert the mistaken change brought in commit 8440616f53.
|
|
|
7d7193 |
|
|
|
7d7193 |
Reported-by: Alessandro Ghedini
|
|
|
7d7193 |
Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html
|
|
|
7d7193 |
|
|
|
7d7193 |
Closes #3198
|
|
|
7d7193 |
|
|
|
7d7193 |
Upstream-commit: 8effa8c2b09906a2f00a3f08322dc5da35245b0a
|
|
|
7d7193 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
7d7193 |
---
|
|
|
7d7193 |
tests/runtests.pl | 2 +-
|
|
|
7d7193 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
7d7193 |
|
|
|
7d7193 |
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
|
|
7d7193 |
index 8d8ed81..d62fa40 100755
|
|
|
7d7193 |
--- a/tests/runtests.pl
|
|
|
7d7193 |
+++ b/tests/runtests.pl
|
|
|
7d7193 |
@@ -152,7 +152,7 @@ my $NEGTELNETPORT; # TELNET server port with negotiation
|
|
|
7d7193 |
|
|
|
7d7193 |
my $srcdir = $ENV{'srcdir'} || '.';
|
|
|
7d7193 |
my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests
|
|
|
7d7193 |
-my $VCURL="curl"; # what curl binary to use to verify the servers with
|
|
|
7d7193 |
+my $VCURL=$CURL; # what curl binary to use to verify the servers with
|
|
|
7d7193 |
# VCURL is handy to set to the system one when the one you
|
|
|
7d7193 |
# just built hangs or crashes and thus prevent verification
|
|
|
7d7193 |
my $DBGCURL=$CURL; #"../src/.libs/curl"; # alternative for debugging
|
|
|
7d7193 |
--
|
|
|
7d7193 |
2.37.3
|
|
|
7d7193 |
|
|
|
7d7193 |
|
|
|
7d7193 |
From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
|
|
|
7d7193 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
7d7193 |
Date: Mon, 29 Aug 2022 00:09:17 +0200
|
|
|
7d7193 |
Subject: [PATCH 2/3] cookie: reject cookies with "control bytes"
|
|
|
7d7193 |
|
|
|
7d7193 |
Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
|
|
|
7d7193 |
|
|
|
7d7193 |
Reported-by: Axel Chong
|
|
|
7d7193 |
|
|
|
7d7193 |
Bug: https://curl.se/docs/CVE-2022-35252.html
|
|
|
7d7193 |
|
|
|
7d7193 |
CVE-2022-35252
|
|
|
7d7193 |
|
|
|
7d7193 |
Closes #9381
|
|
|
7d7193 |
|
|
|
7d7193 |
Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
|
|
|
7d7193 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
7d7193 |
---
|
|
|
7d7193 |
lib/cookie.c | 29 +++++++++++++++++++++++++++++
|
|
|
7d7193 |
1 file changed, 29 insertions(+)
|
|
|
7d7193 |
|
|
|
7d7193 |
diff --git a/lib/cookie.c b/lib/cookie.c
|
|
|
7d7193 |
index cb0c03b..e0470a1 100644
|
|
|
7d7193 |
--- a/lib/cookie.c
|
|
|
7d7193 |
+++ b/lib/cookie.c
|
|
|
7d7193 |
@@ -371,6 +371,30 @@ static void strstore(char **str, const char *newstr)
|
|
|
7d7193 |
*str = strdup(newstr);
|
|
|
7d7193 |
}
|
|
|
7d7193 |
|
|
|
7d7193 |
+/*
|
|
|
7d7193 |
+ RFC 6265 section 4.1.1 says a server should accept this range:
|
|
|
7d7193 |
+
|
|
|
7d7193 |
+ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
|
|
|
7d7193 |
+
|
|
|
7d7193 |
+ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
|
|
|
7d7193 |
+ fine. The prime reason for filtering out control bytes is that some HTTP
|
|
|
7d7193 |
+ servers return 400 for requests that contain such.
|
|
|
7d7193 |
+*/
|
|
|
7d7193 |
+static int invalid_octets(const char *p)
|
|
|
7d7193 |
+{
|
|
|
7d7193 |
+ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
|
|
|
7d7193 |
+ static const char badoctets[] = {
|
|
|
7d7193 |
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
|
|
|
7d7193 |
+ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
|
|
|
7d7193 |
+ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
|
|
|
7d7193 |
+ };
|
|
|
7d7193 |
+ size_t vlen, len;
|
|
|
7d7193 |
+ /* scan for all the octets that are *not* in cookie-octet */
|
|
|
7d7193 |
+ len = strcspn(p, badoctets);
|
|
|
7d7193 |
+ vlen = strlen(p);
|
|
|
7d7193 |
+ return (len != vlen);
|
|
|
7d7193 |
+}
|
|
|
7d7193 |
+
|
|
|
7d7193 |
/*
|
|
|
7d7193 |
* remove_expired() removes expired cookies.
|
|
|
7d7193 |
*/
|
|
|
7d7193 |
@@ -541,6 +565,11 @@ Curl_cookie_add(struct Curl_easy *data,
|
|
|
7d7193 |
badcookie = TRUE;
|
|
|
7d7193 |
break;
|
|
|
7d7193 |
}
|
|
|
7d7193 |
+ if(invalid_octets(whatptr) || invalid_octets(name)) {
|
|
|
7d7193 |
+ infof(data, "invalid octets in name/value, cookie dropped");
|
|
|
7d7193 |
+ badcookie = TRUE;
|
|
|
7d7193 |
+ break;
|
|
|
7d7193 |
+ }
|
|
|
7d7193 |
}
|
|
|
7d7193 |
else if(!len) {
|
|
|
7d7193 |
/* this was a "<name>=" with no content, and we must allow
|
|
|
7d7193 |
--
|
|
|
7d7193 |
2.37.1
|
|
|
7d7193 |
|
|
|
7d7193 |
|
|
|
7d7193 |
From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
|
|
|
7d7193 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
7d7193 |
Date: Mon, 29 Aug 2022 00:09:17 +0200
|
|
|
7d7193 |
Subject: [PATCH 3/3] test8: verify that "ctrl-byte cookies" are ignored
|
|
|
7d7193 |
|
|
|
7d7193 |
Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
|
|
|
7d7193 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
7d7193 |
---
|
|
|
7d7193 |
tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
|
|
|
7d7193 |
1 file changed, 31 insertions(+), 1 deletion(-)
|
|
|
7d7193 |
|
|
|
7d7193 |
diff --git a/tests/data/test8 b/tests/data/test8
|
|
|
7d7193 |
index a8548e6..8587611 100644
|
|
|
7d7193 |
--- a/tests/data/test8
|
|
|
7d7193 |
+++ b/tests/data/test8
|
|
|
7d7193 |
@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want;
|
|
|
7d7193 |
Set-Cookie: nocookie=yes; path=/WE;
|
|
|
7d7193 |
Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
|
|
|
7d7193 |
Set-Cookie: partialip=nono; domain=.0.0.1;
|
|
|
7d7193 |
+Set-Cookie: cookie1=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie2=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie3=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie4=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie5=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie6=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie7=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie8=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie9=junk- -
|
|
|
7d7193 |
+Set-Cookie: cookie11=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie12=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie14=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie15=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie16=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie17=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie18=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie19=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie20=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie21=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie22=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie23=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie24=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie25=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie26=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie27=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie28=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie29=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie30=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie31=?-junk
|
|
|
7d7193 |
+Set-Cookie: cookie31=-junk
|
|
|
7d7193 |
|
|
|
7d7193 |
</file>
|
|
|
7d7193 |
<precheck>
|
|
|
7d7193 |
@@ -62,7 +92,7 @@ perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs endi
|
|
|
7d7193 |
GET /we/want/8 HTTP/1.1
|
|
|
7d7193 |
Host: %HOSTIP:%HTTPPORT
|
|
|
7d7193 |
Accept: */*
|
|
|
7d7193 |
-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
|
|
|
7d7193 |
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- -
|
|
|
7d7193 |
|
|
|
7d7193 |
</protocol>
|
|
|
7d7193 |
</verify>
|
|
|
7d7193 |
--
|
|
|
7d7193 |
2.37.1
|
|
|
7d7193 |
|