transfer: strip credentials from the auto-referer header field (CVE-2021-22876)

Closes: #986269
author: Salvatore Bonaccorso <carnil@debian.org> 2021-04-02 08:51:47 +0200
committer: Salvatore Bonaccorso <carnil@debian.org> 2021-04-03 14:58:43 +0200
commit: 2ce993e0d1686f3f593c4ac1130db000066e715c (patch)
tree: c91e1bfae907464a9d06ec509ec9692d1fa04ba0
parent: 4c763143767e46cb91069e496ff385810336e520 (diff)
2 files changed, 141 insertions, 0 deletions
diff --git a/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch b/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch
new file mode 100644
index 00000000..126e05ec
--- /dev/null
+++ b/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch
@@ -0,0 +1,140 @@
+From: Viktor Szakats <commit@vsz.me>
+Date: Tue, 23 Feb 2021 14:54:46 +0100
+Subject: transfer: strip credentials from the auto-referer header field
+Origin: https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-22876
+
+Added test 2081 to verify.
+
+CVE-2021-22876
+
+Bug: https://curl.se/docs/CVE-2021-22876.html
+---
+ lib/transfer.c          | 25 ++++++++++++++--
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test2081     | 66 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 90 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test2081
+
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1588,6 +1588,9 @@ CURLcode Curl_follow(struct Curl_easy *d
+       data->set.followlocation++; /* count location-followers */
+ 
+       if(data->set.http_auto_referer) {
++        CURLU *u;
++        char *referer;
++
+         /* We are asked to automatically set the previous URL as the referer
+            when we get the next URL. We pick the ->url field, which may or may
+            not be 100% correct */
+@@ -1597,9 +1600,27 @@ CURLcode Curl_follow(struct Curl_easy *d
+           data->change.referer_alloc = FALSE;
+         }
+ 
+-        data->change.referer = strdup(data->change.url);
+-        if(!data->change.referer)
++        /* Make a copy of the URL without crenditals and fragment */
++        u = curl_url();
++        if(!u)
++          return CURLE_OUT_OF_MEMORY;
++
++        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
++        if(!uc)
++          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
++        if(!uc)
++          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
++
++        curl_url_cleanup(u);
++
++        if(uc || referer == NULL)
+           return CURLE_OUT_OF_MEMORY;
++
++        data->change.referer = referer;
+         data->change.referer_alloc = TRUE; /* yes, free this later */
+       }
+     }
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -218,7 +218,7 @@ test2064 test2065 test2066 test2067 test
+ test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
+          test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
+ test2078 \
+-test2080 \
++test2080 test2081 \
+ test2100 \
+ \
+ test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \
+--- /dev/null
++++ b/tests/data/test2081
+@@ -0,0 +1,66 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP GET
++referer
++followlocation
++--write-out
++</keywords>
++</info>
++
++# Server-side
++<reply>
++<data nocheck="yes">
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++This server reply is for testing a simple Location: following
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Automatic referrer credential and anchor stripping check
++ </name>
++ <command>
++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++<errorcode>
++52
++</errorcode>
++<protocol>
++GET /we/want/our/%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++
++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic dXNlcjpwYXNz
++User-Agent: curl/%VERSION
++Accept: */*
++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++
++</protocol>
++<stdout>
++HTTP/1.1 301 This is a weirdo text message swsclose
++Location: data/%TESTNUMBER0002.txt?coolsite=yes
++Content-Length: 62
++Connection: close
++
++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
++</stdout>
++</verify>
++</testcase>
diff --git a/debian/patches/series b/debian/patches/series
index 07778406..0c2a66e5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,6 +5,7 @@
 11_omit-directories-from-config.patch
 12_use-python3-in-tests.patch
 13_fix-man-formatting.patch
+14_transfer-strip-credentials-from-the-auto-referer-hea.patch
 
 # do not add patches below
 90_gnutls.patch
author	Salvatore Bonaccorso <carnil@debian.org>	2021-04-02 08:51:47 +0200
committer	Salvatore Bonaccorso <carnil@debian.org>	2021-04-03 14:58:43 +0200
commit	2ce993e0d1686f3f593c4ac1130db000066e715c (patch)
tree	c91e1bfae907464a9d06ec509ec9692d1fa04ba0
parent	4c763143767e46cb91069e496ff385810336e520 (diff)