diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2021-04-02 08:51:47 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-04-03 14:58:43 +0200 |
commit | 2ce993e0d1686f3f593c4ac1130db000066e715c (patch) | |
tree | c91e1bfae907464a9d06ec509ec9692d1fa04ba0 | |
parent | 4c763143767e46cb91069e496ff385810336e520 (diff) |
transfer: strip credentials from the auto-referer header field (CVE-2021-22876)
Closes: #986269
-rw-r--r-- | debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch | 140 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 141 insertions, 0 deletions
diff --git a/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch b/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch new file mode 100644 index 00000000..126e05ec --- /dev/null +++ b/debian/patches/14_transfer-strip-credentials-from-the-auto-referer-hea.patch @@ -0,0 +1,140 @@ +From: Viktor Szakats <commit@vsz.me> +Date: Tue, 23 Feb 2021 14:54:46 +0100 +Subject: transfer: strip credentials from the auto-referer header field +Origin: https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-22876 + +Added test 2081 to verify. + +CVE-2021-22876 + +Bug: https://curl.se/docs/CVE-2021-22876.html +--- + lib/transfer.c | 25 ++++++++++++++-- + tests/data/Makefile.inc | 2 +- + tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 90 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test2081 + +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1588,6 +1588,9 @@ CURLcode Curl_follow(struct Curl_easy *d + data->set.followlocation++; /* count location-followers */ + + if(data->set.http_auto_referer) { ++ CURLU *u; ++ char *referer; ++ + /* We are asked to automatically set the previous URL as the referer + when we get the next URL. We pick the ->url field, which may or may + not be 100% correct */ +@@ -1597,9 +1600,27 @@ CURLcode Curl_follow(struct Curl_easy *d + data->change.referer_alloc = FALSE; + } + +- data->change.referer = strdup(data->change.url); +- if(!data->change.referer) ++ /* Make a copy of the URL without crenditals and fragment */ ++ u = curl_url(); ++ if(!u) ++ return CURLE_OUT_OF_MEMORY; ++ ++ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_USER, NULL, 0); ++ if(!uc) ++ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); ++ if(!uc) ++ uc = curl_url_get(u, CURLUPART_URL, &referer, 0); ++ ++ curl_url_cleanup(u); ++ ++ if(uc || referer == NULL) + return CURLE_OUT_OF_MEMORY; ++ ++ data->change.referer = referer; + data->change.referer_alloc = TRUE; /* yes, free this later */ + } + } +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -218,7 +218,7 @@ test2064 test2065 test2066 test2067 test + test2064 test2065 test2066 test2067 test2068 test2069 test2070 \ + test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ + test2078 \ +-test2080 \ ++test2080 test2081 \ + test2100 \ + \ + test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \ +--- /dev/null ++++ b/tests/data/test2081 +@@ -0,0 +1,66 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP GET ++referer ++followlocation ++--write-out ++</keywords> ++</info> ++ ++# Server-side ++<reply> ++<data nocheck="yes"> ++HTTP/1.1 301 This is a weirdo text message swsclose ++Location: data/%TESTNUMBER0002.txt?coolsite=yes ++Content-Length: 62 ++Connection: close ++ ++This server reply is for testing a simple Location: following ++</data> ++</reply> ++ ++# Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++Automatic referrer credential and anchor stripping check ++ </name> ++ <command> ++http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n' ++</command> ++</client> ++ ++# Verify data after the test has been "shot" ++<verify> ++<errorcode> ++52 ++</errorcode> ++<protocol> ++GET /we/want/our/%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic dXNlcjpwYXNz ++User-Agent: curl/%VERSION ++Accept: */* ++ ++GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic dXNlcjpwYXNz ++User-Agent: curl/%VERSION ++Accept: */* ++Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++ ++</protocol> ++<stdout> ++HTTP/1.1 301 This is a weirdo text message swsclose ++Location: data/%TESTNUMBER0002.txt?coolsite=yes ++Content-Length: 62 ++Connection: close ++ ++http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER ++</stdout> ++</verify> ++</testcase> diff --git a/debian/patches/series b/debian/patches/series index 07778406..0c2a66e5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,6 +5,7 @@ 11_omit-directories-from-config.patch 12_use-python3-in-tests.patch 13_fix-man-formatting.patch +14_transfer-strip-credentials-from-the-auto-referer-hea.patch # do not add patches below 90_gnutls.patch |