1 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
new file mode 100644
index 0000000000..fc396aabef
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
@@ -0,0 +1,59 @@
+transfer: strip credentials from the auto-referer header field
+CVE-2021-22876
+Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
+Bug: https://curl.se/docs/CVE-2021-22876.html
+Upstream-Status: backport
+---
+ lib/transfer.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+diff --git a/lib/transfer.c b/lib/transfer.c
+index e76834eb3..744e1c00b 100644
+--- a/lib/transfer.c
+++ b/lib/transfer.c
+@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
+       data->set.followlocation++; /* count location-followers */
+ 
+       if(data->set.http_auto_referer) {
+        CURLU *u;
+        char *referer;
+
+         /* We are asked to automatically set the previous URL as the referer
+            when we get the next URL. We pick the ->url field, which may or may
+            not be 100% correct */
+@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
+           data->change.referer_alloc = FALSE;
+         }
+ 
+-        data->change.referer = strdup(data->change.url);
+-        if(!data->change.referer)
+        /* Make a copy of the URL without crenditals and fragment */
+        u = curl_url();
+        if(!u)
+          return CURLE_OUT_OF_MEMORY;
+
+        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
+        if(!uc)
+          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
+
+        curl_url_cleanup(u);
+
+        if(uc || referer == NULL)
+           return CURLE_OUT_OF_MEMORY;
+
+        data->change.referer = referer;
+         data->change.referer_alloc = TRUE; /* yes, free this later */
+       }
+     }
+-- 
+2.20.1

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch b/meta/recipes-support/curl/curl/CVE-2021-22876.patch new file mode 100644 index 0000000000..fc396aabef --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch
@@ -0,0 +1,59 @@
	1	transfer: strip credentials from the auto-referer header field
	2
	3	CVE-2021-22876
	4
	5	Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.
	6
	7	Bug: https://curl.se/docs/CVE-2021-22876.html
	8	Upstream-Status: backport
	9	---
	10	lib/transfer.c \| 25 +++++++++++++++++++++++--
	11	1 file changed, 23 insertions(+), 2 deletions(-)
	12
	13	diff --git a/lib/transfer.c b/lib/transfer.c
	14	index e76834eb3..744e1c00b 100644
	15	--- a/lib/transfer.c
	16	+++ b/lib/transfer.c
	17	@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
	18	data->set.followlocation++; /* count location-followers */
	19
	20	if(data->set.http_auto_referer) {
	21	+ CURLU *u;
	22	+ char *referer;
	23	+
	24	/* We are asked to automatically set the previous URL as the referer
	25	when we get the next URL. We pick the ->url field, which may or may
	26	not be 100% correct */
	27	@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
	28	data->change.referer_alloc = FALSE;
	29	}
	30
	31	- data->change.referer = strdup(data->change.url);
	32	- if(!data->change.referer)
	33	+ /* Make a copy of the URL without crenditals and fragment */
	34	+ u = curl_url();
	35	+ if(!u)
	36	+ return CURLE_OUT_OF_MEMORY;
	37	+
	38	+ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
	39	+ if(!uc)
	40	+ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
	41	+ if(!uc)
	42	+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
	43	+ if(!uc)
	44	+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
	45	+ if(!uc)
	46	+ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
	47	+
	48	+ curl_url_cleanup(u);
	49	+
	50	+ if(uc \|\| referer == NULL)
	51	return CURLE_OUT_OF_MEMORY;
	52	+
	53	+ data->change.referer = referer;
	54	data->change.referer_alloc = TRUE; /* yes, free this later */
	55	}
	56	}
	57	--
	58	2.20.1
	59