diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2021-22876.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22876.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22876.patch b/meta/recipes-support/curl/curl/CVE-2021-22876.patch new file mode 100644 index 0000000000..fc396aabef --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22876.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | transfer: strip credentials from the auto-referer header field | ||
2 | |||
3 | CVE-2021-22876 | ||
4 | |||
5 | Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5. | ||
6 | |||
7 | Bug: https://curl.se/docs/CVE-2021-22876.html | ||
8 | Upstream-Status: backport | ||
9 | --- | ||
10 | lib/transfer.c | 25 +++++++++++++++++++++++-- | ||
11 | 1 file changed, 23 insertions(+), 2 deletions(-) | ||
12 | |||
13 | diff --git a/lib/transfer.c b/lib/transfer.c | ||
14 | index e76834eb3..744e1c00b 100644 | ||
15 | --- a/lib/transfer.c | ||
16 | +++ b/lib/transfer.c | ||
17 | @@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data, | ||
18 | data->set.followlocation++; /* count location-followers */ | ||
19 | |||
20 | if(data->set.http_auto_referer) { | ||
21 | + CURLU *u; | ||
22 | + char *referer; | ||
23 | + | ||
24 | /* We are asked to automatically set the previous URL as the referer | ||
25 | when we get the next URL. We pick the ->url field, which may or may | ||
26 | not be 100% correct */ | ||
27 | @@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data, | ||
28 | data->change.referer_alloc = FALSE; | ||
29 | } | ||
30 | |||
31 | - data->change.referer = strdup(data->change.url); | ||
32 | - if(!data->change.referer) | ||
33 | + /* Make a copy of the URL without crenditals and fragment */ | ||
34 | + u = curl_url(); | ||
35 | + if(!u) | ||
36 | + return CURLE_OUT_OF_MEMORY; | ||
37 | + | ||
38 | + uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); | ||
39 | + if(!uc) | ||
40 | + uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); | ||
41 | + if(!uc) | ||
42 | + uc = curl_url_set(u, CURLUPART_USER, NULL, 0); | ||
43 | + if(!uc) | ||
44 | + uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); | ||
45 | + if(!uc) | ||
46 | + uc = curl_url_get(u, CURLUPART_URL, &referer, 0); | ||
47 | + | ||
48 | + curl_url_cleanup(u); | ||
49 | + | ||
50 | + if(uc || referer == NULL) | ||
51 | return CURLE_OUT_OF_MEMORY; | ||
52 | + | ||
53 | + data->change.referer = referer; | ||
54 | data->change.referer_alloc = TRUE; /* yes, free this later */ | ||
55 | } | ||
56 | } | ||
57 | -- | ||
58 | 2.20.1 | ||
59 | |||