Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2022-27776.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-27776.patch | 114 |
1 files changed, 114 insertions, 0 deletions
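--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
@@ -0,0 +1,114 @@
+From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+---
+lib/http.c | 34 ++++++++++++++++++++++------------
+lib/urldata.h | 16 +++++++++-------
+2 files changed, 31 insertions(+), 19 deletions(-)
+
+CVE: CVE-2022-27776
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch]
+Comment: Refreshed patch
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/lib/http.c b/lib/http.c
+index ce79fc4e31c8..f0476f3b9272 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -731,6 +731,21 @@
+return CURLE_OK;
+}
+
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++ struct connectdata *conn = data->conn;
++ return (!data->state.this_is_a_follow ||
++ data->set.allow_auth_to_other_hosts ||
++ (data->state.first_host &&
++ strcasecompare(data->state.first_host, conn->host.name) &&
++ (data->state.first_remote_port == conn->remote_port) &&
++ (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+/**
+* Curl_http_output_auth() setups the authentication headers for the
+* host/proxy and the correct authentication
+@@ -799,15 +799,12 @@
+with it */
+authproxy->done = TRUE;
+
+- /* To prevent the user+password to get sent to other than the original
+- host due to a location-follow, we do some weirdo checks here */
+- if(!data->state.this_is_a_follow ||
+- conn->bits.netrc ||
+- !data->state.first_host ||
+- data->set.allow_auth_to_other_hosts ||
+- strcasecompare(data->state.first_host, conn->host.name)) {
++ /* To prevent the user+password to get sent to other than the original host
++ due to a location-follow */
++ if(allow_auth_to_host(data)
++ || conn->bits.netrc
++ )
+result = output_auth_headers(conn, authhost, request, path, FALSE);
+- }
+else
+authhost->done = TRUE;
+
+@@ -1879,10 +1891,7 @@
+checkprefix("Cookie:", compare)) &&
+/* be careful of sending this potentially sensitive header to
+other hosts */
+- (data->state.this_is_a_follow &&
+- data->state.first_host &&
+- !data->set.allow_auth_to_other_hosts &&
+- !strcasecompare(data->state.first_host, conn->host.name)))
++ !allow_auth_to_host(data))
+;
+else {
+result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare);
+@@ -2065,6 +2074,7 @@
+return CURLE_OUT_OF_MEMORY;
+
+data->state.first_remote_port = conn->remote_port;
++ data->state.first_remote_protocol = conn->handler->protocol;
+}
+
+if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 1d89b8d7fa68..ef2174d9e727 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1342,13 +1342,15 @@
+char *ulbuf; /* allocated upload buffer or NULL */
+curl_off_t current_speed; /* the ProgressShow() function sets this,
+bytes / second */
+- char *first_host; /* host name of the first (not followed) request.
+- if set, this should be the host name that we will
+- sent authorization to, no else. Used to make Location:
+- following not keep sending user+password... This is
+- strdup() data.
+- */
+- int first_remote_port; /* remote port of the first (not followed) request */
++
++ /* host name, port number and protocol of the first (not followed) request.
++ if set, this should be the host name that we will sent authorization to,
++ no else. Used to make Location: following not keep sending user+password.
++ This is strdup()ed data. */
++ char *first_host;
++ int first_remote_port;
++ unsigned int first_remote_protocol;
++
+struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+long sessionage; /* number of the most recent session */
+unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */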
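Review bot: In the embedded lib/http.c hunk `@@ -799,15 +799,12 @@`, the `conn->bits.netrc` term is OR-ed outside `allow_auth_to_host(data)`, so the new port and protocol comparison does not apply when that bit is set and `output_auth_headers()` still runs on a followed redirect. If that is intentional (presumably because netrc credentials are selected for the host currently being contacted, which is not visible here), it needs a comment saying so, for example `/* netrc credentials are looked up for the current host, so they are not subject to the first-host check */`. As far as the netrc format goes, entries are keyed by machine name only, so it is worth confirming that the same-host, different-port redirect this CVE addresses is covered on that path too. The refresh also left the condition split across three lines with a dangling `)` and an unbraced `if`/`else`; `if(allow_auth_to_host(data) || conn->bits.netrc) {` with the braces kept would be harder to misread. The enclosing function starts and ends outside the hunk.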