meta/recipes-support/curl/curl/CVE-2022-27774-3.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

From 5dccf21ad49eed925e8f76b0cb844877239ce23d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Apr 2022 17:59:15 +0200
Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either

Follow-up to 620ea21410030

Reported-by: Harry Sintonen
Closes #8751

Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
 lib/http.c         | 10 +++++-----
 lib/http.h         |  6 ++++++
 lib/vtls/openssl.c |  3 ++-
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/lib/http.c b/lib/http.c
index 8b16c09..5291c07 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -732,10 +732,10 @@ output_auth_headers(struct connectdata *conn,
 }
 
 /*
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
- * data" can (still) be sent to this host.
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
  */
-static bool allow_auth_to_host(struct Curl_easy *data)
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
 {
   struct connectdata *conn = data->conn;
   return (!data->state.this_is_a_follow ||
@@ -816,7 +816,7 @@ Curl_http_output_auth(struct connectdata *conn,
 
   /* To prevent the user+password to get sent to other than the original host
      due to a location-follow */
-  if(allow_auth_to_host(data)
+  if(Curl_allow_auth_to_host(data)
      || conn->bits.netrc
     )
     result = output_auth_headers(conn, authhost, request, path, FALSE);
@@ -1891,7 +1891,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
                    checkprefix("Cookie:", compare)) &&
                   /* be careful of sending this potentially sensitive header to
                      other hosts */
-                  !allow_auth_to_host(data))			  
+                  !Curl_allow_auth_to_host(data))			  
             ;
           else {
             result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare);
diff --git a/lib/http.h b/lib/http.h
index 4c1825f..4fbae1d 100644
--- a/lib/http.h
+++ b/lib/http.h
@@ -273,4 +273,10 @@ Curl_http_output_auth(struct connectdata *conn,
                       bool proxytunnel); /* TRUE if this is the request setting
                                             up the proxy tunnel */
 
+/*
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
+ * "sensitive data" can (still) be sent to this host.
+ */
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
+
 #endif /* HEADER_CURL_HTTP_H */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 006a8c8..a14cecc 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2739,7 +2739,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 #endif
 
 #ifdef USE_TLS_SRP
-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
+     Curl_allow_auth_to_host(data)) {
     char * const ssl_username = SSL_SET_OPTION(username);
 
     infof(data, "Using TLS-SRP username: %s\n", ssl_username);