From 24ff6b126726201cf778038c332b3b921c7f5b2f Mon Sep 17 00:00:00 2001
|
||
|
From: Katsuhiko YOSHIDA <claddvd@gmail.com>
|
||
|
Date: Sun, 30 Dec 2018 09:44:30 +0900
|
||
|
Subject: [PATCH 1/6] cookies: skip custom cookies when redirecting cross-site
|
||
|
|
||
|
Closes #3417
|
||
|
|
||
|
Upstream-commit: 1f30dc886d1a4a6e81599a9f5f5e9f60d97801d4
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 4 ++
|
||
|
lib/http.c | 3 +-
|
||
|
tests/data/Makefile.inc | 2 +-
|
||
|
tests/data/test330 | 90 ++++++++++++++++++++++++++
|
||
|
4 files changed, 97 insertions(+), 2 deletions(-)
|
||
|
create mode 100644 tests/data/test330
|
||
|
|
||
|
diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
|
||
|
index f5826e1..4af69f4 100644
|
||
|
--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
|
||
|
+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
|
||
|
@@ -88,6 +88,10 @@ those servers will get all the contents of your custom headers too.
|
||
|
Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
|
||
|
from being sent to other hosts than the first used one, unless specifically
|
||
|
permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option.
|
||
|
+
|
||
|
+Starting in 7.64.0, libcurl will specifically prevent "Cookie:" headers
|
||
|
+from being sent to other hosts than the first used one, unless specifically
|
||
|
+permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option.
|
||
|
.SH DEFAULT
|
||
|
NULL
|
||
|
.SH PROTOCOLS
|
||
|
diff --git a/lib/http.c b/lib/http.c
|
||
|
index bf19077..0b5e476 100644
|
||
|
--- a/lib/http.c
|
||
|
+++ b/lib/http.c
|
||
|
@@ -1774,7 +1774,8 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
|
||
|
checkprefix("Transfer-Encoding:", headers->data))
|
||
|
/* HTTP/2 doesn't support chunked requests */
|
||
|
;
|
||
|
- else if(checkprefix("Authorization:", headers->data) &&
|
||
|
+ else if((checkprefix("Authorization:", headers->data) ||
|
||
|
+ checkprefix("Cookie:", headers->data)) &&
|
||
|
/* be careful of sending this potentially sensitive header to
|
||
|
other hosts */
|
||
|
(data->state.this_is_a_follow &&
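Review bot: The new `Cookie:` branch reuses the follow check beginning on the last line of the hunk, and the part visible here only compares the first host name against `conn->host.name`, so a redirect that stays on the same host but changes port or scheme would still carry the custom Cookie header. Test 330 added in this patch also exercises only the different-host case. A later patch in this series (the CVE-2022-27776 fix) extends the comparison to port and protocol, which matters for anyone backporting this patch on its own. The enclosing `Curl_add_custom_headers` body and the rest of the condition continue outside the hunk.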
|
||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||
|
index e0f1ef4..77e85fd 100644
|
||
|
--- a/tests/data/Makefile.inc
|
||
|
+++ b/tests/data/Makefile.inc
|
||
|
@@ -56,7 +56,7 @@ test289 test290 test291 test292 test293 test294 test295 test296 test297 \
|
||
|
test298 test299 test300 test301 test302 test303 test304 test305 test306 \
|
||
|
test307 test308 test309 test310 test311 test312 test313 test314 test315 \
|
||
|
test316 test317 test318 test319 test320 test321 test322 test323 test324 \
|
||
|
-test325 test326 \
|
||
|
+test325 test326 test330 \
|
||
|
\
|
||
|
test340 \
|
||
|
\
|
||
|
diff --git a/tests/data/test330 b/tests/data/test330
|
||
|
new file mode 100644
|
||
|
index 0000000..74607d5
|
||
|
--- /dev/null
|
||
|
+++ b/tests/data/test330
|
||
|
@@ -0,0 +1,90 @@
|
||
|
+<testcase>
|
||
|
+<info>
|
||
|
+<keywords>
|
||
|
+HTTP
|
||
|
+followlocation
|
||
|
+cookies
|
||
|
+</keywords>
|
||
|
+</info>
|
||
|
+#
|
||
|
+# Server-side
|
||
|
+<reply>
|
||
|
+<data>
|
||
|
+HTTP/1.1 302 OK
|
||
|
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake swsclose
|
||
|
+Content-Type: text/html
|
||
|
+Funny-head: yesyes
|
||
|
+Location: http://goto.second.host.now/3170002
|
||
|
+Content-Length: 8
|
||
|
+Connection: close
|
||
|
+
|
||
|
+contents
|
||
|
+</data>
|
||
|
+<data2>
|
||
|
+HTTP/1.1 200 OK
|
||
|
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake swsclose
|
||
|
+Content-Type: text/html
|
||
|
+Funny-head: yesyes
|
||
|
+Content-Length: 9
|
||
|
+
|
||
|
+contents
|
||
|
+</data2>
|
||
|
+
|
||
|
+<datacheck>
|
||
|
+HTTP/1.1 302 OK
|
||
|
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake swsclose
|
||
|
+Content-Type: text/html
|
||
|
+Funny-head: yesyes
|
||
|
+Location: http://goto.second.host.now/3170002
|
||
|
+Content-Length: 8
|
||
|
+Connection: close
|
||
|
+
|
||
|
+HTTP/1.1 200 OK
|
||
|
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake swsclose
|
||
|
+Content-Type: text/html
|
||
|
+Funny-head: yesyes
|
||
|
+Content-Length: 9
|
||
|
+
|
||
|
+contents
|
||
|
+</datacheck>
|
||
|
+</reply>
|
||
|
+
|
||
|
+#
|
||
|
+# Client-side
|
||
|
+<client>
|
||
|
+<server>
|
||
|
+http
|
||
|
+</server>
|
||
|
+ <name>
|
||
|
+HTTP with custom Cookie: and redirect to new host
|
||
|
+ </name>
|
||
|
+ <command>
|
||
|
+http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Cookie: test=yes" --location
|
||
|
+</command>
|
||
|
+</client>
|
||
|
+
|
||
|
+#
|
||
|
+# Verify data after the test has been "shot"
|
||
|
+<verify>
|
||
|
+<strip>
|
||
|
+^User-Agent:.*
|
||
|
+</strip>
|
||
|
+<protocol>
|
||
|
+GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1
|
||
|
+Host: first.host.it.is
|
||
|
+Accept: */*
|
||
|
+Proxy-Connection: Keep-Alive
|
||
|
+Cookie: test=yes
|
||
|
+
|
||
|
+GET http://goto.second.host.now/3170002 HTTP/1.1
|
||
|
+Host: goto.second.host.now
|
||
|
+Accept: */*
|
||
|
+Proxy-Connection: Keep-Alive
|
||
|
+
|
||
|
+</protocol>
|
||
|
+</verify>
|
||
|
+</testcase>
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From a3f3855c8bf3a39ef0d86ef04087c200bca765f1 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Thu, 19 Dec 2019 16:45:53 +0100
|
||
|
Subject: [PATCH 2/6] sws: search for "Testno:" header uncondtionally if no
|
||
|
testno
|
||
|
|
||
|
Even if the initial request line wasn't found. With the fix to 1455, the
|
||
|
test number is now detected correctly.
|
||
|
|
||
|
(Problem found when running tests in random order.)
|
||
|
|
||
|
Closes #4744
|
||
|
|
||
|
Upstream-commit: 25b69c482f45c7acd817920bd8fdf68887be51a2
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
tests/data/test1455 | 3 ++-
|
||
|
tests/server/sws.c | 40 +++++++++++++++++++++++-----------------
|
||
|
2 files changed, 25 insertions(+), 18 deletions(-)
|
||
|
|
||
|
diff --git a/tests/data/test1455 b/tests/data/test1455
|
||
|
index 0b77dc4..25f742e 100644
|
||
|
--- a/tests/data/test1455
|
||
|
+++ b/tests/data/test1455
|
||
|
@@ -35,7 +35,7 @@ http
|
||
|
HTTP GET when PROXY Protocol enabled
|
||
|
</name>
|
||
|
<command>
|
||
|
-http://%HOSTIP:%HTTPPORT/1455 --haproxy-protocol
|
||
|
+http://%HOSTIP:%HTTPPORT/1455 --haproxy-protocol -H "Testno: 1455"
|
||
|
</command>
|
||
|
</client>
|
||
|
|
||
|
@@ -53,6 +53,7 @@ proxy-line
|
||
|
GET /1455 HTTP/1.1
|
||
|
Host: %HOSTIP:%HTTPPORT
|
||
|
Accept: */*
|
||
|
+Testno: 1455
|
||
|
|
||
|
</protocol>
|
||
|
</verify>
|
||
|
diff --git a/tests/server/sws.c b/tests/server/sws.c
|
||
|
index fbe7761..4ece830 100644
|
||
|
--- a/tests/server/sws.c
|
||
|
+++ b/tests/server/sws.c
|
||
|
@@ -367,6 +367,8 @@ static int parse_servercmd(struct httprequest *req)
|
||
|
|
||
|
filename = test2file(req->testno);
|
||
|
req->close = FALSE;
|
||
|
+ req->connmon = FALSE;
|
||
|
+
|
||
|
stream = fopen(filename, "rb");
|
||
|
if(!stream) {
|
||
|
error = errno;
|
||
|
@@ -391,8 +393,6 @@ static int parse_servercmd(struct httprequest *req)
|
||
|
return 1; /* done */
|
||
|
}
|
||
|
|
||
|
- req->connmon = FALSE;
|
||
|
-
|
||
|
cmd = orgcmd;
|
||
|
while(cmd && cmdsize) {
|
||
|
char *check;
|
||
|
@@ -548,12 +548,11 @@ static int ProcessRequest(struct httprequest *req)
|
||
|
snprintf(logbuf, sizeof(logbuf), "Requested test number %ld part %ld",
|
||
|
req->testno, req->partno);
|
||
|
logmsg("%s", logbuf);
|
||
|
-
|
||
|
- /* find and parse <servercmd> for this test */
|
||
|
- parse_servercmd(req);
|
||
|
}
|
||
|
- else
|
||
|
+ else {
|
||
|
+ logmsg("No test number");
|
||
|
req->testno = DOCNUMBER_NOTHING;
|
||
|
+ }
|
||
|
|
||
|
}
|
||
|
|
||
|
@@ -613,14 +612,6 @@ static int ProcessRequest(struct httprequest *req)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
- if(req->testno == DOCNUMBER_NOTHING) {
|
||
|
- /* check for a Testno: header with the test case number */
|
||
|
- char *testno = strstr(line, "\nTestno: ");
|
||
|
- if(testno) {
|
||
|
- req->testno = strtol(&testno[9], NULL, 10);
|
||
|
- logmsg("Found test number %d in Testno: header!", req->testno);
|
||
|
- }
|
||
|
- }
|
||
|
if(req->testno == DOCNUMBER_NOTHING) {
|
||
|
/* Still no test case number. Try to get the the number off the last dot
|
||
|
instead, IE we consider the TLD to be the test number. Test 123 can
|
||
|
@@ -661,8 +652,8 @@ static int ProcessRequest(struct httprequest *req)
|
||
|
}
|
||
|
}
|
||
|
else if((req->offset >= 3) && (req->testno == DOCNUMBER_NOTHING)) {
|
||
|
- logmsg("** Unusual request. Starts with %02x %02x %02x",
|
||
|
- line[0], line[1], line[2]);
|
||
|
+ logmsg("** Unusual request. Starts with %02x %02x %02x (%c%c%c)",
|
||
|
+ line[0], line[1], line[2], line[0], line[1], line[2]);
|
||
|
}
|
||
|
|
||
|
if(!end) {
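Review bot: The added `%c%c%c` prints the first three request bytes unfiltered into the server log, so control or non-ASCII bytes end up in the log as-is even though the `%02x` values already identify them. A guard such as `isprint((unsigned char)line[0]) ? line[0] : '.'` for each of the three arguments keeps the log readable; `<ctype.h>` would need to be in scope, which is not visible in this hunk. While these lines are being touched, casting the `%02x` arguments to `(unsigned char)` would also stop negative `char` values from printing as `ffffffxx`.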
|
||
|
@@ -670,7 +661,22 @@ static int ProcessRequest(struct httprequest *req)
|
||
|
logmsg("request not complete yet");
|
||
|
return 0; /* not complete yet */
|
||
|
}
|
||
|
- logmsg("- request found to be complete");
|
||
|
+ logmsg("- request found to be complete (%d)", req->testno);
|
||
|
+
|
||
|
+ if(req->testno == DOCNUMBER_NOTHING) {
|
||
|
+ /* check for a Testno: header with the test case number */
|
||
|
+ char *testno = strstr(line, "\nTestno: ");
|
||
|
+ if(testno) {
|
||
|
+ req->testno = strtol(&testno[9], NULL, 10);
|
||
|
+ logmsg("Found test number %d in Testno: header!", req->testno);
|
||
|
+ }
|
||
|
+ else {
|
||
|
+ logmsg("No Testno: header");
|
||
|
+ }
|
||
|
+ }
|
||
|
+
|
||
|
+ /* find and parse <servercmd> for this test */
|
||
|
+ parse_servercmd(req);
|
||
|
|
||
|
if(use_gopher) {
|
||
|
/* when using gopher we cannot check the request until the entire
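Review bot: `req->testno` is printed with `%d` in the new `"- request found to be complete (%d)"` line and in the moved `"Found test number %d in Testno: header!"` line, but earlier in this same function it is formatted with `%ld` (`"Requested test number %ld part %ld"`), so the type appears to be `long` and `%d` is a format mismatch. Both should read `%ld`; the second one is pre-existing in the moved block but this hunk is the place to fix it. `strtol(&testno[9], NULL, 10)` also accepts trailing garbage, which is acceptable for a test server but worth a comment. `ProcessRequest` continues outside the hunk.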
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 3772ea764c05a1cf37b96c091ae266138e8a2867 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Thu, 16 Apr 2020 14:16:22 +0200
|
||
|
Subject: [PATCH 3/6] runtests: always put test number in servercmd file
|
||
|
|
||
|
Upstream-commit: d1a2816b4128faa8ebc50ce93285c7364652856e
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
tests/runtests.pl | 10 +++-------
|
||
|
1 file changed, 3 insertions(+), 7 deletions(-)
|
||
|
|
||
|
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
||
|
index a0fd991..8d8ed81 100755
|
||
|
--- a/tests/runtests.pl
|
||
|
+++ b/tests/runtests.pl
|
||
|
@@ -3878,10 +3878,9 @@ sub singletest {
|
||
|
unlink($SERVER2IN);
|
||
|
unlink($PROXYIN);
|
||
|
|
||
|
- if(@ftpservercmd) {
|
||
|
- # write the instructions to file
|
||
|
- writearray($FTPDCMD, \@ftpservercmd);
|
||
|
- }
|
||
|
+ push @ftpservercmd, "Testnum $testnum\n";
|
||
|
+ # write the instructions to file
|
||
|
+ writearray($FTPDCMD, \@ftpservercmd);
|
||
|
|
||
|
# get the command line options to use
|
||
|
my @blaha;
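Review bot: The pushed `Testnum $testnum` line is now written into `$FTPDCMD` for every test, including tests whose server is the FTP test server, which presumably reads the same file; whether its command parser tolerates an unknown `Testnum` keyword is not visible on this page and should be confirmed. A short comment above the push, such as `# sws reads the test number from this file as a last resort`, would explain why the line is written even when `@ftpservercmd` is empty. `singletest` continues outside the hunk.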
|
||
|
@@ -4222,9 +4221,6 @@ sub singletest {
|
||
|
}
|
||
|
}
|
||
|
|
||
|
- # remove the test server commands file after each test
|
||
|
- unlink($FTPDCMD) if(-f $FTPDCMD);
|
||
|
-
|
||
|
# run the postcheck command
|
||
|
my @postcheck= getpart("client", "postcheck");
|
||
|
if(@postcheck) {
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From ac04f6feaa19c636aa09a1b50643d70a77be4465 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Thu, 14 May 2020 17:45:40 +0200
|
||
|
Subject: [PATCH 4/6] sws: as last resort, get test number from server cmd file
|
||
|
|
||
|
If it can't be found in the request. Also support --cmdfile to set it to
|
||
|
a custom file name.
|
||
|
|
||
|
runtests.pl always writes this file with the test number in it since a
|
||
|
while back.
|
||
|
|
||
|
Upstream-commit: a3b0699d5c110270f09ac51b5b465ca8753b35a9
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
tests/server/sws.c | 68 ++++++++++++++++++++++++++++++++++------------
|
||
|
1 file changed, 51 insertions(+), 17 deletions(-)
|
||
|
|
||
|
diff --git a/tests/server/sws.c b/tests/server/sws.c
|
||
|
index 4ece830..2696872 100644
|
||
|
--- a/tests/server/sws.c
|
||
|
+++ b/tests/server/sws.c
|
||
|
@@ -155,6 +155,10 @@ const char *serverlogfile = DEFAULT_LOGFILE;
|
||
|
#define REQUEST_PROXY_DUMP "log/proxy.input"
|
||
|
#define RESPONSE_PROXY_DUMP "log/proxy.response"
|
||
|
|
||
|
+/* file in which additional instructions may be found */
|
||
|
+#define DEFAULT_CMDFILE "log/ftpserver.cmd"
|
||
|
+const char *cmdfile = DEFAULT_CMDFILE;
|
||
|
+
|
||
|
/* very-big-path support */
|
||
|
#define MAXDOCNAMELEN 140000
|
||
|
#define MAXDOCNAMELEN_TXT "139999"
|
||
|
@@ -358,6 +362,24 @@ static bool socket_domain_is_ip(void)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
+/* parse the file on disk that might have a test number for us */
|
||
|
+static int parse_cmdfile(struct httprequest *req)
|
||
|
+{
|
||
|
+ int testnum = DOCNUMBER_NOTHING;
|
||
|
+ char buf[256];
|
||
|
+ FILE *f = fopen(cmdfile, FOPEN_READTEXT);
|
||
|
+ if(f) {
|
||
|
+ while(fgets(buf, sizeof(buf), f)) {
|
||
|
+ if(1 == sscanf(buf, "Testnum %d", &testnum)) {
|
||
|
+ logmsg("[%s] cmdfile says testnum %d", cmdfile, testnum);
|
||
|
+ req->testno = testnum;
|
||
|
+ }
|
||
|
+ }
|
||
|
+ fclose(f);
|
||
|
+ }
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
/* based on the testno, parse the correct server commands */
|
||
|
static int parse_servercmd(struct httprequest *req)
|
||
|
{
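Review bot: `parse_cmdfile()` always returns 0 and its caller in the later hunk ignores the value, so the `int` return carries no information; either make it `static void` or return whether a `Testnum` line was found so the caller can log the outcome. The loop also keeps scanning after a match, so when the file holds several `Testnum` lines the last one wins; that is fine but deserves a comment such as `/* the last Testnum line in the file wins */`. If `fopen` fails the function stays silent, which makes a wrong `--cmdfile` path hard to diagnose from the log.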
|
||
|
@@ -622,34 +644,41 @@ static int ProcessRequest(struct httprequest *req)
|
||
|
|
||
|
/* get the number after it */
|
||
|
if(ptr) {
|
||
|
+ long num;
|
||
|
ptr++; /* skip the dot */
|
||
|
|
||
|
- req->testno = strtol(ptr, &ptr, 10);
|
||
|
+ num = strtol(ptr, &ptr, 10);
|
||
|
|
||
|
- if(req->testno > 10000) {
|
||
|
- req->partno = req->testno % 10000;
|
||
|
- req->testno /= 10000;
|
||
|
+ if(num) {
|
||
|
+ req->testno = num;
|
||
|
+ if(req->testno > 10000) {
|
||
|
+ req->partno = req->testno % 10000;
|
||
|
+ req->testno /= 10000;
|
||
|
|
||
|
- logmsg("found test %d in requested host name", req->testno);
|
||
|
+ logmsg("found test %d in requested host name", req->testno);
|
||
|
|
||
|
+ }
|
||
|
+ else
|
||
|
+ req->partno = 0;
|
||
|
}
|
||
|
- else
|
||
|
- req->partno = 0;
|
||
|
|
||
|
- snprintf(logbuf, sizeof(logbuf),
|
||
|
- "Requested test number %ld part %ld (from host name)",
|
||
|
+ if(req->testno != DOCNUMBER_NOTHING) {
|
||
|
+ logmsg("Requested test number %ld part %ld (from host name)",
|
||
|
req->testno, req->partno);
|
||
|
- logmsg("%s", logbuf);
|
||
|
-
|
||
|
+ }
|
||
|
}
|
||
|
+ }
|
||
|
|
||
|
- if(!req->testno) {
|
||
|
- logmsg("Did not find test number in PATH");
|
||
|
- req->testno = DOCNUMBER_404;
|
||
|
- }
|
||
|
- else
|
||
|
- parse_servercmd(req);
|
||
|
+ if(req->testno == DOCNUMBER_NOTHING)
|
||
|
+ /* might get the test number */
|
||
|
+ parse_cmdfile(req);
|
||
|
+
|
||
|
+ if(req->testno == DOCNUMBER_NOTHING) {
|
||
|
+ logmsg("Did not find test number in PATH");
|
||
|
+ req->testno = DOCNUMBER_404;
|
||
|
}
|
||
|
+ else
|
||
|
+ parse_servercmd(req);
|
||
|
}
|
||
|
else if((req->offset >= 3) && (req->testno == DOCNUMBER_NOTHING)) {
|
||
|
logmsg("** Unusual request. Starts with %02x %02x %02x (%c%c%c)",
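Review bot: `"Did not find test number in PATH"` is now also the message when the host-name lookup and `parse_cmdfile()` both come up empty, so it no longer describes what was tried; `logmsg("Did not find test number in PATH, host name or cmdfile");` would match the new flow. Since `parse_cmdfile()` only sets `req->testno` on a match, the `DOCNUMBER_NOTHING` re-check after it is correct. The `if(num)` guard treats a parsed value of 0 as absent, which mirrors the old `if(!req->testno)` behaviour. `ProcessRequest` continues outside the hunk.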
|
||
|
@@ -2038,6 +2067,11 @@ int main(int argc, char *argv[])
|
||
|
if(argc>arg)
|
||
|
serverlogfile = argv[arg++];
|
||
|
}
|
||
|
+ else if(!strcmp("--cmdfile", argv[arg])) {
|
||
|
+ arg++;
|
||
|
+ if(argc>arg)
|
||
|
+ cmdfile = argv[arg++];
|
||
|
+ }
|
||
|
else if(!strcmp("--gopher", argv[arg])) {
|
||
|
arg++;
|
||
|
use_gopher = TRUE;
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 9fa56a1e3ae7feff14668d8abd892fa028a9f32e Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Mon, 25 Apr 2022 13:05:40 +0200
|
||
|
Subject: [PATCH 5/6] http: avoid auth/cookie on redirects same host diff port
|
||
|
|
||
|
CVE-2022-27776
|
||
|
|
||
|
Reported-by: Harry Sintonen
|
||
|
Bug: https://curl.se/docs/CVE-2022-27776.html
|
||
|
Closes #8749
|
||
|
|
||
|
Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
lib/http.c | 33 +++++++++++++++++++++------------
|
||
|
lib/urldata.h | 16 +++++++++-------
|
||
|
2 files changed, 30 insertions(+), 19 deletions(-)
|
||
|
|
||
|
diff --git a/lib/http.c b/lib/http.c
|
||
|
index 0b5e476..39fc7aa 100644
|
||
|
--- a/lib/http.c
|
||
|
+++ b/lib/http.c
|
||
|
@@ -688,6 +688,21 @@ output_auth_headers(struct connectdata *conn,
|
||
|
return CURLE_OK;
|
||
|
}
|
||
|
|
||
|
+/*
|
||
|
+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
||
|
+ * data" can (still) be sent to this host.
|
||
|
+ */
|
||
|
+static bool allow_auth_to_host(struct connectdata *conn)
|
||
|
+{
|
||
|
+ struct Curl_easy *data = conn->data;
|
||
|
+ return (!data->state.this_is_a_follow ||
|
||
|
+ data->set.allow_auth_to_other_hosts ||
|
||
|
+ (data->state.first_host &&
|
||
|
+ strcasecompare(data->state.first_host, conn->host.name) &&
|
||
|
+ (data->state.first_remote_port == conn->remote_port) &&
|
||
|
+ (data->state.first_remote_protocol == conn->handler->protocol)));
|
||
|
+}
|
||
|
+
|
||
|
/**
|
||
|
* Curl_http_output_auth() setups the authentication headers for the
|
||
|
* host/proxy and the correct authentication
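Review bot: The header comment of the new helper misspells "autentication", and it does not mention a behaviour change that the helper introduces at both call sites: the old inline checks let a follow with a NULL `first_host` send the credentials, whereas `allow_auth_to_host()` now denies it unless `allow_auth_to_other_hosts` is set. Suggested wording: `* allow_auth_to_host() tells if authentication, cookies or other "sensitive data" can (still) be sent to this host. A followed request with no recorded first host is refused (fail closed).` Making the fail-closed default explicit in the comment protects it from being "fixed" back later.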
|
||
|
@@ -756,15 +771,11 @@ Curl_http_output_auth(struct connectdata *conn,
|
||
|
with it */
|
||
|
authproxy->done = TRUE;
|
||
|
|
||
|
- /* To prevent the user+password to get sent to other than the original
|
||
|
- host due to a location-follow, we do some weirdo checks here */
|
||
|
- if(!data->state.this_is_a_follow ||
|
||
|
- conn->bits.netrc ||
|
||
|
- !data->state.first_host ||
|
||
|
- data->set.allow_auth_to_other_hosts ||
|
||
|
- strcasecompare(data->state.first_host, conn->host.name)) {
|
||
|
+ /* To prevent the user+password to get sent to other than the original host
|
||
|
+ due to a location-follow */
|
||
|
+ if(allow_auth_to_host(conn)
|
||
|
+ || conn->bits.netrc)
|
||
|
result = output_auth_headers(conn, authhost, request, path, FALSE);
|
||
|
- }
|
||
|
else
|
||
|
authhost->done = TRUE;
|
||
|
|
||
|
@@ -1778,10 +1789,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
|
||
|
checkprefix("Cookie:", headers->data)) &&
|
||
|
/* be careful of sending this potentially sensitive header to
|
||
|
other hosts */
|
||
|
- (data->state.this_is_a_follow &&
|
||
|
- data->state.first_host &&
|
||
|
- !data->set.allow_auth_to_other_hosts &&
|
||
|
- !strcasecompare(data->state.first_host, conn->host.name)))
|
||
|
+ !allow_auth_to_host(conn))
|
||
|
;
|
||
|
else {
|
||
|
result = Curl_add_bufferf(req_buffer, "%s\r\n", headers->data);
|
||
|
@@ -1937,6 +1945,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
|
||
|
return CURLE_OUT_OF_MEMORY;
|
||
|
|
||
|
data->state.first_remote_port = conn->remote_port;
|
||
|
+ data->state.first_remote_protocol = conn->handler->protocol;
|
||
|
}
|
||
|
http->writebytecount = http->readbytecount = 0;
|
||
|
|
||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||
|
index d3b971c..4bb0a84 100644
|
||
|
--- a/lib/urldata.h
|
||
|
+++ b/lib/urldata.h
|
||
|
@@ -1231,13 +1231,15 @@ struct UrlState {
|
||
|
bytes / second */
|
||
|
bool this_is_a_follow; /* this is a followed Location: request */
|
||
|
bool refused_stream; /* this was refused, try again */
|
||
|
- char *first_host; /* host name of the first (not followed) request.
|
||
|
- if set, this should be the host name that we will
|
||
|
- sent authorization to, no else. Used to make Location:
|
||
|
- following not keep sending user+password... This is
|
||
|
- strdup() data.
|
||
|
- */
|
||
|
- int first_remote_port; /* remote port of the first (not followed) request */
|
||
|
+
|
||
|
+ /* host name, port number and protocol of the first (not followed) request.
|
||
|
+ if set, this should be the host name that we will sent authorization to,
|
||
|
+ no else. Used to make Location: following not keep sending user+password.
|
||
|
+ This is strdup()ed data. */
|
||
|
+ char *first_host;
|
||
|
+ int first_remote_port;
|
||
|
+ unsigned int first_remote_protocol;
|
||
|
+
|
||
|
struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
|
||
|
long sessionage; /* number of the most recent session */
|
||
|
unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */
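Review bot: The merged comment now covers three fields but the sentence "This is strdup()ed data" is true only of `first_host`, and "that we will sent authorization to, no else" is ungrammatical. Suggested text: `/* host name, port number and protocol of the first (not followed) request. If set, this is the only origin that authorization and cookies are sent to; used to keep Location: following from leaking user+password. first_host is strdup()ed data. */` Keeping the ownership note tied to the one pointer field avoids a later reader expecting to free the integers.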
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From a8bb1e37e22788abaca37c59cf447d690fdcdfa4 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Mon, 25 Apr 2022 13:05:47 +0200
|
||
|
Subject: [PATCH 6/6] test898: verify the fix for CVE-2022-27776
|
||
|
|
||
|
Do not pass on Authorization headers on redirects to another port
|
||
|
|
||
|
Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
tests/data/Makefile.inc | 2 +-
|
||
|
tests/data/test898 | 91 +++++++++++++++++++++++++++++++++++++++++
|
||
|
2 files changed, 92 insertions(+), 1 deletion(-)
|
||
|
create mode 100644 tests/data/test898
|
||
|
|
||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||
|
index 77e85fd..58c9e31 100644
|
||
|
--- a/tests/data/Makefile.inc
|
||
|
+++ b/tests/data/Makefile.inc
|
||
|
@@ -99,7 +99,7 @@ test850 test851 test852 test853 test854 test855 test856 test857 test858 \
|
||
|
test859 test860 test861 test862 test863 test864 test865 test866 test867 \
|
||
|
test868 test869 test870 test871 test872 test873 test874 test875 test876 \
|
||
|
test877 test878 test879 test880 test881 test882 test883 test884 test885 \
|
||
|
-test886 test887 test888 test889 test890 test891 \
|
||
|
+test886 test887 test888 test889 test890 test891 test898 \
|
||
|
\
|
||
|
test900 test901 test902 test903 test904 test905 test906 test907 test908 \
|
||
|
test909 test910 test911 test912 test913 test914 test915 test916 test917 \
|
||
|
diff --git a/tests/data/test898 b/tests/data/test898
|
||
|
new file mode 100644
|
||
|
index 0000000..e295c26
|
||
|
--- /dev/null
|
||
|
+++ b/tests/data/test898
|
||
|
@@ -0,0 +1,91 @@
|
||
|
+<testcase>
|
||
|
+<info>
|
||
|
+<keywords>
|
||
|
+HTTP
|
||
|
+--location
|
||
|
+Authorization
|
||
|
+Cookie
|
||
|
+</keywords>
|
||
|
+</info>
|
||
|
+
|
||
|
+#
|
||
|
+# Server-side
|
||
|
+<reply>
|
||
|
+<data>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: http://firsthost.com:9999/a/path/8980002
|
||
|
+
|
||
|
+</data>
|
||
|
+<data2>
|
||
|
+HTTP/1.1 200 OK
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 4
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+
|
||
|
+hey
|
||
|
+</data2>
|
||
|
+
|
||
|
+<datacheck>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: http://firsthost.com:9999/a/path/8980002
|
||
|
+
|
||
|
+HTTP/1.1 200 OK
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 4
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+
|
||
|
+hey
|
||
|
+</datacheck>
|
||
|
+
|
||
|
+</reply>
|
||
|
+
|
||
|
+#
|
||
|
+# Client-side
|
||
|
+<client>
|
||
|
+<server>
|
||
|
+http
|
||
|
+</server>
|
||
|
+ <name>
|
||
|
+HTTP with custom auth and cookies redirected to HTTP on a diff port
|
||
|
+ </name>
|
||
|
+ <command>
|
||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
|
||
|
+</command>
|
||
|
+</client>
|
||
|
+
|
||
|
+#
|
||
|
+# Verify data after the test has been "shot"
|
||
|
+<verify>
|
||
|
+<strip>
|
||
|
+^User-Agent:.*
|
||
|
+</strip>
|
||
|
+<protocol>
|
||
|
+GET http://firsthost.com/ HTTP/1.1
|
||
|
+Host: firsthost.com
|
||
|
+Accept: */*
|
||
|
+Proxy-Connection: Keep-Alive
|
||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||
|
+Cookie: userpwd=am9lOnNlY3JldA==
|
||
|
+
|
||
|
+GET http://firsthost.com:9999/a/path/8980002 HTTP/1.1
|
||
|
+Host: firsthost.com:9999
|
||
|
+Accept: */*
|
||
|
+Proxy-Connection: Keep-Alive
|
||
|
+
|
||
|
+</protocol>
|
||
|
+</verify>
|
||
|
+</testcase>
|
||
|
--
|
||
|
2.34.1
|
||
|
|