Overview

File curl-CVE-2020-8284.patch of Package curl.26475

From 20ceeeeb6df4ad7444d0ac6f080557954e05ec1d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 24 Nov 2020 14:56:57 +0100
Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default

The command line tool also independently sets --ftp-skip-pasv-ip by
default.

Ten test cases updated to adapt the modified --libcurl output.

Bug: https://curl.se/docs/CVE-2020-8284.html
CVE-2020-8284

Reported-by: Varnavas Papaioannou
---
 lib/url.c                                    |   1 +
 src/tool_cfgable.c                           |   1 +
 tests/data/test1400                          |   1 +
 tests/data/test1401                          |   1 +
 tests/data/test1402                          |   1 +
 tests/data/test1403                          |   1 +
 tests/data/test1404                          |   1 +
 tests/data/test1405                          |   1 +
 tests/data/test1406                          |   1 +
 tests/data/test1407                          |   1 +

Index: curl-7.37.0/lib/url.c
===================================================================
--- curl-7.37.0.orig/lib/url.c
+++ curl-7.37.0/lib/url.c
@@ -510,6 +510,7 @@ CURLcode Curl_init_userdefined(struct Us
   set->ftp_use_eprt = TRUE;   /* FTP defaults to EPRT operations */
   set->ftp_use_pret = FALSE;  /* mainly useful for drftpd servers */
   set->ftp_filemethod = FTPFILE_MULTICWD;
+  set->ftp_skip_ip = TRUE;    /* skip PASV IP by default */
 
   set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
 
Index: curl-7.37.0/src/tool_cfgable.c
===================================================================
--- curl-7.37.0.orig/src/tool_cfgable.c
+++ curl-7.37.0/src/tool_cfgable.c
@@ -39,6 +39,7 @@ void config_init(struct OperationConfig*
   config->proto_redir =
     CURLPROTO_ALL & ~(CURLPROTO_FILE|CURLPROTO_SCP); /* not FILE or SCP */
   config->proto_redir_present = FALSE;
+  config->ftp_skip_ip = TRUE;
 }
 
 static void free_config_fields(struct OperationConfig *config)
Index: curl-7.37.0/tests/data/test1400
===================================================================
--- curl-7.37.0.orig/tests/data/test1400
+++ curl-7.37.0/tests/data/test1400
@@ -69,6 +69,7 @@ int main(int argc, char *argv[])
   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
 
   /* Here is a list of options the curl code used that cannot get generated
Index: curl-7.37.0/tests/data/test1401
===================================================================
--- curl-7.37.0.orig/tests/data/test1401
+++ curl-7.37.0/tests/data/test1401
@@ -85,6 +85,7 @@ int main(int argc, char *argv[])
   curl_easy_setopt(hnd, CURLOPT_HTTPAUTH, (long)CURLAUTH_BASIC);
   curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
   curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
                                            (long)CURLPROTO_FTP |
Index: curl-7.37.0/tests/data/test1402
===================================================================
--- curl-7.37.0.orig/tests/data/test1402
+++ curl-7.37.0/tests/data/test1402
@@ -76,6 +76,7 @@ int main(int argc, char *argv[])
   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
 
   /* Here is a list of options the curl code used that cannot get generated
Index: curl-7.37.0/tests/data/test1403
===================================================================
--- curl-7.37.0.orig/tests/data/test1403
+++ curl-7.37.0/tests/data/test1403
@@ -71,6 +71,7 @@ int main(int argc, char *argv[])
   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
 
   /* Here is a list of options the curl code used that cannot get generated
Index: curl-7.37.0/tests/data/test1404
===================================================================
--- curl-7.37.0.orig/tests/data/test1404
+++ curl-7.37.0/tests/data/test1404
@@ -125,6 +125,7 @@ int main(int argc, char *argv[])
   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
 
   /* Here is a list of options the curl code used that cannot get generated
Index: curl-7.37.0/tests/data/test1405
===================================================================
--- curl-7.37.0.orig/tests/data/test1405
+++ curl-7.37.0/tests/data/test1405
@@ -86,6 +86,7 @@ int main(int argc, char *argv[])
   curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
   curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
 
   /* Here is a list of options the curl code used that cannot get generated
Index: curl-7.37.0/tests/data/test1406
===================================================================
--- curl-7.37.0.orig/tests/data/test1406
+++ curl-7.37.0/tests/data/test1406
@@ -79,6 +79,7 @@ int main(int argc, char *argv[])
   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
   curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
   curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
Index: curl-7.37.0/tests/data/test1407
===================================================================
--- curl-7.37.0.orig/tests/data/test1407
+++ curl-7.37.0/tests/data/test1407
@@ -60,6 +60,7 @@ int main(int argc, char *argv[])
   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
 
   /* Here is a list of options the curl code used that cannot get generated
openSUSE Build Service is sponsored by
Places