File curl-CVE-2024-11053.patch of Package curl.37304
From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 15 Nov 2024 11:06:36 +0100
Subject: [PATCH] netrc: address several netrc parser flaws
- make sure that a match that returns a username also returns a
password, that should be blank if no password is found
- fix handling of multiple logins for same host where the password/login
order might be reversed.
- reject credentials provided in the .netrc if they contain ASCII control
codes - if the used protocol does not support such (like HTTP and WS do)
Reported-by: Harry Sintonen
Add test 478, 479 and 480 to verify. Updated unit 1304.
Closes #15586
---
lib/netrc.c | 113 +++++++++++++++++++++++------------------
lib/url.c | 60 +++++++++++++++-------
lib/urldata.h | 2 ++
Index: curl-7.37.0/lib/netrc.c
===================================================================
--- curl-7.37.0.orig/lib/netrc.c
+++ curl-7.37.0/lib/netrc.c
@@ -174,6 +174,13 @@ int Curl_parsenetrc(const char *host,
state = HOSTFOUND;
state_our_login = FALSE;
}
+ else if(Curl_raw_equal("default", tok)) {
+ state = HOSTVALID;
+ retcode = 0; /* we did find our host */
+ free(*passwordp);
+ if(!specific_login)
+ free(*loginp);
+ }
break;
} /* switch (state) */
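Review bot: The new `default` branch calls `free(*passwordp)` and `free(*loginp)` but leaves both caller-visible pointers dangling. If no replacement value is stored afterwards, the caller gets a freed pointer together with `retcode = 0`. Any later `login`/`password` handling that frees the old value before storing a new one would free it a second time; that code is outside this hunk, so this is inferred. Clear each pointer as it is released: `free(*passwordp); *passwordp = NULL;` and `if(!specific_login) { free(*loginp); *loginp = NULL; }`. The enclosing switch in Curl_parsenetrc starts outside the hunk.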
@@ -182,6 +189,12 @@ int Curl_parsenetrc(const char *host,
} /* while fgets() */
out:
+ if(!retcode && !passwordp && state_our_login) {
+ /* success without a password, set a blank one */
+ *passwordp = strdup("");
+ if(!*passwordp)
+ retcode = 1; /* out of memory */
+ }
fclose(file);
}
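Review bot: The guard added at `out:` tests `!passwordp`, the address of the out-parameter, instead of `!*passwordp`, the stored password. As written, the branch never runs when the caller passes a valid pointer, so the blank password promised in the commit message is never set. It runs only when `passwordp` is NULL, and then `*passwordp = strdup("")` dereferences that NULL. The condition should read `if(!retcode && !*passwordp && state_our_login) {`. That fix relies on `*passwordp` being NULL when no password was stored, which the plain `free(*passwordp)` in the `default` branch of the first netrc.c hunk does not ensure.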
Index: curl-7.37.0/lib/url.c
===================================================================
--- curl-7.37.0.orig/lib/url.c
+++ curl-7.37.0/lib/url.c
@@ -4972,6 +4972,17 @@ static CURLcode parse_remote_port(struct
return CURLE_OK;
}
+static bool str_has_ctrl(const char *input)
+{
+ const unsigned char *str = (const unsigned char *)input;
+ while(*str) {
+ if(*str < 0x20)
+ return TRUE;
+ str++;
+ }
+ return FALSE;
+}
+
/*
* Override the login details from the URL with that in the CURLOPT_USERPWD
* option or a .netrc file, if applicable.
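Review bot: `str_has_ctrl` dereferences `input` without a NULL check and has no comment stating its contract. The only callers visible in this patch pass `*userp` and `*passwdp` straight after the netrc lookup, and the blank-password fallback in netrc.c is what is meant to keep the password non-NULL. A first line of `if(!input) return FALSE;` would keep this helper from crashing if that guarantee fails. A one-line header comment should say that it returns TRUE when the NUL-terminated string holds any byte below 0x20, and that 0x7f (DEL) is deliberately not treated as a control code, if that is the intent.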
@@ -5015,11 +5026,18 @@ static CURLcode override_login(struct Se
return CURLE_OUT_OF_MEMORY;
}
else {
+ if(!(conn->handler->flags & PROTOPT_USERPWDCTRL)) {
+ /* if the protocol can't handle control codes in credentials, make
+ sure there are none */
+ if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) {
+ failf(data, "control code detected in .netrc credentials");
+ return CURLE_READ_ERROR;
+ }
+ }
/* set bits.netrc TRUE to remember that we got the name from a .netrc
file, so that it is safe to use even if we followed a Location: to a
different host or similar. */
conn->bits.netrc = TRUE;
-
conn->bits.user_passwd = TRUE; /* enable user+password */
}
}
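Review bot: The test `conn->handler->flags & PROTOPT_USERPWDCTRL` depends on a flag that this patch defines in urldata.h, yet the diffstat lists no file where a `Curl_handler` would set it. If no handler in this tree sets it, .netrc credentials containing control bytes are rejected for every protocol, not only for those the commit message names. That is the safe direction, but the comment should say so, for example `/* no handler in this backport sets PROTOPT_USERPWDCTRL, so this applies to all protocols */`. The `return CURLE_READ_ERROR;` leaves override_login early, and the function's start and end are outside this hunk, so it is worth confirming that nothing allocated earlier in the function is left unreleased on that path.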
Index: curl-7.37.0/lib/urldata.h
===================================================================
--- curl-7.37.0.orig/lib/urldata.h
+++ curl-7.37.0/lib/urldata.h
@@ -815,6 +815,8 @@ struct Curl_handler {
#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login credentials per
request instead of per connection */
+#define PROTOPT_USERPWDCTRL (1<<13) /* Allow "control bytes" (< 32 ascii) in
+ user name and password */
/* return the count of bytes sent, or -1 on error */
typedef ssize_t (Curl_send)(struct connectdata *conn, /* connection data */