File curl-CVE-2021-22876.patch of Package curl.21972

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2021-22876.patch of Package curl.21972

From 3dec1183be112e587f89edc059c1c11cf8fdc0ae Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Tue, 23 Feb 2021 14:54:46 +0100
Subject: [PATCH] transfer: strip credentials from the auto-referer header field

---

From f65d7889b5c8eeefbb9f41c7588199be18b38a20 Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Fri, 19 Feb 2021 16:17:44 +0000
Subject: [PATCH] http: add new files missed from referrer commit

---

From 6bb028dbda6cbfe83f66de773544f71e4813160f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 29 Mar 2021 09:32:14 +0200
Subject: [PATCH] transfer: clear 'referer' in declaration

---

From fb30ac5a2d63773c529c19259754e2b306ac2e2e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 5 Aug 2018 11:51:07 +0200
Subject: [PATCH] URL-API

Index: curl-7.60.0/lib/transfer.c
===================================================================
--- curl-7.60.0.orig/lib/transfer.c
+++ curl-7.60.0/lib/transfer.c
@@ -1757,6 +1757,10 @@ CURLcode Curl_follow(struct Curl_easy *d
       data->set.followlocation++; /* count location-followers */
 
       if(data->set.http_auto_referer) {
+        CURLU *u;
+        CURLUcode uc;
+        char *referer = NULL;
+
         /* We are asked to automatically set the previous URL as the referer
            when we get the next URL. We pick the ->url field, which may or may
            not be 100% correct */
@@ -1766,9 +1770,27 @@ CURLcode Curl_follow(struct Curl_easy *d
           data->change.referer_alloc = FALSE;
         }
 
-        data->change.referer = strdup(data->change.url);
-        if(!data->change.referer)
+        /* Make a copy of the URL without crenditals and fragment */
+        u = curl_url();
+        if(!u)
+          return CURLE_OUT_OF_MEMORY;
+
+        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
+        if(!uc)
+          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
+
+        curl_url_cleanup(u);
+
+        if(uc != CURLUE_OK || !referer)
           return CURLE_OUT_OF_MEMORY;
+
+        data->change.referer = referer;
         data->change.referer_alloc = TRUE; /* yes, free this later */
       }
     }
Index: curl-7.60.0/tests/data/Makefile.inc
===================================================================
--- curl-7.60.0.orig/tests/data/Makefile.inc
+++ curl-7.60.0/tests/data/Makefile.inc
@@ -196,5 +196,5 @@ test2056 test2057 test2058 test2059 test
 test2064 test2065 test2066 test2067 test2068 test2069 \
 \
 test2070 test2071 test2072 test2073 \
-\
+test2081 \
 test3000 test3001
Index: curl-7.60.0/tests/data/test2081
===================================================================
--- /dev/null
+++ curl-7.60.0/tests/data/test2081
@@ -0,0 +1,69 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+referer
+followlocation
+--write-out
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 301 This is a weirdo text message swsclose
+Location: data/20810002.txt?coolsite=yes
+Content-Length: 62
+Connection: close
+
+This server reply is for testing a simple Location: following
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+Automatic referrer credential and anchor stripping check
+ </name>
+ <command>
+http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/2081#anchor --location --referer ';auto'
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<errorcode>
+52
+</errorcode>
+<protocol>
+GET /we/want/our/2081 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic dXNlcjpwYXNz
+User-Agent: curl/%VERSION
+Accept: */*
+Referer: 
+
+GET /we/want/our/data/20810002.txt?coolsite=yes HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic dXNlcjpwYXNz
+User-Agent: curl/%VERSION
+Accept: */*
+Referer: http://%HOSTIP:%HTTPPORT/we/want/our/2081
+
+</protocol>
+<stdout>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Location: data/20810002.txt?coolsite=yes
+Content-Length: 62
+Connection: close
+
+</stdout>
+</verify>
+</testcase>

Places

File curl-CVE-2021-22876.patch of Package curl.21972

Places