File curl-CVE-2015-3153.patch of Package curl.5786

From 66efef4ebd1a51a3782028ae46bc83909f49e0f9 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 23 Apr 2015 15:58:21 +0200
Subject: [PATCH] CURLOPT_HEADEROPT: default to separate

Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.

Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
---
 lib/url.c               | 1 +
 tests/data/test1527     | 2 +-
 tests/data/test287      | 2 +-
 tests/libtest/lib1527.c | 1 +
 4 files changed, 4 insertions(+), 2 deletions(-)

Index: curl-7.37.0/lib/url.c
===================================================================
--- curl-7.37.0.orig/lib/url.c	2015-04-29 10:54:11.331036557 +0200
+++ curl-7.37.0/lib/url.c	2015-04-29 10:55:04.481764011 +0200
@@ -580,6 +580,7 @@ CURLcode Curl_init_userdefined(struct Us
   set->ssl_enable_alpn = TRUE;
 
   set->expect_100_timeout = 1000L; /* Wait for a second by default. */
+  set->sep_headers = TRUE; /* separatated header lists by default */
   return res;
 }
 
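Review bot: The comment on the added `set->sep_headers = TRUE;` line misspells "separated" and does not record why this default matters. Under the previous unified default, headers an application set with CURLOPT_HTTPHEADER (which may carry credentials such as Authorization or Cookie) were also sent to the proxy in a CONNECT request. I would put that in the comment, e.g. `/* CURLHEADER_SEPARATE by default: CURLOPT_HTTPHEADER headers are kept out of proxy CONNECT requests */`. Applications that relied on the old behaviour now need CURLOPT_PROXYHEADER or an explicit CURLHEADER_UNIFIED, which the option's documentation should mention. Curl_init_userdefined starts above the hunk, so the other defaults it sets are not visible here.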
Index: curl-7.37.0/tests/data/test1527
===================================================================
--- curl-7.37.0.orig/tests/data/test1527	2015-04-29 10:54:10.218021326 +0200
+++ curl-7.37.0/tests/data/test1527	2015-04-29 10:54:11.331036557 +0200
@@ -45,7 +45,7 @@ http-proxy
 lib1527
 </tool>
  <name>
-Check same headers are generated without CURLOPT_PROXYHEADER
+Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
  </name>
  <command>
  http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
Index: curl-7.37.0/tests/data/test287
===================================================================
--- curl-7.37.0.orig/tests/data/test287	2015-04-29 10:54:10.218021326 +0200
+++ curl-7.37.0/tests/data/test287	2015-04-29 10:54:11.331036557 +0200
@@ -28,7 +28,7 @@ http
 HTTP proxy CONNECT with custom User-Agent header
  </name>
  <command>
-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
+http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
 </command>
 </client>
 
Index: curl-7.37.0/tests/libtest/lib1527.c
===================================================================
--- curl-7.37.0.orig/tests/libtest/lib1527.c	2015-04-29 10:54:10.218021326 +0200
+++ curl-7.37.0/tests/libtest/lib1527.c	2015-04-29 10:54:11.331036557 +0200
@@ -83,6 +83,7 @@ int test(char *URL)
   test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
   test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
   test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
+  test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
 
   res = curl_easy_perform(curl);
 
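Review bot: The added call passes `CURLHEADER_UNIFIED` to a variadic setopt without a cast, while CURLOPT_HEADEROPT takes a long and the neighbouring CURLOPT_HTTPPROXYTUNNEL call uses `1L`. Assuming the constant is a plain integer macro in curl.h, the library would read a long where an int was passed, so I would write `test_setopt(curl, CURLOPT_HEADEROPT, (long)CURLHEADER_UNIFIED);`. With this line test 1527 covers only the legacy unified mode, so a short comment such as `/* opt back into the old behaviour: CURLOPT_HTTPHEADER headers also go to the proxy */` would make the intent clear. It is also worth confirming that another test exercises the new separate default through libcurl. test() begins and ends outside the hunk.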