File curl-CVE-2021-22876.patch of Package curl.25570

From 3dec1183be112e587f89edc059c1c11cf8fdc0ae Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Tue, 23 Feb 2021 14:54:46 +0100
Subject: [PATCH] transfer: strip credentials from the auto-referer header
 field

CVE-2021-22876
Bug: https://curl.se/docs/CVE-2021-22876.html

Index: curl-7.66.0/lib/transfer.c
===================================================================
--- curl-7.66.0.orig/lib/transfer.c
+++ curl-7.66.0/lib/transfer.c
@@ -1568,6 +1568,9 @@ CURLcode Curl_follow(struct Curl_easy *d
       data->set.followlocation++; /* count location-followers */
 
       if(data->set.http_auto_referer) {
+        CURLU *u;
+        char *referer = NULL;
+
         /* We are asked to automatically set the previous URL as the referer
            when we get the next URL. We pick the ->url field, which may or may
            not be 100% correct */
@@ -1577,9 +1580,27 @@ CURLcode Curl_follow(struct Curl_easy *d
           data->change.referer_alloc = FALSE;
         }
 
-        data->change.referer = strdup(data->change.url);
-        if(!data->change.referer)
+        /* Make a copy of the URL without crenditals and fragment */
+        u = curl_url();
+        if(!u)
+          return CURLE_OUT_OF_MEMORY;
+
+        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
+        if(!uc)
+          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
+
+        curl_url_cleanup(u);
+
+        if(uc || !referer)
           return CURLE_OUT_OF_MEMORY;
+
+        data->change.referer = referer;
         data->change.referer_alloc = TRUE; /* yes, free this later */
       }
     }
openSUSE Build Service is sponsored by