File curl-CVE-2021-22876.patch of Package curl.25570
From 3dec1183be112e587f89edc059c1c11cf8fdc0ae Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Tue, 23 Feb 2021 14:54:46 +0100
Subject: [PATCH] transfer: strip credentials from the auto-referer header
field
CVE-2021-22876
Bug: https://curl.se/docs/CVE-2021-22876.html
Index: curl-7.66.0/lib/transfer.c
===================================================================
--- curl-7.66.0.orig/lib/transfer.c
+++ curl-7.66.0/lib/transfer.c
@@ -1568,6 +1568,9 @@ CURLcode Curl_follow(struct Curl_easy *d
data->set.followlocation++; /* count location-followers */
if(data->set.http_auto_referer) {
+ CURLU *u;
+ char *referer = NULL;
+
/* We are asked to automatically set the previous URL as the referer
when we get the next URL. We pick the ->url field, which may or may
not be 100% correct */
@@ -1577,9 +1580,27 @@ CURLcode Curl_follow(struct Curl_easy *d
data->change.referer_alloc = FALSE;
}
- data->change.referer = strdup(data->change.url);
- if(!data->change.referer)
+ /* Make a copy of the URL without crenditals and fragment */
+ u = curl_url();
+ if(!u)
+ return CURLE_OUT_OF_MEMORY;
+
+ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
+ if(!uc)
+ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
+ if(!uc)
+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
+ if(!uc)
+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
+ if(!uc)
+ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
+
+ curl_url_cleanup(u);
+
+ if(uc || !referer)
return CURLE_OUT_OF_MEMORY;
+
+ data->change.referer = referer;
data->change.referer_alloc = TRUE; /* yes, free this later */
}
}