File curl-CVE-2023-28322.patch of Package curl.28980
From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 25 Apr 2023 08:28:01 +0200
Subject: [PATCH] lib: unify the upload/method handling
By making sure we set state.upload based on the set.method value and not
independently as set.upload, we reduce confusion and mixup risks, both
internally and externally.
Closes #11017
---
 lib/curl_rtmp.c    | 4 ++--
 lib/file.c         | 4 ++--
 lib/ftp.c          | 8 ++++----
 lib/http.c         | 4 ++--
 lib/imap.c         | 6 +++---
 lib/rtsp.c         | 4 ++--
 lib/setopt.c       | 6 ++----
 lib/smb.c          | 6 +++---
 lib/smtp.c         | 4 ++--
 lib/tftp.c         | 8 ++++----
 lib/transfer.c     | 4 ++--
 lib/urldata.h      | 2 +-
 lib/vssh/libssh.c  | 6 +++---
 lib/vssh/libssh2.c | 6 +++---
 lib/vssh/wolfssh.c | 2 +-
 15 files changed, 36 insertions(+), 38 deletions(-)
Index: curl-7.66.0/lib/curl_rtmp.c
===================================================================
--- curl-7.66.0.orig/lib/curl_rtmp.c
+++ curl-7.66.0/lib/curl_rtmp.c
@@ -213,7 +213,7 @@ static CURLcode rtmp_connect(struct conn
   /* We have to know if it's a write before we send the
    * connect request packet
    */
-  if(conn->data->set.upload)
+  if(conn->data->state.upload)
     r->Link.protocol |= RTMP_FEATURE_WRITE;
 
   /* For plain streams, use the buffer toggle trick to keep data flowing */
@@ -245,7 +245,7 @@ static CURLcode rtmp_do(struct connectda
   if(!RTMP_ConnectStream(r, 0))
     return CURLE_FAILED_INIT;
 
-  if(conn->data->set.upload) {
+  if(conn->data->state.upload) {
     Curl_pgrsSetUploadSize(data, data->state.infilesize);
     Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET);
   }
Index: curl-7.66.0/lib/file.c
===================================================================
--- curl-7.66.0.orig/lib/file.c
+++ curl-7.66.0/lib/file.c
@@ -196,7 +196,7 @@ static CURLcode file_connect(struct conn
   file->freepath = real_path; /* free this when done */
 
   file->fd = fd;
-  if(!data->set.upload && (fd == -1)) {
+  if(!data->state.upload && (fd == -1)) {
     failf(data, "Couldn't open file %s", data->state.up.path);
     file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE);
     return CURLE_FILE_COULDNT_READ_FILE;
@@ -388,7 +388,7 @@ static CURLcode file_do(struct connectda
 
   Curl_pgrsStartNow(data);
 
-  if(data->set.upload)
+  if(data->state.upload)
     return file_upload(conn);
 
   file = conn->data->req.protop;
Index: curl-7.66.0/lib/ftp.c
===================================================================
--- curl-7.66.0.orig/lib/ftp.c
+++ curl-7.66.0/lib/ftp.c
@@ -1368,7 +1368,7 @@ static CURLcode ftp_state_prepare_transf
                 data->set.str[STRING_CUSTOMREQUEST]:
                 (data->set.ftp_list_only?"NLST":"LIST"));
       }
-      else if(data->set.upload) {
+      else if(data->state.upload) {
         PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file);
       }
       else {
@@ -3286,7 +3286,7 @@ static CURLcode ftp_done(struct connectd
     /* the response code from the transfer showed an error already so no
        use checking further */
     ;
-  else if(data->set.upload) {
+  else if(data->state.upload) {
     if((-1 != data->state.infilesize) &&
        (data->state.infilesize != data->req.writebytecount) &&
        !data->set.crlf &&
@@ -3554,7 +3554,7 @@ static CURLcode ftp_do_more(struct conne
                            connected back to us */
       }
     }
-    else if(data->set.upload) {
+    else if(data->state.upload) {
       result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE);
       if(result)
         return result;
@@ -4240,7 +4240,7 @@ CURLcode ftp_parse_url_path(struct conne
     ftpc->file = NULL; /* instead of point to a zero byte, we make it a NULL
                           pointer */
 
-  if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
+  if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
     /* We need a file name when uploading. Return error! */
     failf(data, "Uploading to a URL without a file name!");
     return CURLE_URL_MALFORMAT;
Index: curl-7.66.0/lib/http.c
===================================================================
--- curl-7.66.0.orig/lib/http.c
+++ curl-7.66.0/lib/http.c
@@ -2084,7 +2084,7 @@ CURLcode Curl_http(struct connectdata *c
   }
 
   if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
-     data->set.upload) {
+     data->state.upload) {
     httpreq = HTTPREQ_PUT;
   }
 
@@ -2265,7 +2265,7 @@ CURLcode Curl_http(struct connectdata *c
     if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
        (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
          http->postsize < 0) ||
-        ((data->set.upload || httpreq == HTTPREQ_POST) &&
+        ((data->state.upload || httpreq == HTTPREQ_POST) &&
          data->state.infilesize == -1))) {
       if(conn->bits.authneg)
         /* don't enable chunked during auth neg */
Index: curl-7.66.0/lib/imap.c
===================================================================
--- curl-7.66.0.orig/lib/imap.c
+++ curl-7.66.0/lib/imap.c
@@ -1472,11 +1472,11 @@ static CURLcode imap_done(struct connect
     result = status;         /* use the already set error code */
   }
   else if(!data->set.connect_only && !imap->custom &&
-          (imap->uid || imap->mindex || data->set.upload ||
+          (imap->uid || imap->mindex || data->state.upload ||
           data->set.mimepost.kind != MIMEKIND_NONE)) {
     /* Handle responses after FETCH or APPEND transfer has finished */
 
-    if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
+    if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
       state(conn, IMAP_FETCH_FINAL);
     else {
       /* End the APPEND command first by sending an empty line */
@@ -1542,7 +1542,7 @@ static CURLcode imap_perform(struct conn
     selected = TRUE;
 
   /* Start the first command in the DO phase */
-  if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
+  if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
     /* APPEND can be executed directly */
     result = imap_perform_append(conn);
   else if(imap->custom && (selected || !imap->mailbox))
Index: curl-7.66.0/lib/rtsp.c
===================================================================
--- curl-7.66.0.orig/lib/rtsp.c
+++ curl-7.66.0/lib/rtsp.c
@@ -499,7 +499,7 @@ static CURLcode rtsp_do(struct connectda
      rtspreq == RTSPREQ_SET_PARAMETER ||
      rtspreq == RTSPREQ_GET_PARAMETER) {
 
-    if(data->set.upload) {
+    if(data->state.upload) {
       putsize = data->state.infilesize;
       data->set.httpreq = HTTPREQ_PUT;
 
@@ -518,7 +518,7 @@ static CURLcode rtsp_do(struct connectda
         result =
           Curl_add_bufferf(&req_buffer,
                            "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
-                           (data->set.upload ? putsize : postsize));
+                           (data->state.upload ? putsize : postsize));
         if(result)
           return result;
       }
Index: curl-7.66.0/lib/setopt.c
===================================================================
--- curl-7.66.0.orig/lib/setopt.c
+++ curl-7.66.0/lib/setopt.c
@@ -258,8 +258,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *
      * We want to sent data to the remote host. If this is HTTP, that equals
      * using the PUT request.
      */
-    data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE;
-    if(data->set.upload) {
+    arg = va_arg(param, long);
+    if(arg) {
       /* If this is HTTP, PUT is what's needed to "upload" */
       data->set.httpreq = HTTPREQ_PUT;
       data->set.opt_no_body = FALSE; /* this is implied */
@@ -486,7 +486,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *
     }
     else
       data->set.httpreq = HTTPREQ_GET;
-    data->set.upload = FALSE;
     break;
 
   case CURLOPT_COPYPOSTFIELDS:
@@ -797,7 +796,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *
      */
     if(va_arg(param, long)) {
       data->set.httpreq = HTTPREQ_GET;
-      data->set.upload = FALSE; /* switch off upload */
       data->set.opt_no_body = FALSE; /* this is implied */
     }
     break;
Index: curl-7.66.0/lib/smb.c
===================================================================
--- curl-7.66.0.orig/lib/smb.c
+++ curl-7.66.0/lib/smb.c
@@ -516,7 +516,7 @@ static CURLcode smb_send_open(struct con
   byte_count = strlen(req->path);
   msg.name_length = smb_swap16((unsigned short)byte_count);
   msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
-  if(conn->data->set.upload) {
+  if(conn->data->state.upload) {
     msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
     msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
   }
@@ -791,7 +791,7 @@ static CURLcode smb_request_state(struct
     smb_m = (const struct smb_nt_create_response*) msg;
     req->fid = smb_swap16(smb_m->fid);
     conn->data->req.offset = 0;
-    if(conn->data->set.upload) {
+    if(conn->data->state.upload) {
       conn->data->req.size = conn->data->state.infilesize;
       Curl_pgrsSetUploadSize(conn->data, conn->data->req.size);
       next_state = SMB_UPLOAD;
Index: curl-7.66.0/lib/smtp.c
===================================================================
--- curl-7.66.0.orig/lib/smtp.c
+++ curl-7.66.0/lib/smtp.c
@@ -1210,7 +1210,7 @@ static CURLcode smtp_done(struct connect
     result = status;         /* use the already set error code */
   }
   else if(!data->set.connect_only && data->set.mail_rcpt &&
-          (data->set.upload || data->set.mimepost.kind)) {
+          (data->state.upload || data->set.mimepost.kind)) {
     /* Calculate the EOB taking into account any terminating CRLF from the
        previous line of the email or the CRLF of the DATA command when there
        is "no mail data". RFC-5321, sect. 4.1.1.4.
@@ -1297,7 +1297,7 @@ static CURLcode smtp_perform(struct conn
   smtp->eob = 2;
 
   /* Start the first command in the DO phase */
-  if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
+  if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
     /* MAIL transfer */
     result = smtp_perform_mail(conn);
   else
Index: curl-7.66.0/lib/tftp.c
===================================================================
--- curl-7.66.0.orig/lib/tftp.c
+++ curl-7.66.0/lib/tftp.c
@@ -390,7 +390,7 @@ static CURLcode tftp_parse_option_ack(tf
 
       /* tsize should be ignored on upload: Who cares about the size of the
          remote file? */
-      if(!data->set.upload) {
+      if(!data->state.upload) {
         if(!tsize) {
           failf(data, "invalid tsize -:%s:- value in OACK packet", value);
           return CURLE_TFTP_ILLEGAL;
@@ -470,7 +470,7 @@ static CURLcode tftp_send_first(tftp_sta
       return result;
     }
 
-    if(data->set.upload) {
+    if(data->state.upload) {
       /* If we are uploading, send an WRQ */
       setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
       state->conn->data->req.upload_fromhere =
@@ -505,7 +505,7 @@ static CURLcode tftp_send_first(tftp_sta
     if(!data->set.tftp_no_options) {
       char buf[64];
       /* add tsize option */
-      if(data->set.upload && (data->state.infilesize != -1))
+      if(data->state.upload && (data->state.infilesize != -1))
         msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
                   data->state.infilesize);
       else
@@ -559,7 +559,7 @@ static CURLcode tftp_send_first(tftp_sta
     break;
 
   case TFTP_EVENT_OACK:
-    if(data->set.upload) {
+    if(data->state.upload) {
       result = tftp_connect_for_tx(state, event);
     }
     else {
Index: curl-7.66.0/lib/transfer.c
===================================================================
--- curl-7.66.0.orig/lib/transfer.c
+++ curl-7.66.0/lib/transfer.c
@@ -1402,6 +1402,7 @@ void Curl_init_CONNECT(struct Curl_easy
 {
   data->state.fread_func = data->set.fread_func_set;
   data->state.in = data->set.in_set;
+  data->state.upload = (data->set.httpreq == HTTPREQ_PUT);
 }
 
 /*
@@ -1768,7 +1769,7 @@ CURLcode Curl_retry_request(struct conne
 
   /* if we're talking upload, we can't do the checks below, unless the protocol
      is HTTP as when uploading over HTTP we will still get a response */
-  if(data->set.upload &&
+  if(data->state.upload &&
      !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)))
     return CURLE_OK;
 
Index: curl-7.66.0/lib/urldata.h
===================================================================
--- curl-7.66.0.orig/lib/urldata.h
+++ curl-7.66.0/lib/urldata.h
@@ -1395,6 +1395,7 @@ struct UrlState {
                   invoked twice when the multi interface is used. */
   bit stream_depends_e:1; /* set or don't set the Exclusive bit */
   bit previouslypending:1; /* this transfer WAS in the multi->pending queue */
+  bit upload:1;         /* upload request */
 };
 
 
@@ -1733,7 +1734,6 @@ struct UserDefined {
   bit http_auto_referer:1; /* set "correct" referer when following
                                location: */
   bit opt_no_body:1;    /* as set with CURLOPT_NOBODY */
-  bit upload:1;         /* upload request */
   bit verbose:1;        /* output verbosity */
   bit krb:1;            /* Kerberos connection requested */
   bit reuse_forbid:1;   /* forbidden to be reused, close after use */
Index: curl-7.66.0/lib/vssh/libssh.c
===================================================================
--- curl-7.66.0.orig/lib/vssh/libssh.c
+++ curl-7.66.0/lib/vssh/libssh.c
@@ -1072,7 +1072,7 @@ static CURLcode myssh_statemach_act(stru
     }
 
     case SSH_SFTP_TRANS_INIT:
-      if(data->set.upload)
+      if(data->state.upload)
         state(conn, SSH_SFTP_UPLOAD_INIT);
       else {
         if(protop->path[strlen(protop->path)-1] == '/')
@@ -1682,7 +1682,7 @@ static CURLcode myssh_statemach_act(stru
       /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */
       ssh_set_blocking(sshc->ssh_session, 1);
 
-      if(data->set.upload) {
+      if(data->state.upload) {
         if(data->state.infilesize < 0) {
           failf(data, "SCP requires a known file size for upload");
           sshc->actualcode = CURLE_UPLOAD_FAILED;
@@ -1783,7 +1783,7 @@ static CURLcode myssh_statemach_act(stru
         break;
       }
     case SSH_SCP_DONE:
-      if(data->set.upload)
+      if(data->state.upload)
         state(conn, SSH_SCP_SEND_EOF);
       else
         state(conn, SSH_SCP_CHANNEL_FREE);
Index: curl-7.66.0/lib/vssh/libssh2.c
===================================================================
--- curl-7.66.0.orig/lib/vssh/libssh2.c
+++ curl-7.66.0/lib/vssh/libssh2.c
@@ -1630,7 +1630,7 @@ static CURLcode ssh_statemach_act(struct
     }
 
     case SSH_SFTP_TRANS_INIT:
-      if(data->set.upload)
+      if(data->state.upload)
         state(conn, SSH_SFTP_UPLOAD_INIT);
       else {
         if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
@@ -2332,7 +2332,7 @@ static CURLcode ssh_statemach_act(struct
         break;
       }
 
-      if(data->set.upload) {
+      if(data->state.upload) {
         if(data->state.infilesize < 0) {
           failf(data, "SCP requires a known file size for upload");
           sshc->actualcode = CURLE_UPLOAD_FAILED;
@@ -2470,7 +2470,7 @@ static CURLcode ssh_statemach_act(struct
     break;
 
     case SSH_SCP_DONE:
-      if(data->set.upload)
+      if(data->state.upload)
         state(conn, SSH_SCP_SEND_EOF);
       else
         state(conn, SSH_SCP_CHANNEL_FREE);