File curl-CVE-2020-8284.patch of Package curl.25399
From 20ceeeeb6df4ad7444d0ac6f080557954e05ec1d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 24 Nov 2020 14:56:57 +0100
Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
The command line tool also independently sets --ftp-skip-pasv-ip by
default.
Ten test cases updated to adapt the modified --libcurl output.
Bug: https://curl.se/docs/CVE-2020-8284.html
CVE-2020-8284
Reported-by: Varnavas Papaioannou
---
docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
lib/url.c | 1 +
src/tool_cfgable.c | 1 +
tests/data/test1400 | 1 +
tests/data/test1401 | 1 +
tests/data/test1402 | 1 +
tests/data/test1403 | 1 +
tests/data/test1404 | 1 +
tests/data/test1405 | 1 +
tests/data/test1406 | 1 +
tests/data/test1407 | 1 +
tests/data/test1420 | 1 +
Index: curl-7.60.0/docs/cmdline-opts/ftp-skip-pasv-ip.d
===================================================================
--- curl-7.60.0.orig/docs/cmdline-opts/ftp-skip-pasv-ip.d
+++ curl-7.60.0/docs/cmdline-opts/ftp-skip-pasv-ip.d
@@ -9,4 +9,6 @@ to curl's PASV command when curl connect
will re-use the same IP address it already uses for the control
connection.
+Since curl 7.74.0 this option is enabled by default.
+
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
Index: curl-7.60.0/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
===================================================================
--- curl-7.60.0.orig/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
+++ curl-7.60.0/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
@@ -5,7 +5,7 @@
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -36,11 +36,13 @@ address it already uses for the control
number from the 227-response.
This option thus allows libcurl to work around broken server installations
-that due to NATs, firewalls or incompetence report the wrong IP address back.
+that due to NATs, firewalls or incompetence report the wrong IP address
+back. Setting the option also reduces the risk for various sorts of client
+abuse by malicious servers.
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
.SH DEFAULT
-0
+1 since 7.74.0, was 0 before then.
.SH PROTOCOLS
FTP
.SH EXAMPLE
Index: curl-7.60.0/lib/url.c
===================================================================
--- curl-7.60.0.orig/lib/url.c
+++ curl-7.60.0/lib/url.c
@@ -437,6 +437,7 @@ CURLcode Curl_init_userdefined(struct Cu
set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
set->ftp_filemethod = FTPFILE_MULTICWD;
+ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
Index: curl-7.60.0/src/tool_cfgable.c
===================================================================
--- curl-7.60.0.orig/src/tool_cfgable.c
+++ curl-7.60.0/src/tool_cfgable.c
@@ -43,6 +43,7 @@ void config_init(struct OperationConfig*
config->proto_default = NULL;
config->tcp_nodelay = TRUE; /* enabled by default */
config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
+ config->ftp_skip_ip = TRUE;
}
static void free_config_fields(struct OperationConfig *config)
Index: curl-7.60.0/tests/data/test1400
===================================================================
--- curl-7.60.0.orig/tests/data/test1400
+++ curl-7.60.0/tests/data/test1400
@@ -74,6 +74,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
Index: curl-7.60.0/tests/data/test1401
===================================================================
--- curl-7.60.0.orig/tests/data/test1401
+++ curl-7.60.0/tests/data/test1401
@@ -90,6 +90,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
(long)CURLPROTO_FTP |
Index: curl-7.60.0/tests/data/test1402
===================================================================
--- curl-7.60.0.orig/tests/data/test1402
+++ curl-7.60.0/tests/data/test1402
@@ -81,6 +81,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
Index: curl-7.60.0/tests/data/test1403
===================================================================
--- curl-7.60.0.orig/tests/data/test1403
+++ curl-7.60.0/tests/data/test1403
@@ -76,6 +76,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
Index: curl-7.60.0/tests/data/test1404
===================================================================
--- curl-7.60.0.orig/tests/data/test1404
+++ curl-7.60.0/tests/data/test1404
@@ -145,6 +145,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
Index: curl-7.60.0/tests/data/test1405
===================================================================
--- curl-7.60.0.orig/tests/data/test1405
+++ curl-7.60.0/tests/data/test1405
@@ -90,6 +90,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
Index: curl-7.60.0/tests/data/test1406
===================================================================
--- curl-7.60.0.orig/tests/data/test1406
+++ curl-7.60.0/tests/data/test1406
@@ -81,6 +81,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_HEADER, 1L);
curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
Index: curl-7.60.0/tests/data/test1407
===================================================================
--- curl-7.60.0.orig/tests/data/test1407
+++ curl-7.60.0/tests/data/test1407
@@ -63,6 +63,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
Index: curl-7.60.0/tests/data/test1420
===================================================================
--- curl-7.60.0.orig/tests/data/test1420
+++ curl-7.60.0/tests/data/test1420
@@ -68,6 +68,7 @@ int main(int argc, char *argv[])
curl_easy_setopt(hnd, CURLOPT_HEADER, 1L);
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
/* Here is a list of options the curl code used that cannot get generated
Index: curl-7.60.0/tests/data/test1139
===================================================================
--- curl-7.60.0.orig/tests/data/test1139
+++ curl-7.60.0/tests/data/test1139
@@ -15,13 +15,19 @@ documentation
none
</server>
- <name>
+<name>
Verify that all libcurl options have man pages
- </name>
+</name>
<command type="perl">
%SRCDIR/manpage-scan.pl %SRCDIR/.. %PWD/..
</command>
</client>
+<verify>
+<stderr>
+0
+</stderr>
+</verify>
+
</testcase>
Index: curl-7.60.0/tests/manpage-scan.pl
===================================================================
--- curl-7.60.0.orig/tests/manpage-scan.pl
+++ curl-7.60.0/tests/manpage-scan.pl
@@ -286,4 +286,4 @@ foreach my $o (keys %opts) {
}
}
-exit $errors;
+print STDERR "$errors\n";