Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
curl.25569
curl-CVE-2022-32205.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2022-32205.patch of Package curl.25569
From 48d7064a49148f03942380967da739dcde1cdc24 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Sun, 26 Jun 2022 11:00:48 +0200 Subject: [PATCH] cookie: apply limits - Send no more than 150 cookies per request - Cap the max length used for a cookie: header to 8K - Cap the max number of received Set-Cookie: headers to 50 Bug: https://curl.se/docs/CVE-2022-32205.html CVE-2022-32205 Reported-by: Harry Sintonen Closes #9048 --- lib/cookie.c | 14 ++++++++++++-- lib/cookie.h | 21 +++++++++++++++++++-- lib/http.c | 13 +++++++++++-- lib/urldata.h | 1 + 4 files changed, 43 insertions(+), 6 deletions(-) Index: curl-7.79.1/lib/cookie.c =================================================================== --- curl-7.79.1.orig/lib/cookie.c +++ curl-7.79.1/lib/cookie.c @@ -469,6 +469,10 @@ Curl_cookie_add(struct Curl_easy *data, (void)data; #endif + DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ + if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) + return NULL; + /* First, alloc and init a new struct for it */ co = calloc(1, sizeof(struct Cookie)); if(!co) @@ -808,7 +812,7 @@ Curl_cookie_add(struct Curl_easy *data, freecookie(co); return NULL; } - + data->req.setcookies++; } else { /* @@ -1346,7 +1350,8 @@ static struct Cookie *dup_cookie(struct * * It shall only return cookies that haven't expired. */ -struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, +struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, + struct CookieInfo *c, const char *host, const char *path, bool secure) { @@ -1401,6 +1406,11 @@ struct Cookie *Curl_cookie_getlist(struc mainco = newco; matches++; + if(matches >= MAX_COOKIE_SEND_AMOUNT) { + infof(data, "Included max number of cookies (%u) in request!", + matches); + break; + } } else goto fail; Index: curl-7.79.1/lib/cookie.h =================================================================== --- curl-7.79.1.orig/lib/cookie.h +++ curl-7.79.1/lib/cookie.h @@ -81,10 +81,26 @@ struct CookieInfo { */ #define MAX_COOKIE_LINE 5000 -/* This is the maximum length of a cookie name or content we deal with: */ +/* Maximum length of an incoming cookie name or content we deal with. Longer + cookies are ignored. */ #define MAX_NAME 4096 #define MAX_NAME_TXT "4095" +/* Maximum size for an outgoing cookie line libcurl will use in an http + request. This is the default maximum length used in some versions of Apache + httpd. */ +#define MAX_COOKIE_HEADER_LEN 8190 + +/* Maximum number of cookies libcurl will send in a single request, even if + there might be more cookies that match. One reason to cap the number is to + keep the maximum HTTP request within the maximum allowed size. */ +#define MAX_COOKIE_SEND_AMOUNT 150 + +/* Maximum number of Set-Cookie: lines accepted in a single response. If more + such header lines are received, they are ignored. This value must be less + than 256 since an unsigned char is used to count. */ +#define MAX_SET_COOKIE_AMOUNT 50 + struct Curl_easy; /* * Add a cookie to the internal list of cookies. The domain and path arguments @@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Cu const char *domain, const char *path, bool secure); -struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, +struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, + struct CookieInfo *c, const char *host, const char *path, bool secure); void Curl_cookie_freelist(struct Cookie *cookies); void Curl_cookie_clearall(struct CookieInfo *cookies); Index: curl-7.79.1/lib/http.c =================================================================== --- curl-7.79.1.orig/lib/http.c +++ curl-7.79.1/lib/http.c @@ -2713,6 +2713,7 @@ CURLcode Curl_http_cookies(struct Curl_e { CURLcode result = CURLE_OK; char *addcookies = NULL; + bool linecap = FALSE; if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(data, "Cookie")) addcookies = data->set.str[STRING_COOKIE]; @@ -2729,7 +2730,7 @@ CURLcode Curl_http_cookies(struct Curl_e !strcmp(host, "127.0.0.1") || !strcmp(host, "[::1]") ? TRUE : FALSE; Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); - co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, + co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, secure_context); Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); } @@ -2743,6 +2744,13 @@ CURLcode Curl_http_cookies(struct Curl_e if(result) break; } + if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= + MAX_COOKIE_HEADER_LEN) { + infof(data, "Restricted outgoing cookies due to header size, " + "'%s' not sent", co->name); + linecap = TRUE; + break; + } result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", co->name, co->value); if(result) @@ -2753,7 +2761,7 @@ CURLcode Curl_http_cookies(struct Curl_e } Curl_cookie_freelist(store); } - if(addcookies && !result) { + if(addcookies && !result && !linecap) { if(!count) result = Curl_dyn_add(r, "Cookie: "); if(!result) { Index: curl-7.79.1/lib/urldata.h =================================================================== --- curl-7.79.1.orig/lib/urldata.h +++ curl-7.79.1/lib/urldata.h @@ -705,6 +705,7 @@ struct SingleRequest { #ifndef CURL_DISABLE_DOH struct dohdata *doh; /* DoH specific data for this request */ #endif + unsigned char setcookies; BIT(header); /* incoming data has HTTP header */ BIT(content_range); /* set TRUE if Content-Range: was found */ BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
