packages/curl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-22876

Browse Source
This commit is contained in:
xielhxie 2021-04-08 18:41:52 +08:00
parent 6ff617a2a0
commit b9e8f11e55
2 changed files with 158 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
backport-CVE-2021-22876.patch Normal file
View File

@ -0,0 +1,150 @@
From 7214288898f5625a6cc196e22a74232eada7861c Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Tue, 23 Feb 2021 14:54:46 +0100
Subject: [PATCH] transfer: strip credentials from the auto-referer header
field
Added test 2081 to verify.
CVE-2021-22876
Bug: https://curl.se/docs/CVE-2021-22876.html
---
lib/transfer.c | 25 ++++++++++++++--
tests/data/Makefile.inc | 2 +-
tests/data/test2081 | 66 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 90 insertions(+), 3 deletions(-)
create mode 100644 tests/data/test2081
diff --git a/lib/transfer.c b/lib/transfer.c
index 1976bc033..a68c021c8 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1582,6 +1582,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
data->set.followlocation++; /* count location-followers */
if(data->set.http_auto_referer) {
+ CURLU *u;
+ char *referer;
+
/* We are asked to automatically set the previous URL as the referer
when we get the next URL. We pick the ->url field, which may or may
not be 100% correct */
@@ -1591,9 +1594,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
data->change.referer_alloc = FALSE;
}
- data->change.referer = strdup(data->change.url);
- if(!data->change.referer)
+ /* Make a copy of the URL without crenditals and fragment */
+ u = curl_url();
+ if(!u)
+ return CURLE_OUT_OF_MEMORY;
+
+ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
+ if(!uc)
+ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
+ if(!uc)
+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
+ if(!uc)
+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
+ if(!uc)
+ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
+
+ curl_url_cleanup(u);
+
+ if(uc || referer == NULL)
return CURLE_OUT_OF_MEMORY;
+
+ data->change.referer = referer;
data->change.referer_alloc = TRUE; /* yes, free this later */
}
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 2c7a0ca89..ea52683d2 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -221,7 +221,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \
test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
test2078 \
-test2080 \
+test2080 test2081 \
test2100 \
\
test3000 test3001 \
diff --git a/tests/data/test2081 b/tests/data/test2081
new file mode 100644
index 000000000..a6733e737
--- /dev/null
+++ b/tests/data/test2081
@@ -0,0 +1,66 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+referer
+followlocation
+--write-out
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 301 This is a weirdo text message swsclose
+Location: data/%TESTNUMBER0002.txt?coolsite=yes
+Content-Length: 62
+Connection: close
+
+This server reply is for testing a simple Location: following
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+Automatic referrer credential and anchor stripping check
+ </name>
+ <command>
+http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+52
+</errorcode>
+<protocol>
+GET /we/want/our/%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic dXNlcjpwYXNz
+User-Agent: curl/%VERSION
+Accept: */*
+
+GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic dXNlcjpwYXNz
+User-Agent: curl/%VERSION
+Accept: */*
+Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
+
+</protocol>
+<stdout>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Location: data/%TESTNUMBER0002.txt?coolsite=yes
+Content-Length: 62
+Connection: close
+
+http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
+</stdout>
+</verify>
+</testcase>
--
2.23.0

9
curl.spec
View File

@ -6,7 +6,7 @@
Name: curl Name: curl
Version: 7.71.1 Version: 7.71.1
Release: 6 Release: 7
Summary: Curl is used in command lines or scripts to transfer data Summary: Curl is used in command lines or scripts to transfer data
License: MIT License: MIT
URL: https://curl.haxx.se/ URL: https://curl.haxx.se/
@ -22,6 +22,7 @@ Patch108: 0108-curl-fix-CVE-2020-8231.patch
Patch109: backport-CVE-2020-8284.patch Patch109: backport-CVE-2020-8284.patch
Patch110: backport-CVE-2020-8285.patch Patch110: backport-CVE-2020-8285.patch
Patch111: backport-CVE-2020-8286.patch Patch111: backport-CVE-2020-8286.patch
Patch112: backport-CVE-2021-22876.patch
BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel
BuildRequires: libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel BuildRequires: libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel
@ -163,6 +164,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_mandir}/man3/* %{_mandir}/man3/*
%changelog %changelog
* Thu Apr 8 2021 xieliuhua <xieliuhua@huawei.com> - 7.71.1-7
- Type:CVE
- CVE:CVE-2021-22876
- SUG:NA
- DESC:fix CVE-2021-22876
* Tue Jan 26 2021 wangxiaopeng <wangxiaopeng7@huawei.com> - 7.71.1-6 * Tue Jan 26 2021 wangxiaopeng <wangxiaopeng7@huawei.com> - 7.71.1-6
- Type:CVE - Type:CVE
- CVE:CVE-2020-8285 - CVE:CVE-2020-8285