Description: Fix CVE-2021-38165
CVE-2021-38165: If Lynx is given an HTTPS URL which included username
and password, e.g. https://username:password@www.example.org/,
username and password were sent over the wire in clear text if the
TLS 1.2 Server Name Indication (SNI) extension was used.
.
This patch is extracted from upstream's patch from 2.9.0dev.8 to
2.9.0dev.9 to fix this issue.
Origin: https://invisible-mirror.net/archives/lynx/patches/lynx2.9.0dev.9.patch.gz
Author: Thomas E. Dickey <dickey@invisible-island.net>
Reviewed-By: Axel Beckert <abe@debian.org>
Bug-Debian: https://bugs.debian.org/991971
Bug: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html
Bug: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
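--- a/WWW/Library/Implementation/HTTP.c
+++ b/WWW/Library/Implementation/HTTP.c
@@ -762,6 +762,23 @@
 }
 #endif
 
+/*
+ * Remove user/password, if any, from the given host-string.
+ */
+#ifdef USE_SSL
+static char *StripUserAuthents(char *host)
+{
+ char *p = strchr(host, '@');
+
+ if (p != NULL) {
+ char *q = host;
+
+ while ((*q++ = *++p) != '\0') ;
+ }
+ return host;
+}
+#endif
+
 /* Load Document from HTTP Server HTLoadHTTP()
  * ==============================
  *
@@ -957,6 +974,7 @@
 /* get host we're connecting to */
 ssl_host = HTParse(url, "", PARSE_HOST);
 ssl_host = StripIpv6Brackets(ssl_host);
+ ssl_host = StripUserAuthents(ssl_host);
 #if defined(USE_GNUTLS_FUNCS)
 ret = gnutls_server_name_set(handle->gnutls_state,
 GNUTLS_NAME_DNS,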
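Review bot: `StripUserAuthents()` cuts at the first `@` (`strchr`), so if the authority ever carries an unescaped `@` inside the userinfo, the text after that first `@` (part of the password) would remain in `ssl_host` and still reach the cleartext SNI name set in the second hunk. Splitting at the last `@` is the more conservative choice, since a host name cannot contain one: `char *p = strrchr(host, '@');`. Whether `HTParse(url, "", PARSE_HOST)` can return such a string is not visible in this patch, so treat this as a hardening suggestion rather than a confirmed leak. The helper's comment could also state that it edits the buffer in place and returns the same pointer, e.g. `* Remove user/password, if any, from the given host-string (modified in place; returns host).`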