!32 fix CVE-2020-25097

From: @eaglegai Reviewed-by: @zengwefeng Signed-off-by: @zengwefeng
2021-04-01 10:13:07 +08:00 · 2021-04-01 10:13:07 +08:00 · 3445986d53
commit 3445986d53
parent f676e32d1a df7193611e
2 changed files with 68 additions and 1 deletions
--- a/backport-CVE-2020-25097.patch
+++ b/backport-CVE-2020-25097.patch
@ -0,0 +1,60 @@
+From dfd818595b54942cb1adc45f6aed95c9b706e3a8 Mon Sep 17 00:00:00 2001
+From: Amos Jeffries <yadij@users.noreply.github.com>
+Date: Fri, 4 Sep 2020 17:38:30 +1200
+Subject: [PATCH] Merge pull request from GHSA-jvf6-h9gj-pmj6
+
+* Add slash prefix to path-rootless or path-noscheme URLs
+
+* Update src/anyp/Uri.cc
+
+Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
+
+* restore file trailer GH auto-removes
+
+* Remove redundant path-empty check
+
+* Removed stale comment left behind by b2ab59a
+
+Many things imply a leading `/` in a URI. Their enumeration is likely to
+(and did) become stale, misleading the reader.
+
+* fixup: Remind that the `src` iterator may be at its end
+
+We are dereferencing `src` without comparing it to `\0`.
+To many readers that (incorrectly) implies that we are not done iterating yet.
+
+Also fixed branch-added comment indentation.
+
+Co-authored-by: Alex Rousskov <rousskov@measurement-factory.com>
+---
+ src/anyp/Uri.cc | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc
+index 72dddb64aa..88fd83ee2d 100644
+--- a/src/anyp/Uri.cc
+++ b/src/anyp/Uri.cc
+@@ -343,8 +343,9 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl)
+                 return false;
+             *dst = '\0';
+ 
+-            // bug 3074: received 'path' starting with '?', '#', or '\0' implies '/'
+-            if (*src == '?' || *src == '#' || *src == '\0') {
+            // We are looking at path-abempty.
+            if (*src != '/') {
+                // path-empty, including the end of the `src` c-string cases
+                 urlpath[0] = '/';
+                 dst = &urlpath[1];
+             } else {
+@@ -358,11 +359,6 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl)
+             /* We -could- be at the end of the buffer here */
+             if (i > l)
+                 return false;
+-            /* If the URL path is empty we set it to be "/" */
+-            if (dst == urlpath) {
+-                *dst = '/';
+-                ++dst;
+-            }
+             *dst = '\0';
+ 
+             foundPort = scheme.defaultPort(); // may be reset later
--- a/squid.spec
+++ b/squid.spec
@ -2,7 +2,7 @@

 Name:     squid
 Version:  4.9
-Release:  6
+Release:  7
 Summary:  The Squid proxy caching server
 Epoch:    7
 License:  GPLv2+ and (LGPLv2+ and MIT and BSD and Public Domain)
@ -33,6 +33,7 @@ Patch12:CVE-2020-15049.patch
 Patch13:CVE-2020-15810.patch
 Patch14:CVE-2020-15811.patch
 Patch15:CVE-2020-24606.patch
+Patch16:backport-CVE-2020-25097.patch

 Buildroot: %{_tmppath}/squid-4.9-1-root-%(%{__id_u} -n)
 Requires: bash >= 2.0
@ -211,6 +212,12 @@ fi
    chgrp squid /var/cache/samba/winbindd_privileged >/dev/null 2>&1 || :

 %changelog
+* Wed Mar 31 2021 gaihuiying <gaihuiying1@huawei.com> - 4.9-7
+- Type:cves
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2020-25097 
+
 * Wed Mar 17 2021 openEuler Buildteam <buildteam@openeuler.org> - 4.9-6
 - Type:cves
 - ID:CVE-2020-14058, CVE-2020-15049, CVE-2020-15810, CVE-2020-15811, CVE-2020-24606