Resolves: CVE-2016-8624 - urlparse: accept '#' as end of host name
This commit is contained in:
parent
6c0c913605
commit
8cc82f17a1
162
0013-curl-7.47.1-CVE-2016-8624.patch
Normal file
162
0013-curl-7.47.1-CVE-2016-8624.patch
Normal file
@ -0,0 +1,162 @@
|
|||||||
|
From 0eefde2bae1576ec5a4eca30bd1abbe0fc1be3ea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 11 Oct 2016 00:48:35 +0200
|
||||||
|
Subject: [PATCH 1/2] urlparse: accept '#' as end of host name
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
|
||||||
|
for the '/' document with the rest of the URL being a fragment.
|
||||||
|
|
||||||
|
CVE-2016-8624
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/adv_20161102J.html
|
||||||
|
Reported-by: Fernando Muñoz
|
||||||
|
|
||||||
|
Upstream-commit: 3bb273db7e40ebc284cff45f3ce3f0475c8339c2
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 10 +++++-----
|
||||||
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index ff99c58..ff14dad 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -4086,7 +4086,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
|
||||||
|
path[0]=0;
|
||||||
|
|
||||||
|
if(2 > sscanf(data->change.url,
|
||||||
|
- "%15[^\n:]://%[^\n/?]%[^\n]",
|
||||||
|
+ "%15[^\n:]://%[^\n/?#]%[^\n]",
|
||||||
|
protobuf,
|
||||||
|
conn->host.name, path)) {
|
||||||
|
|
||||||
|
@@ -4094,7 +4094,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
|
||||||
|
* The URL was badly formatted, let's try the browser-style _without_
|
||||||
|
* protocol specified like 'http://'.
|
||||||
|
*/
|
||||||
|
- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
|
||||||
|
+ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
|
||||||
|
if(1 > rc) {
|
||||||
|
/*
|
||||||
|
* We couldn't even get this format.
|
||||||
|
@@ -4184,10 +4184,10 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If the URL is malformatted (missing a '/' after hostname before path) we
|
||||||
|
- * insert a slash here. The only letter except '/' we accept to start a path
|
||||||
|
- * is '?'.
|
||||||
|
+ * insert a slash here. The only letters except '/' that can start a path is
|
||||||
|
+ * '?' and '#' - as controlled by the two sscanf() patterns above.
|
||||||
|
*/
|
||||||
|
- if(path[0] == '?') {
|
||||||
|
+ if(path[0] != '/') {
|
||||||
|
/* We need this function to deal with overlapping memory areas. We know
|
||||||
|
that the memory area 'path' points to is 'urllen' bytes big and that
|
||||||
|
is bigger than the path. Use +1 to move the zero byte too. */
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
||||||
|
|
||||||
|
From c0304cbed088744f3c72a93b29bb58c8bc92d48a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 11 Oct 2016 00:54:51 +0200
|
||||||
|
Subject: [PATCH 2/2] test1246: verify URL parsing with host name ending with
|
||||||
|
'#'
|
||||||
|
|
||||||
|
Upstream-commit: 42b650b9ea5f26b2f5347af3072eaf690658ed62
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test1246 | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 65 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test1246
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 7321ad5..b4bec03 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -126,7 +126,7 @@ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
|
||||||
|
test1216 test1217 test1218 test1219 \
|
||||||
|
test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
|
||||||
|
test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
|
||||||
|
-test1236 test1237 test1238 test1239 test1240 test1241 \
|
||||||
|
+test1236 test1237 test1238 test1239 test1240 test1241 test1246 \
|
||||||
|
\
|
||||||
|
test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
|
||||||
|
test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \
|
||||||
|
diff --git a/tests/data/test1246 b/tests/data/test1246
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..6565929
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test1246
|
||||||
|
@@ -0,0 +1,64 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+# verify URL with hostname ending in pound sign
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+HTTP GET
|
||||||
|
+HTTP proxy
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Content-Length: 6
|
||||||
|
+Connection: close
|
||||||
|
+
|
||||||
|
+-foo-
|
||||||
|
+</data>
|
||||||
|
+
|
||||||
|
+<data1>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Content-Length: 7
|
||||||
|
+Connection: close
|
||||||
|
+
|
||||||
|
+-cool-
|
||||||
|
+</data1>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+URL with '#' at end of host name instead of '/'
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+--proxy http://%HOSTIP:%HTTPPORT http://test.remote.haxx.se.1246:%HTTPPORT#@127.0.0.1/tricked.html no-scheme-url.com.1246:%HTTPPORT#@127.127.127.127/again.html
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<strip>
|
||||||
|
+^User-Agent:.*
|
||||||
|
+</strip>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://test.remote.haxx.se.1246:%HTTPPORT/ HTTP/1.1
|
||||||
|
+Host: test.remote.haxx.se.1246:%HTTPPORT
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+GET http://no-scheme-url.com.1246:%HTTPPORT/ HTTP/1.1
|
||||||
|
+Host: no-scheme-url.com.1246:%HTTPPORT
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
@ -28,6 +28,9 @@ Patch11: 0011-curl-7.47.1-find-slot-race.patch
|
|||||||
# reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
|
# reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
|
||||||
Patch12: 0012-curl-7.47.1-CVE-2016-7167.patch
|
Patch12: 0012-curl-7.47.1-CVE-2016-7167.patch
|
||||||
|
|
||||||
|
# urlparse: accept '#' as end of host name (CVE-2016-8624)
|
||||||
|
Patch13: 0013-curl-7.47.1-CVE-2016-8624.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -148,6 +151,7 @@ documentation of the library, too.
|
|||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
|
%patch13 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -264,6 +268,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
|
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
|
||||||
|
- urlparse: accept '#' as end of host name (CVE-2016-8624)
|
||||||
- run autoreconf in %%prep to avoid patching Makefile.in files from now on
|
- run autoreconf in %%prep to avoid patching Makefile.in files from now on
|
||||||
|
|
||||||
* Wed Sep 14 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-8
|
* Wed Sep 14 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-8
|
||||||
|
Loading…
Reference in New Issue
Block a user