Resolves: CVE-2016-8624 - urlparse: accept '#' as end of host name
This commit is contained in:
parent
6c0c913605
commit
8cc82f17a1
|
@ -0,0 +1,162 @@
|
|||
From 0eefde2bae1576ec5a4eca30bd1abbe0fc1be3ea Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 11 Oct 2016 00:48:35 +0200
|
||||
Subject: [PATCH 1/2] urlparse: accept '#' as end of host name
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com
|
||||
for the '/' document with the rest of the URL being a fragment.
|
||||
|
||||
CVE-2016-8624
|
||||
|
||||
Bug: https://curl.haxx.se/docs/adv_20161102J.html
|
||||
Reported-by: Fernando Muñoz
|
||||
|
||||
Upstream-commit: 3bb273db7e40ebc284cff45f3ce3f0475c8339c2
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/url.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index ff99c58..ff14dad 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -4086,7 +4086,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
|
||||
path[0]=0;
|
||||
|
||||
if(2 > sscanf(data->change.url,
|
||||
- "%15[^\n:]://%[^\n/?]%[^\n]",
|
||||
+ "%15[^\n:]://%[^\n/?#]%[^\n]",
|
||||
protobuf,
|
||||
conn->host.name, path)) {
|
||||
|
||||
@@ -4094,7 +4094,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
|
||||
* The URL was badly formatted, let's try the browser-style _without_
|
||||
* protocol specified like 'http://'.
|
||||
*/
|
||||
- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
|
||||
+ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
|
||||
if(1 > rc) {
|
||||
/*
|
||||
* We couldn't even get this format.
|
||||
@@ -4184,10 +4184,10 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
|
||||
}
|
||||
|
||||
/* If the URL is malformatted (missing a '/' after hostname before path) we
|
||||
- * insert a slash here. The only letter except '/' we accept to start a path
|
||||
- * is '?'.
|
||||
+ * insert a slash here. The only letters except '/' that can start a path is
|
||||
+ * '?' and '#' - as controlled by the two sscanf() patterns above.
|
||||
*/
|
||||
- if(path[0] == '?') {
|
||||
+ if(path[0] != '/') {
|
||||
/* We need this function to deal with overlapping memory areas. We know
|
||||
that the memory area 'path' points to is 'urllen' bytes big and that
|
||||
is bigger than the path. Use +1 to move the zero byte too. */
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
||||
From c0304cbed088744f3c72a93b29bb58c8bc92d48a Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 11 Oct 2016 00:54:51 +0200
|
||||
Subject: [PATCH 2/2] test1246: verify URL parsing with host name ending with
|
||||
'#'
|
||||
|
||||
Upstream-commit: 42b650b9ea5f26b2f5347af3072eaf690658ed62
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
tests/data/Makefile.inc | 2 +-
|
||||
tests/data/test1246 | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 65 insertions(+), 1 deletion(-)
|
||||
create mode 100644 tests/data/test1246
|
||||
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index 7321ad5..b4bec03 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -126,7 +126,7 @@ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
|
||||
test1216 test1217 test1218 test1219 \
|
||||
test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
|
||||
test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
|
||||
-test1236 test1237 test1238 test1239 test1240 test1241 \
|
||||
+test1236 test1237 test1238 test1239 test1240 test1241 test1246 \
|
||||
\
|
||||
test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
|
||||
test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \
|
||||
diff --git a/tests/data/test1246 b/tests/data/test1246
|
||||
new file mode 100644
|
||||
index 0000000..6565929
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test1246
|
||||
@@ -0,0 +1,64 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+# verify URL with hostname ending in pound sign
|
||||
+<keywords>
|
||||
+HTTP
|
||||
+HTTP GET
|
||||
+HTTP proxy
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data>
|
||||
+HTTP/1.1 200 OK
|
||||
+Content-Length: 6
|
||||
+Connection: close
|
||||
+
|
||||
+-foo-
|
||||
+</data>
|
||||
+
|
||||
+<data1>
|
||||
+HTTP/1.1 200 OK
|
||||
+Content-Length: 7
|
||||
+Connection: close
|
||||
+
|
||||
+-cool-
|
||||
+</data1>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<server>
|
||||
+http
|
||||
+</server>
|
||||
+ <name>
|
||||
+URL with '#' at end of host name instead of '/'
|
||||
+ </name>
|
||||
+ <command>
|
||||
+--proxy http://%HOSTIP:%HTTPPORT http://test.remote.haxx.se.1246:%HTTPPORT#@127.0.0.1/tricked.html no-scheme-url.com.1246:%HTTPPORT#@127.127.127.127/again.html
|
||||
+</command>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<strip>
|
||||
+^User-Agent:.*
|
||||
+</strip>
|
||||
+<protocol>
|
||||
+GET http://test.remote.haxx.se.1246:%HTTPPORT/ HTTP/1.1
|
||||
+Host: test.remote.haxx.se.1246:%HTTPPORT
|
||||
+Accept: */*
|
||||
+Proxy-Connection: Keep-Alive
|
||||
+
|
||||
+GET http://no-scheme-url.com.1246:%HTTPPORT/ HTTP/1.1
|
||||
+Host: no-scheme-url.com.1246:%HTTPPORT
|
||||
+Accept: */*
|
||||
+Proxy-Connection: Keep-Alive
|
||||
+
|
||||
+</protocol>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -28,6 +28,9 @@ Patch11: 0011-curl-7.47.1-find-slot-race.patch
|
|||
# reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)
|
||||
Patch12: 0012-curl-7.47.1-CVE-2016-7167.patch
|
||||
|
||||
# urlparse: accept '#' as end of host name (CVE-2016-8624)
|
||||
Patch13: 0013-curl-7.47.1-CVE-2016-8624.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
|
@ -148,6 +151,7 @@ documentation of the library, too.
|
|||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
%patch13 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
|
@ -264,6 +268,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||
|
||||
%changelog
|
||||
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
|
||||
- urlparse: accept '#' as end of host name (CVE-2016-8624)
|
||||
- run autoreconf in %%prep to avoid patching Makefile.in files from now on
|
||||
|
||||
* Wed Sep 14 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-8
|
||||
|
|
Loading…
Reference in New Issue