Compare commits
85 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
0bb496969f | ||
|
f5e5013744 | ||
|
9b08152998 | ||
|
45b18a48b4 | ||
|
c76b2a1a9f | ||
|
424d9c193f | ||
|
c637ed663b | ||
|
a28fa4e5f0 | ||
|
bd1119154c | ||
|
d8e56f956c | ||
|
f35a1d48bb | ||
|
43690cb3af | ||
|
02810cd68e | ||
|
ee9c88927d | ||
|
159cab915b | ||
|
fd4baaca6f | ||
|
321dbf8171 | ||
|
c8f5ee33a6 | ||
|
c3286199cb | ||
|
3e801a6f9f | ||
|
503307b687 | ||
|
ef0743b641 | ||
|
ac00a5bac0 | ||
|
94a3e807dd | ||
|
1b982b367e | ||
|
a0acb0cc77 | ||
|
d4c5b54bf3 | ||
|
5ebead952b | ||
|
54117120e4 | ||
|
c2f61abc1c | ||
|
407e3960e4 | ||
|
e2155b2695 | ||
|
f97c73e9d7 | ||
|
31329d9443 | ||
|
25f443ae12 | ||
|
287da1ceec | ||
|
d02617d325 | ||
|
62e2b8d564 | ||
|
f964aefff3 | ||
|
adeb2cb476 | ||
|
85619bdba3 | ||
|
0ac0b6fbd1 | ||
|
c921b2c69d | ||
|
ef5a5be78e | ||
|
64bcb4bcc1 | ||
|
ece67bdd2f | ||
|
ddaf41062c | ||
|
4c89d92ee7 | ||
|
4b7b124d75 | ||
|
bf8bb4b5b4 | ||
|
a0d250c162 | ||
|
25676e54ef | ||
|
b57f5589af | ||
|
742526c048 | ||
|
bd924f90f2 | ||
|
d781733304 | ||
|
7dada590f2 | ||
|
1cfc0aeb3b | ||
|
3613691251 | ||
|
182c2a8bbb | ||
|
c829072f9f | ||
|
9ef73a22d0 | ||
|
3c950d5541 | ||
|
a15dd89aaa | ||
|
89714e3b24 | ||
|
4226c316c7 | ||
|
e7a12a6b7b | ||
|
840be82e6f | ||
|
b740a1ecc6 | ||
|
407d32e00a | ||
|
df63713984 | ||
|
87d774717a | ||
|
6071e0dd16 | ||
|
8c661bb9d7 | ||
|
c74a58b095 | ||
|
ce4949188b | ||
|
c88a6aff30 | ||
|
6a752013d0 | ||
|
53c8c93125 | ||
|
ac5c236f18 | ||
|
fbcad9a3a0 | ||
|
249d0aea51 | ||
|
83181bd6d3 | ||
|
dfb411a0a2 | ||
|
13f70ceee2 |
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@ -0,0 +1 @@
|
|||||||
|
1
|
@ -1,316 +0,0 @@
|
|||||||
From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Wed, 13 Nov 2019 11:33:29 +0100
|
|
||||||
Subject: [PATCH] curl: fix -T globbing
|
|
||||||
|
|
||||||
Regression from e59371a4936f8 (7.67.0)
|
|
||||||
|
|
||||||
Added test 490, 491 and 492 to verify the functionality.
|
|
||||||
|
|
||||||
Reported-by: Kamil Dudka
|
|
||||||
Reported-by: Anderson Sasaki
|
|
||||||
|
|
||||||
Fixes #4588
|
|
||||||
Closes #4591
|
|
||||||
|
|
||||||
Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
src/tool_operate.c | 15 ++++---
|
|
||||||
tests/data/Makefile.inc | 2 +
|
|
||||||
tests/data/test490 | 68 +++++++++++++++++++++++++++++++
|
|
||||||
tests/data/test491 | 64 +++++++++++++++++++++++++++++
|
|
||||||
tests/data/test492 | 89 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
5 files changed, 232 insertions(+), 6 deletions(-)
|
|
||||||
create mode 100644 tests/data/test490
|
|
||||||
create mode 100644 tests/data/test491
|
|
||||||
create mode 100644 tests/data/test492
|
|
||||||
|
|
||||||
diff --git a/src/tool_operate.c b/src/tool_operate.c
|
|
||||||
index 3087d2d..4ecb1ed 100644
|
|
||||||
--- a/src/tool_operate.c
|
|
||||||
+++ b/src/tool_operate.c
|
|
||||||
@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global,
|
|
||||||
separator = ((!state->outfiles ||
|
|
||||||
!strcmp(state->outfiles, "-")) && urlnum > 1);
|
|
||||||
|
|
||||||
- /* Here's looping around each globbed URL */
|
|
||||||
-
|
|
||||||
- if(state->li >= urlnum) {
|
|
||||||
- state->li = 0;
|
|
||||||
- state->up++;
|
|
||||||
- }
|
|
||||||
if(state->up < state->infilenum) {
|
|
||||||
struct per_transfer *per;
|
|
||||||
struct OutStruct *outs;
|
|
||||||
@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global,
|
|
||||||
per->retrystart = tvnow();
|
|
||||||
|
|
||||||
state->li++;
|
|
||||||
+ /* Here's looping around each globbed URL */
|
|
||||||
+ if(state->li >= urlnum) {
|
|
||||||
+ state->li = 0;
|
|
||||||
+ state->urlnum = 0; /* forced reglob of URLs */
|
|
||||||
+ glob_cleanup(state->urls);
|
|
||||||
+ state->urls = NULL;
|
|
||||||
+ state->up++;
|
|
||||||
+ Curl_safefree(state->uploadfile); /* clear it to get the next */
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
/* Free this URL node data without destroying the
|
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
||||||
index 557f928..212900e 100644
|
|
||||||
--- a/tests/data/Makefile.inc
|
|
||||||
+++ b/tests/data/Makefile.inc
|
|
||||||
@@ -66,6 +66,8 @@ test393 test394 test395 \
|
|
||||||
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
|
|
||||||
test409 \
|
|
||||||
\
|
|
||||||
+test490 test491 test492 \
|
|
||||||
+\
|
|
||||||
test500 test501 test502 test503 test504 test505 test506 test507 test508 \
|
|
||||||
test509 test510 test511 test512 test513 test514 test515 test516 test517 \
|
|
||||||
test518 test519 test520 test521 test522 test523 test524 test525 test526 \
|
|
||||||
diff --git a/tests/data/test490 b/tests/data/test490
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..a3383a9
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test490
|
|
||||||
@@ -0,0 +1,68 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+HTTP PUT
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+<data>
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
||||||
+Server: test-server/fake
|
|
||||||
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
|
||||||
+ETag: "21025-dc7-39462498"
|
|
||||||
+Accept-Ranges: bytes
|
|
||||||
+Content-Length: 6
|
|
||||||
+Connection: close
|
|
||||||
+Content-Type: text/html
|
|
||||||
+Funny-head: yesyes
|
|
||||||
+
|
|
||||||
+-foo-
|
|
||||||
+</data>
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+</server>
|
|
||||||
+ <name>
|
|
||||||
+Two globbed HTTP PUTs
|
|
||||||
+ </name>
|
|
||||||
+ <command>
|
|
||||||
+http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}'
|
|
||||||
+</command>
|
|
||||||
+<file name="log/in490">
|
|
||||||
+surprise!
|
|
||||||
+</file>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<strip>
|
|
||||||
+^User-Agent:.*
|
|
||||||
+</strip>
|
|
||||||
+<protocol>
|
|
||||||
+PUT /490 HTTP/1.1
|
|
||||||
+Host: 127.0.0.1:8990
|
|
||||||
+Accept: */*
|
|
||||||
+Content-Length: 10
|
|
||||||
+Expect: 100-continue
|
|
||||||
+
|
|
||||||
+surprise!
|
|
||||||
+PUT /490 HTTP/1.1
|
|
||||||
+Host: 127.0.0.1:8990
|
|
||||||
+Accept: */*
|
|
||||||
+Content-Length: 10
|
|
||||||
+Expect: 100-continue
|
|
||||||
+
|
|
||||||
+surprise!
|
|
||||||
+</protocol>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
diff --git a/tests/data/test491 b/tests/data/test491
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..b49c06c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test491
|
|
||||||
@@ -0,0 +1,64 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+HTTP PUT
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+<data>
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
||||||
+Server: test-server/fake
|
|
||||||
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
|
||||||
+ETag: "21025-dc7-39462498"
|
|
||||||
+Accept-Ranges: bytes
|
|
||||||
+Content-Length: 6
|
|
||||||
+Connection: close
|
|
||||||
+Content-Type: text/html
|
|
||||||
+Funny-head: yesyes
|
|
||||||
+
|
|
||||||
+-foo-
|
|
||||||
+</data>
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+</server>
|
|
||||||
+ <name>
|
|
||||||
+Two globbed HTTP PUTs, the second upload file is missing
|
|
||||||
+ </name>
|
|
||||||
+ <command>
|
|
||||||
+http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}'
|
|
||||||
+</command>
|
|
||||||
+<file name="log/in491">
|
|
||||||
+surprise!
|
|
||||||
+</file>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<strip>
|
|
||||||
+^User-Agent:.*
|
|
||||||
+</strip>
|
|
||||||
+<protocol>
|
|
||||||
+PUT /491 HTTP/1.1
|
|
||||||
+Host: 127.0.0.1:8990
|
|
||||||
+Accept: */*
|
|
||||||
+Content-Length: 10
|
|
||||||
+Expect: 100-continue
|
|
||||||
+
|
|
||||||
+surprise!
|
|
||||||
+</protocol>
|
|
||||||
+<errorcode>
|
|
||||||
+26
|
|
||||||
+</errorcode>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
diff --git a/tests/data/test492 b/tests/data/test492
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..12edd8b
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test492
|
|
||||||
@@ -0,0 +1,89 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+HTTP PUT
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+<data>
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
||||||
+Server: test-server/fake
|
|
||||||
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
|
||||||
+ETag: "21025-dc7-39462498"
|
|
||||||
+Accept-Ranges: bytes
|
|
||||||
+Content-Length: 6
|
|
||||||
+Connection: close
|
|
||||||
+Content-Type: text/html
|
|
||||||
+Funny-head: yesyes
|
|
||||||
+
|
|
||||||
+-foo-
|
|
||||||
+</data>
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+</server>
|
|
||||||
+ <name>
|
|
||||||
+Two globbed HTTP PUTs to two globbed URLs
|
|
||||||
+ </name>
|
|
||||||
+ <command>
|
|
||||||
+'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492"
|
|
||||||
+</command>
|
|
||||||
+<file name="log/first492">
|
|
||||||
+first 492 contents
|
|
||||||
+</file>
|
|
||||||
+<file1 name="log/second492">
|
|
||||||
+second 492 contents
|
|
||||||
+</file1>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<strip>
|
|
||||||
+^User-Agent:.*
|
|
||||||
+</strip>
|
|
||||||
+<protocol>
|
|
||||||
+PUT /one/first492 HTTP/1.1
|
|
||||||
+Host: 127.0.0.1:8990
|
|
||||||
+Accept: */*
|
|
||||||
+Testno: 492
|
|
||||||
+Content-Length: 19
|
|
||||||
+Expect: 100-continue
|
|
||||||
+
|
|
||||||
+first 492 contents
|
|
||||||
+PUT /two/first492 HTTP/1.1
|
|
||||||
+Host: 127.0.0.1:8990
|
|
||||||
+Accept: */*
|
|
||||||
+Testno: 492
|
|
||||||
+Content-Length: 19
|
|
||||||
+Expect: 100-continue
|
|
||||||
+
|
|
||||||
+first 492 contents
|
|
||||||
+PUT /one/second492 HTTP/1.1
|
|
||||||
+Host: 127.0.0.1:8990
|
|
||||||
+Accept: */*
|
|
||||||
+Testno: 492
|
|
||||||
+Content-Length: 20
|
|
||||||
+Expect: 100-continue
|
|
||||||
+
|
|
||||||
+second 492 contents
|
|
||||||
+PUT /two/second492 HTTP/1.1
|
|
||||||
+Host: 127.0.0.1:8990
|
|
||||||
+Accept: */*
|
|
||||||
+Testno: 492
|
|
||||||
+Content-Length: 20
|
|
||||||
+Expect: 100-continue
|
|
||||||
+
|
|
||||||
+second 492 contents
|
|
||||||
+</protocol>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
36
0001-curl-7.82.0-openssl-spurious-oom.patch
Normal file
36
0001-curl-7.82.0-openssl-spurious-oom.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
From 58781adaaff911303f69876236918b9049dde926 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 8 Mar 2022 13:38:13 +0100
|
||||||
|
Subject: [PATCH] openssl: fix CN check error code
|
||||||
|
|
||||||
|
Due to a missing 'else' this returns error too easily.
|
||||||
|
|
||||||
|
Regressed in: d15692ebb
|
||||||
|
|
||||||
|
Reported-by: Kristoffer Gleditsch
|
||||||
|
Fixes #8559
|
||||||
|
Closes #8560
|
||||||
|
|
||||||
|
Upstream-commit: 911714d617c106ed5d553bf003e34ec94ab6a136
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/openssl.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 616a510..1bafe96 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -1808,7 +1808,8 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
|
||||||
|
peer_CN[peerlen] = '\0';
|
||||||
|
}
|
||||||
|
- result = CURLE_OUT_OF_MEMORY;
|
||||||
|
+ else
|
||||||
|
+ result = CURLE_OUT_OF_MEMORY;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else /* not a UTF8 name */
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
148
0002-curl-7.82.0-CVE-2022-22576.patch
Normal file
148
0002-curl-7.82.0-CVE-2022-22576.patch
Normal file
@ -0,0 +1,148 @@
|
|||||||
|
From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Monnerat <patrick@monnerat.net>
|
||||||
|
Date: Mon, 25 Apr 2022 11:44:05 +0200
|
||||||
|
Subject: [PATCH] url: check sasl additional parameters for connection reuse.
|
||||||
|
|
||||||
|
Also move static function safecmp() as non-static Curl_safecmp() since
|
||||||
|
its purpose is needed at several places.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-22576.html
|
||||||
|
|
||||||
|
CVE-2022-22576
|
||||||
|
|
||||||
|
Closes #8746
|
||||||
|
|
||||||
|
Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/strcase.c | 10 ++++++++++
|
||||||
|
lib/strcase.h | 2 ++
|
||||||
|
lib/url.c | 13 ++++++++++++-
|
||||||
|
lib/urldata.h | 1 +
|
||||||
|
lib/vtls/vtls.c | 21 ++++++---------------
|
||||||
|
5 files changed, 31 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/strcase.c b/lib/strcase.c
|
||||||
|
index dd46ca1..692a3f1 100644
|
||||||
|
--- a/lib/strcase.c
|
||||||
|
+++ b/lib/strcase.c
|
||||||
|
@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
|
||||||
|
} while(*src++ && --n);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
||||||
|
+ * null pointers. Return true if arguments match.
|
||||||
|
+ */
|
||||||
|
+bool Curl_safecmp(char *a, char *b)
|
||||||
|
+{
|
||||||
|
+ if(a && b)
|
||||||
|
+ return !strcmp(a, b);
|
||||||
|
+ return !a && !b;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* --- public functions --- */
|
||||||
|
|
||||||
|
int curl_strequal(const char *first, const char *second)
|
||||||
|
diff --git a/lib/strcase.h b/lib/strcase.h
|
||||||
|
index b628656..382b80a 100644
|
||||||
|
--- a/lib/strcase.h
|
||||||
|
+++ b/lib/strcase.h
|
||||||
|
@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
|
||||||
|
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
||||||
|
void Curl_strntolower(char *dest, const char *src, size_t n);
|
||||||
|
|
||||||
|
+bool Curl_safecmp(char *a, char *b);
|
||||||
|
+
|
||||||
|
#endif /* HEADER_CURL_STRCASE_H */
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index adef2cd..94e3406 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
|
||||||
|
Curl_safefree(conn->passwd);
|
||||||
|
Curl_safefree(conn->sasl_authzid);
|
||||||
|
Curl_safefree(conn->options);
|
||||||
|
+ Curl_safefree(conn->oauth_bearer);
|
||||||
|
Curl_dyn_free(&conn->trailer);
|
||||||
|
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
||||||
|
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
|
||||||
|
@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
|
||||||
|
/* This protocol requires credentials per connection,
|
||||||
|
so verify that we're using the same name and password as well */
|
||||||
|
if(strcmp(needle->user, check->user) ||
|
||||||
|
- strcmp(needle->passwd, check->passwd)) {
|
||||||
|
+ strcmp(needle->passwd, check->passwd) ||
|
||||||
|
+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
|
||||||
|
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
|
||||||
|
/* one of them was different */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if(data->set.str[STRING_BEARER]) {
|
||||||
|
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
||||||
|
+ if(!conn->oauth_bearer) {
|
||||||
|
+ result = CURLE_OUT_OF_MEMORY;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
#ifdef USE_UNIX_SOCKETS
|
||||||
|
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
||||||
|
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index cc8a600..03da59a 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -984,6 +984,7 @@ struct connectdata {
|
||||||
|
char *passwd; /* password string, allocated */
|
||||||
|
char *options; /* options string, allocated */
|
||||||
|
char *sasl_authzid; /* authorisation identity string, allocated */
|
||||||
|
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
|
||||||
|
unsigned char httpversion; /* the HTTP version*10 reported by the server */
|
||||||
|
struct curltime now; /* "current" time */
|
||||||
|
struct curltime created; /* creation time */
|
||||||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
|
index 03b85ba..a40ac06 100644
|
||||||
|
--- a/lib/vtls/vtls.c
|
||||||
|
+++ b/lib/vtls/vtls.c
|
||||||
|
@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
||||||
|
return !memcmp(first->data, second->data, first->len); /* same data */
|
||||||
|
}
|
||||||
|
|
||||||
|
-static bool safecmp(char *a, char *b)
|
||||||
|
-{
|
||||||
|
- if(a && b)
|
||||||
|
- return !strcmp(a, b);
|
||||||
|
- else if(!a && !b)
|
||||||
|
- return TRUE; /* match */
|
||||||
|
- return FALSE; /* no match */
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
|
||||||
|
bool
|
||||||
|
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
blobcmp(data->cert_blob, needle->cert_blob) &&
|
||||||
|
blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
|
||||||
|
blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
||||||
|
- safecmp(data->CApath, needle->CApath) &&
|
||||||
|
- safecmp(data->CAfile, needle->CAfile) &&
|
||||||
|
- safecmp(data->issuercert, needle->issuercert) &&
|
||||||
|
- safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
- safecmp(data->random_file, needle->random_file) &&
|
||||||
|
- safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
+ Curl_safecmp(data->CApath, needle->CApath) &&
|
||||||
|
+ Curl_safecmp(data->CAfile, needle->CAfile) &&
|
||||||
|
+ Curl_safecmp(data->issuercert, needle->issuercert) &&
|
||||||
|
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
+ Curl_safecmp(data->random_file, needle->random_file) &&
|
||||||
|
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
||||||
|
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
40
0003-curl-7.82.0-CVE-2022-27775.patch
Normal file
40
0003-curl-7.82.0-CVE-2022-27775.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 11:48:00 +0200
|
||||||
|
Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
|
||||||
|
|
||||||
|
Make connections to two separate IPv6 zone ids create separate
|
||||||
|
connections.
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27775.html
|
||||||
|
Closes #8747
|
||||||
|
|
||||||
|
Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/conncache.c | 8 ++++++--
|
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/conncache.c b/lib/conncache.c
|
||||||
|
index cd5756a..9b9f683 100644
|
||||||
|
--- a/lib/conncache.c
|
||||||
|
+++ b/lib/conncache.c
|
||||||
|
@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
|
||||||
|
/* report back which name we used */
|
||||||
|
*hostp = hostname;
|
||||||
|
|
||||||
|
- /* put the number first so that the hostname gets cut off if too long */
|
||||||
|
- msnprintf(buf, len, "%ld%s", port, hostname);
|
||||||
|
+ /* put the numbers first so that the hostname gets cut off if too long */
|
||||||
|
+#ifdef ENABLE_IPV6
|
||||||
|
+ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
|
||||||
|
+#else
|
||||||
|
+ msnprintf(buf, len, "%ld/%s", port, hostname);
|
||||||
|
+#endif
|
||||||
|
Curl_strntolower(buf, buf, len);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
246
0004-curl-7.82.0-CVE-2022-27776.patch
Normal file
246
0004-curl-7.82.0-CVE-2022-27776.patch
Normal file
@ -0,0 +1,246 @@
|
|||||||
|
From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 13:05:40 +0200
|
||||||
|
Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
|
||||||
|
|
||||||
|
CVE-2022-27776
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27776.html
|
||||||
|
Closes #8749
|
||||||
|
|
||||||
|
Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http.c | 34 ++++++++++++++++++++++------------
|
||||||
|
lib/urldata.h | 16 +++++++++-------
|
||||||
|
2 files changed, 31 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index 799d4fb..0791dcf 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
||||||
|
+ * data" can (still) be sent to this host.
|
||||||
|
+ */
|
||||||
|
+static bool allow_auth_to_host(struct Curl_easy *data)
|
||||||
|
+{
|
||||||
|
+ struct connectdata *conn = data->conn;
|
||||||
|
+ return (!data->state.this_is_a_follow ||
|
||||||
|
+ data->set.allow_auth_to_other_hosts ||
|
||||||
|
+ (data->state.first_host &&
|
||||||
|
+ strcasecompare(data->state.first_host, conn->host.name) &&
|
||||||
|
+ (data->state.first_remote_port == conn->remote_port) &&
|
||||||
|
+ (data->state.first_remote_protocol == conn->handler->protocol)));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* Curl_http_output_auth() setups the authentication headers for the
|
||||||
|
* host/proxy and the correct authentication
|
||||||
|
@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
|
||||||
|
with it */
|
||||||
|
authproxy->done = TRUE;
|
||||||
|
|
||||||
|
- /* To prevent the user+password to get sent to other than the original
|
||||||
|
- host due to a location-follow, we do some weirdo checks here */
|
||||||
|
- if(!data->state.this_is_a_follow ||
|
||||||
|
+ /* To prevent the user+password to get sent to other than the original host
|
||||||
|
+ due to a location-follow */
|
||||||
|
+ if(allow_auth_to_host(data)
|
||||||
|
#ifndef CURL_DISABLE_NETRC
|
||||||
|
- conn->bits.netrc ||
|
||||||
|
+ || conn->bits.netrc
|
||||||
|
#endif
|
||||||
|
- !data->state.first_host ||
|
||||||
|
- data->set.allow_auth_to_other_hosts ||
|
||||||
|
- strcasecompare(data->state.first_host, conn->host.name)) {
|
||||||
|
+ )
|
||||||
|
result = output_auth_headers(data, conn, authhost, request, path, FALSE);
|
||||||
|
- }
|
||||||
|
else
|
||||||
|
authhost->done = TRUE;
|
||||||
|
|
||||||
|
@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
|
||||||
|
checkprefix("Cookie:", compare)) &&
|
||||||
|
/* be careful of sending this potentially sensitive header to
|
||||||
|
other hosts */
|
||||||
|
- (data->state.this_is_a_follow &&
|
||||||
|
- data->state.first_host &&
|
||||||
|
- !data->set.allow_auth_to_other_hosts &&
|
||||||
|
- !strcasecompare(data->state.first_host, conn->host.name)))
|
||||||
|
+ !allow_auth_to_host(data))
|
||||||
|
;
|
||||||
|
else {
|
||||||
|
#ifdef USE_HYPER
|
||||||
|
@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
data->state.first_remote_port = conn->remote_port;
|
||||||
|
+ data->state.first_remote_protocol = conn->handler->protocol;
|
||||||
|
}
|
||||||
|
Curl_safefree(data->state.aptr.host);
|
||||||
|
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 03da59a..f92052a 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -1329,14 +1329,16 @@ struct UrlState {
|
||||||
|
char *ulbuf; /* allocated upload buffer or NULL */
|
||||||
|
curl_off_t current_speed; /* the ProgressShow() function sets this,
|
||||||
|
bytes / second */
|
||||||
|
- char *first_host; /* host name of the first (not followed) request.
|
||||||
|
- if set, this should be the host name that we will
|
||||||
|
- sent authorization to, no else. Used to make Location:
|
||||||
|
- following not keep sending user+password... This is
|
||||||
|
- strdup() data.
|
||||||
|
- */
|
||||||
|
+
|
||||||
|
+ /* host name, port number and protocol of the first (not followed) request.
|
||||||
|
+ if set, this should be the host name that we will sent authorization to,
|
||||||
|
+ no else. Used to make Location: following not keep sending user+password.
|
||||||
|
+ This is strdup()ed data. */
|
||||||
|
+ char *first_host;
|
||||||
|
+ int first_remote_port;
|
||||||
|
+ unsigned int first_remote_protocol;
|
||||||
|
+
|
||||||
|
int retrycount; /* number of retries on a new connection */
|
||||||
|
- int first_remote_port; /* remote port of the first (not followed) request */
|
||||||
|
struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
|
||||||
|
long sessionage; /* number of the most recent session */
|
||||||
|
struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 13:05:47 +0200
|
||||||
|
Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
|
||||||
|
|
||||||
|
Do not pass on Authorization headers on redirects to another port
|
||||||
|
|
||||||
|
Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 91 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test898
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 59d46bc..7ae2cf8 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -109,7 +109,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
|
||||||
|
test863 test864 test865 test866 test867 test868 test869 test870 test871 \
|
||||||
|
test872 test873 test874 test875 test876 test877 test878 test879 test880 \
|
||||||
|
test881 test882 test883 test884 test885 test886 test887 test888 test889 \
|
||||||
|
-test890 test891 test892 test893 test894 test895 test896 test897 \
|
||||||
|
+test890 test891 test892 test893 test894 test895 test896 test897 test898 \
|
||||||
|
\
|
||||||
|
test900 test901 test902 test903 test904 test905 test906 test907 test908 \
|
||||||
|
test909 test910 test911 test912 test913 test914 test915 test916 test917 \
|
||||||
|
diff --git a/tests/data/test898 b/tests/data/test898
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..5cbb7d8
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test898
|
||||||
|
@@ -0,0 +1,90 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+--location
|
||||||
|
+Authorization
|
||||||
|
+Cookie
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with custom auth and cookies redirected to HTTP on a diff port
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
|
+Host: firsthost.com
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+Cookie: userpwd=am9lOnNlY3JldA==
|
||||||
|
+
|
||||||
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||||||
|
+Host: firsthost.com:9999
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
636
0005-curl-7.82.0-CVE-2022-27774.patch
Normal file
636
0005-curl-7.82.0-CVE-2022-27774.patch
Normal file
@ -0,0 +1,636 @@
|
|||||||
|
From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
|
Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
|
||||||
|
|
||||||
|
To make it available after the connection ended.
|
||||||
|
|
||||||
|
Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/connect.c | 1 +
|
||||||
|
lib/urldata.h | 6 +++++-
|
||||||
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/connect.c b/lib/connect.c
|
||||||
|
index 64f9511..7518807 100644
|
||||||
|
--- a/lib/connect.c
|
||||||
|
+++ b/lib/connect.c
|
||||||
|
@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
data->info.conn_scheme = conn->handler->scheme;
|
||||||
|
data->info.conn_protocol = conn->handler->protocol;
|
||||||
|
data->info.conn_primary_port = conn->port;
|
||||||
|
+ data->info.conn_remote_port = conn->remote_port;
|
||||||
|
data->info.conn_local_port = local_port;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index f92052a..5218f76 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -1160,7 +1160,11 @@ struct PureInfo {
|
||||||
|
reused, in the connection cache. */
|
||||||
|
|
||||||
|
char conn_primary_ip[MAX_IPADR_LEN];
|
||||||
|
- int conn_primary_port;
|
||||||
|
+ int conn_primary_port; /* this is the destination port to the connection,
|
||||||
|
+ which might have been a proxy */
|
||||||
|
+ int conn_remote_port; /* this is the "remote port", which is the port
|
||||||
|
+ number of the used URL, independent of proxy or
|
||||||
|
+ not */
|
||||||
|
char conn_local_ip[MAX_IPADR_LEN];
|
||||||
|
int conn_local_port;
|
||||||
|
const char *conn_scheme;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
|
Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
|
||||||
|
auth
|
||||||
|
|
||||||
|
... unless explicitly permitted.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27774.html
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #8748
|
||||||
|
|
||||||
|
Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 48 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/transfer.c b/lib/transfer.c
|
||||||
|
index 1f8019b..752fe14 100644
|
||||||
|
--- a/lib/transfer.c
|
||||||
|
+++ b/lib/transfer.c
|
||||||
|
@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
-
|
||||||
|
uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
|
||||||
|
if(uc)
|
||||||
|
return Curl_uc_to_curlcode(uc);
|
||||||
|
+
|
||||||
|
+ /* Clear auth if this redirects to a different port number or protocol,
|
||||||
|
+ unless permitted */
|
||||||
|
+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
|
||||||
|
+ char *portnum;
|
||||||
|
+ int port;
|
||||||
|
+ bool clear = FALSE;
|
||||||
|
+
|
||||||
|
+ if(data->set.use_port && data->state.allow_port)
|
||||||
|
+ /* a custom port is used */
|
||||||
|
+ port = (int)data->set.use_port;
|
||||||
|
+ else {
|
||||||
|
+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
|
||||||
|
+ CURLU_DEFAULT_PORT);
|
||||||
|
+ if(uc) {
|
||||||
|
+ free(newurl);
|
||||||
|
+ return Curl_uc_to_curlcode(uc);
|
||||||
|
+ }
|
||||||
|
+ port = atoi(portnum);
|
||||||
|
+ free(portnum);
|
||||||
|
+ }
|
||||||
|
+ if(port != data->info.conn_remote_port) {
|
||||||
|
+ infof(data, "Clear auth, redirects to port from %u to %u",
|
||||||
|
+ data->info.conn_remote_port, port);
|
||||||
|
+ clear = TRUE;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ char *scheme;
|
||||||
|
+ const struct Curl_handler *p;
|
||||||
|
+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
|
||||||
|
+ if(uc) {
|
||||||
|
+ free(newurl);
|
||||||
|
+ return Curl_uc_to_curlcode(uc);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ p = Curl_builtin_scheme(scheme);
|
||||||
|
+ if(p && (p->protocol != data->info.conn_protocol)) {
|
||||||
|
+ infof(data, "Clear auth, redirects scheme from %s to %s",
|
||||||
|
+ data->info.conn_scheme, scheme);
|
||||||
|
+ clear = TRUE;
|
||||||
|
+ }
|
||||||
|
+ free(scheme);
|
||||||
|
+ }
|
||||||
|
+ if(clear) {
|
||||||
|
+ Curl_safefree(data->state.aptr.user);
|
||||||
|
+ Curl_safefree(data->state.aptr.passwd);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if(type == FOLLOW_FAKE) {
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
|
Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
|
||||||
|
|
||||||
|
- Test 973 redirects from HTTP to FTP, clear auth
|
||||||
|
- Test 974 redirects from HTTP to HTTP different port, clear auth
|
||||||
|
- Test 975 redirects from HTTP to FTP, permitted to keep auth
|
||||||
|
- Test 976 redirects from HTTP to HTTP different port, permitted to keep
|
||||||
|
auth
|
||||||
|
|
||||||
|
Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
5 files changed, 352 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test973
|
||||||
|
create mode 100644 tests/data/test974
|
||||||
|
create mode 100644 tests/data/test975
|
||||||
|
create mode 100644 tests/data/test976
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 7ae2cf8..175fc43 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -119,7 +119,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
||||||
|
test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||||||
|
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||||||
|
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||||||
|
-test972 \
|
||||||
|
+test972 test973 test974 test975 test976 \
|
||||||
|
\
|
||||||
|
test980 test981 test982 test983 test984 test985 test986 \
|
||||||
|
\
|
||||||
|
diff --git a/tests/data/test973 b/tests/data/test973
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..6ced107
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test973
|
||||||
|
@@ -0,0 +1,88 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+FTP
|
||||||
|
+--location
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTP
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTP
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+ftp
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with auth redirected to FTP w/o auth
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET /%TESTNUMBER HTTP/1.1
|
||||||
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+
|
||||||
|
+USER anonymous
|
||||||
|
+PASS ftp@example.com
|
||||||
|
+PWD
|
||||||
|
+CWD a
|
||||||
|
+CWD path
|
||||||
|
+EPSV
|
||||||
|
+TYPE I
|
||||||
|
+SIZE %TESTNUMBER0002
|
||||||
|
+RETR %TESTNUMBER0002
|
||||||
|
+QUIT
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test974 b/tests/data/test974
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..ac4e641
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test974
|
||||||
|
@@ -0,0 +1,87 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+--location
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with auth redirected to HTTP on a diff port w/o auth
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
|
+Host: firsthost.com
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||||||
|
+Host: firsthost.com:9999
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test975 b/tests/data/test975
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..85e03e4
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test975
|
||||||
|
@@ -0,0 +1,88 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+FTP
|
||||||
|
+--location-trusted
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTP
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTP
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+ftp
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with auth redirected to FTP allowing auth to continue
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET /%TESTNUMBER HTTP/1.1
|
||||||
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+
|
||||||
|
+USER joe
|
||||||
|
+PASS secret
|
||||||
|
+PWD
|
||||||
|
+CWD a
|
||||||
|
+CWD path
|
||||||
|
+EPSV
|
||||||
|
+TYPE I
|
||||||
|
+SIZE %TESTNUMBER0002
|
||||||
|
+RETR %TESTNUMBER0002
|
||||||
|
+QUIT
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test976 b/tests/data/test976
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..c4dd61e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test976
|
||||||
|
@@ -0,0 +1,88 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+--location-trusted
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with auth redirected to HTTP on a diff port --location-trusted
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
|
+Host: firsthost.com
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||||||
|
+Host: firsthost.com:9999
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 17:59:15 +0200
|
||||||
|
Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
|
||||||
|
either
|
||||||
|
|
||||||
|
Follow-up to 620ea21410030
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #8751
|
||||||
|
|
||||||
|
Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http.c | 10 +++++-----
|
||||||
|
lib/http.h | 6 ++++++
|
||||||
|
lib/vtls/openssl.c | 3 ++-
|
||||||
|
3 files changed, 13 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index 0791dcf..4433824 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
||||||
|
- * data" can (still) be sent to this host.
|
||||||
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
||||||
|
+ * "sensitive data" can (still) be sent to this host.
|
||||||
|
*/
|
||||||
|
-static bool allow_auth_to_host(struct Curl_easy *data)
|
||||||
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
|
||||||
|
{
|
||||||
|
struct connectdata *conn = data->conn;
|
||||||
|
return (!data->state.this_is_a_follow ||
|
||||||
|
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
|
||||||
|
|
||||||
|
/* To prevent the user+password to get sent to other than the original host
|
||||||
|
due to a location-follow */
|
||||||
|
- if(allow_auth_to_host(data)
|
||||||
|
+ if(Curl_allow_auth_to_host(data)
|
||||||
|
#ifndef CURL_DISABLE_NETRC
|
||||||
|
|| conn->bits.netrc
|
||||||
|
#endif
|
||||||
|
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
|
||||||
|
checkprefix("Cookie:", compare)) &&
|
||||||
|
/* be careful of sending this potentially sensitive header to
|
||||||
|
other hosts */
|
||||||
|
- !allow_auth_to_host(data))
|
||||||
|
+ !Curl_allow_auth_to_host(data))
|
||||||
|
;
|
||||||
|
else {
|
||||||
|
#ifdef USE_HYPER
|
||||||
|
diff --git a/lib/http.h b/lib/http.h
|
||||||
|
index 07e963d..9000bae 100644
|
||||||
|
--- a/lib/http.h
|
||||||
|
+++ b/lib/http.h
|
||||||
|
@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
|
||||||
|
bool proxytunnel); /* TRUE if this is the request setting
|
||||||
|
up the proxy tunnel */
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
||||||
|
+ * "sensitive data" can (still) be sent to this host.
|
||||||
|
+ */
|
||||||
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
|
||||||
|
+
|
||||||
|
#endif /* HEADER_CURL_HTTP_H */
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 1bafe96..97c5666 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -2894,7 +2894,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_OPENSSL_SRP
|
||||||
|
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
||||||
|
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
||||||
|
+ Curl_allow_auth_to_host(data)) {
|
||||||
|
char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
|
|
||||||
|
infof(data, "Using TLS-SRP username: %s", ssl_username);
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
69
0006-curl-7.82.0-CVE-2022-27780.patch
Normal file
69
0006-curl-7.82.0-CVE-2022-27780.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
From 52684f4ad348deee05ce49c65b2446f68f4dc1a8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 08:19:38 +0200
|
||||||
|
Subject: [PATCH 1/2] urlapi: reject percent-decoding host name into separator
|
||||||
|
bytes
|
||||||
|
|
||||||
|
CVE-2022-27780
|
||||||
|
|
||||||
|
Reported-by: Axel Chong
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27780.html
|
||||||
|
Closes #8826
|
||||||
|
|
||||||
|
Upstream-commit: 914aaab9153764ef8fa4178215b8ad89d3ac263a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/urlapi.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/urlapi.c b/lib/urlapi.c
|
||||||
|
index ff00ee4..00222fc 100644
|
||||||
|
--- a/lib/urlapi.c
|
||||||
|
+++ b/lib/urlapi.c
|
||||||
|
@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- /* letters from the second string is not ok */
|
||||||
|
- len = strcspn(hostname, " \r\n");
|
||||||
|
+ /* letters from the second string are not ok */
|
||||||
|
+ len = strcspn(hostname, " \r\n\t/:#?!@");
|
||||||
|
if(hlen != len)
|
||||||
|
/* hostname with bad content */
|
||||||
|
return CURLUE_BAD_HOSTNAME;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From f69fa599b12737aebc4bacee7608807620ff42cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 08:19:38 +0200
|
||||||
|
Subject: [PATCH 2/2] libtest/lib1560: verify the host name percent decode fix
|
||||||
|
|
||||||
|
Upstream-commit: cfa47974fea04753d1131cac701e331cd91bec6f
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/libtest/lib1560.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
|
||||||
|
index 7614849..84ee933 100644
|
||||||
|
--- a/tests/libtest/lib1560.c
|
||||||
|
+++ b/tests/libtest/lib1560.c
|
||||||
|
@@ -374,6 +374,13 @@ static const struct testcase get_parts_list[] ={
|
||||||
|
|
||||||
|
static const struct urltestcase get_url_list[] = {
|
||||||
|
/* percent encoded host names */
|
||||||
|
+ {"http://example.com%40127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||||
|
+ {"http://example.com%21127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||||
|
+ {"http://example.com%3f127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||||
|
+ {"http://example.com%23127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||||
|
+ {"http://example.com%3a127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||||
|
+ {"http://example.com%09127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||||
|
+ {"http://example.com%2F127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
|
||||||
|
{"https://%this", "https://%25this/", 0, 0, CURLUE_OK},
|
||||||
|
{"https://h%c", "https://h%25c/", 0, 0, CURLUE_OK},
|
||||||
|
{"https://%%%%%%", "https://%25%25%25%25%25%25/", 0, 0, CURLUE_OK},
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
273
0007-curl-7.82.0-CVE-2022-30115.patch
Normal file
273
0007-curl-7.82.0-CVE-2022-30115.patch
Normal file
@ -0,0 +1,273 @@
|
|||||||
|
From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 08:13:54 +0200
|
||||||
|
Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots
|
||||||
|
|
||||||
|
Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 ++
|
||||||
|
tests/data/test440 | 72 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test441 | 72 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
3 files changed, 146 insertions(+)
|
||||||
|
create mode 100644 tests/data/test440
|
||||||
|
create mode 100644 tests/data/test441
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 175fc43..a5b8dc2 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -72,6 +72,8 @@ test409 test410 \
|
||||||
|
\
|
||||||
|
test430 test431 test432 test433 test434 test435 test436 \
|
||||||
|
\
|
||||||
|
+test440 test441 \
|
||||||
|
+\
|
||||||
|
test490 test491 test492 test493 test494 \
|
||||||
|
\
|
||||||
|
test500 test501 test502 test503 test504 test505 test506 test507 test508 \
|
||||||
|
diff --git a/tests/data/test440 b/tests/data/test440
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..c640b02
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test440
|
||||||
|
@@ -0,0 +1,72 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+HSTS
|
||||||
|
+trailing-dot
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+<reply>
|
||||||
|
+
|
||||||
|
+# we use this as response to a CONNECT
|
||||||
|
+<connect nocheck="yes">
|
||||||
|
+HTTP/1.1 403 not OK at all
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 6
|
||||||
|
+Connection: close
|
||||||
|
+Funny-head: yesyes
|
||||||
|
+
|
||||||
|
+-foo-
|
||||||
|
+</connect>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+<features>
|
||||||
|
+HSTS
|
||||||
|
+proxy
|
||||||
|
+https
|
||||||
|
+</features>
|
||||||
|
+
|
||||||
|
+# no trailing dot in the file only in the URL
|
||||||
|
+<file name="log/input%TESTNUMBER">
|
||||||
|
+this.hsts.example "99991001 04:47:41"
|
||||||
|
+</file>
|
||||||
|
+
|
||||||
|
+<name>
|
||||||
|
+HSTS with trailing-dot host name in URL but none in hsts file
|
||||||
|
+</name>
|
||||||
|
+<command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+<verify>
|
||||||
|
+# we let it CONNECT to the server to confirm HSTS but deny from there
|
||||||
|
+<protocol>
|
||||||
|
+CONNECT this.hsts.example.:443 HTTP/1.1
|
||||||
|
+Host: this.hsts.example.:443
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+<stdout>
|
||||||
|
+HTTP/1.1 403 not OK at all
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 6
|
||||||
|
+Connection: close
|
||||||
|
+Funny-head: yesyes
|
||||||
|
+
|
||||||
|
+https://this.hsts.example./%TESTNUMBER
|
||||||
|
+</stdout>
|
||||||
|
+# Proxy CONNECT aborted
|
||||||
|
+<errorcode>
|
||||||
|
+56
|
||||||
|
+</errorcode>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test441 b/tests/data/test441
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..7f5245b
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test441
|
||||||
|
@@ -0,0 +1,72 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+HSTS
|
||||||
|
+trailing-dot
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+<reply>
|
||||||
|
+
|
||||||
|
+# we use this as response to a CONNECT
|
||||||
|
+<connect nocheck="yes">
|
||||||
|
+HTTP/1.1 403 not OK at all
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 6
|
||||||
|
+Connection: close
|
||||||
|
+Funny-head: yesyes
|
||||||
|
+
|
||||||
|
+-foo-
|
||||||
|
+</connect>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+<features>
|
||||||
|
+HSTS
|
||||||
|
+proxy
|
||||||
|
+https
|
||||||
|
+</features>
|
||||||
|
+
|
||||||
|
+# no trailing dot in the file only in the URL
|
||||||
|
+<file name="log/input%TESTNUMBER">
|
||||||
|
+this.hsts.example. "99991001 04:47:41"
|
||||||
|
+</file>
|
||||||
|
+
|
||||||
|
+<name>
|
||||||
|
+HSTS with no t-dot host name in URL but t-dot in file
|
||||||
|
+</name>
|
||||||
|
+<command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+<verify>
|
||||||
|
+# we let it CONNECT to the server to confirm HSTS but deny from there
|
||||||
|
+<protocol>
|
||||||
|
+CONNECT this.hsts.example:443 HTTP/1.1
|
||||||
|
+Host: this.hsts.example:443
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+<stdout>
|
||||||
|
+HTTP/1.1 403 not OK at all
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 6
|
||||||
|
+Connection: close
|
||||||
|
+Funny-head: yesyes
|
||||||
|
+
|
||||||
|
+https://this.hsts.example/%TESTNUMBER
|
||||||
|
+</stdout>
|
||||||
|
+# Proxy CONNECT aborted
|
||||||
|
+<errorcode>
|
||||||
|
+56
|
||||||
|
+</errorcode>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 08:13:55 +0200
|
||||||
|
Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names
|
||||||
|
|
||||||
|
CVE-2022-30115
|
||||||
|
|
||||||
|
Reported-by: Axel Chong
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-30115.html
|
||||||
|
Closes #8821
|
||||||
|
|
||||||
|
Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/hsts.c | 30 +++++++++++++++++++++++++-----
|
||||||
|
1 file changed, 25 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/hsts.c b/lib/hsts.c
|
||||||
|
index 03fcc9e..b9fa6f7 100644
|
||||||
|
--- a/lib/hsts.c
|
||||||
|
+++ b/lib/hsts.c
|
||||||
|
@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
|
||||||
|
curl_off_t expires)
|
||||||
|
{
|
||||||
|
struct stsentry *sts = hsts_entry();
|
||||||
|
+ char *duphost;
|
||||||
|
+ size_t hlen;
|
||||||
|
if(!sts)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
- sts->expires = expires;
|
||||||
|
- sts->includeSubDomains = subdomains;
|
||||||
|
- sts->host = strdup(hostname);
|
||||||
|
- if(!sts->host) {
|
||||||
|
+ duphost = strdup(hostname);
|
||||||
|
+ if(!duphost) {
|
||||||
|
free(sts);
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ hlen = strlen(duphost);
|
||||||
|
+ if(duphost[hlen - 1] == '.')
|
||||||
|
+ /* strip off trailing any dot */
|
||||||
|
+ duphost[--hlen] = 0;
|
||||||
|
+
|
||||||
|
+ sts->host = duphost;
|
||||||
|
+ sts->expires = expires;
|
||||||
|
+ sts->includeSubDomains = subdomains;
|
||||||
|
Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
|
||||||
|
bool subdomain)
|
||||||
|
{
|
||||||
|
if(h) {
|
||||||
|
+ char buffer[MAX_HSTS_HOSTLEN + 1];
|
||||||
|
time_t now = time(NULL);
|
||||||
|
size_t hlen = strlen(hostname);
|
||||||
|
struct Curl_llist_element *e;
|
||||||
|
struct Curl_llist_element *n;
|
||||||
|
+
|
||||||
|
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
|
||||||
|
+ return NULL;
|
||||||
|
+ memcpy(buffer, hostname, hlen);
|
||||||
|
+ if(hostname[hlen-1] == '.')
|
||||||
|
+ /* remove the trailing dot */
|
||||||
|
+ --hlen;
|
||||||
|
+ buffer[hlen] = 0;
|
||||||
|
+ hostname = buffer;
|
||||||
|
+
|
||||||
|
for(e = h->list.head; e; e = n) {
|
||||||
|
struct stsentry *sts = e->ptr;
|
||||||
|
n = e->next;
|
||||||
|
@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
|
||||||
|
CURLSTScode sc;
|
||||||
|
DEBUGASSERT(h);
|
||||||
|
do {
|
||||||
|
- char buffer[257];
|
||||||
|
+ char buffer[MAX_HSTS_HOSTLEN + 1];
|
||||||
|
struct curl_hstsentry e;
|
||||||
|
e.name = buffer;
|
||||||
|
e.namelen = sizeof(buffer)-1;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
144
0008-curl-7.82.0-CVE-2022-27779.patch
Normal file
144
0008-curl-7.82.0-CVE-2022-27779.patch
Normal file
@ -0,0 +1,144 @@
|
|||||||
|
From 755d4386dabf1b29dd8c44a3505567eeed9a5b99 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 16:47:06 +0200
|
||||||
|
Subject: [PATCH 1/2] test977: reproduce ability to set cookie on TLD
|
||||||
|
|
||||||
|
When PSL is not enabled
|
||||||
|
|
||||||
|
Upstream-commit: f8cb6c610a8e1576f1f615918a8b0a8fbd0e4e85
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test977 | 60 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 61 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test977
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index a5b8dc2..98d5516 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -121,7 +121,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
||||||
|
test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||||||
|
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||||||
|
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||||||
|
-test972 test973 test974 test975 test976 \
|
||||||
|
+test972 test973 test974 test975 test976 test977 \
|
||||||
|
\
|
||||||
|
test980 test981 test982 test983 test984 test985 test986 \
|
||||||
|
\
|
||||||
|
diff --git a/tests/data/test977 b/tests/data/test977
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..11ff1b7
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test977
|
||||||
|
@@ -0,0 +1,60 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+cookies
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Set-Cookie: a=b; Domain=.me.;
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<features>
|
||||||
|
+proxy
|
||||||
|
+</features>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+URL with trailing dot and receiving a cookie for the TLD with dot
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.me. -c log/cookies%TESTNUMBER
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://firsthost.me./ HTTP/1.1
|
||||||
|
+Host: firsthost.me.
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+<file name="log/cookies%TESTNUMBER" mode="text">
|
||||||
|
+# Netscape HTTP Cookie File
|
||||||
|
+# https://curl.se/docs/http-cookies.html
|
||||||
|
+# This file was generated by libcurl! Edit at your own risk.
|
||||||
|
+
|
||||||
|
+</file>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 49307bc15142cda9a7f4eff4cdb82111344d865a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 16:47:06 +0200
|
||||||
|
Subject: [PATCH 2/2] cookies: make bad_domain() not consider a trailing dot
|
||||||
|
fine
|
||||||
|
|
||||||
|
The check for a dot in the domain must not consider a single trailing
|
||||||
|
dot to be fine, as then TLD + trailing dot is fine and curl will accept
|
||||||
|
setting cookies for it.
|
||||||
|
|
||||||
|
CVE-2022-27779
|
||||||
|
|
||||||
|
Reported-by: Axel Chong
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27779.html
|
||||||
|
Closes #8820
|
||||||
|
|
||||||
|
Upstream-commit: 7e92d12b4e6911f424678a133b19de670e183a59
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/cookie.c | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||||
|
index d418efa..1b8c8f9 100644
|
||||||
|
--- a/lib/cookie.c
|
||||||
|
+++ b/lib/cookie.c
|
||||||
|
@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
|
||||||
|
/* Make sure domain contains a dot or is localhost. */
|
||||||
|
static bool bad_domain(const char *domain)
|
||||||
|
{
|
||||||
|
- return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
|
||||||
|
+ if(strcasecompare(domain, "localhost"))
|
||||||
|
+ return FALSE;
|
||||||
|
+ else {
|
||||||
|
+ /* there must be a dot present, but that dot must not be a trailing dot */
|
||||||
|
+ char *dot = strchr(domain, '.');
|
||||||
|
+ if(dot)
|
||||||
|
+ return dot[1] ? FALSE : TRUE;
|
||||||
|
+ }
|
||||||
|
+ return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
659
0009-curl-7.82.0-CVE-2022-27782.patch
Normal file
659
0009-curl-7.82.0-CVE-2022-27782.patch
Normal file
@ -0,0 +1,659 @@
|
|||||||
|
From 505c04ea93c3db64747e0f776c531e5d63a5acfe Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jay Satiro <raysatiro@yahoo.com>
|
||||||
|
Date: Thu, 17 Mar 2022 15:31:10 -0400
|
||||||
|
Subject: [PATCH 1/3] gtls: fix build for disabled TLS-SRP
|
||||||
|
|
||||||
|
Prior to this change if, at build time, the GnuTLS backend was found to
|
||||||
|
have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
|
||||||
|
via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
|
||||||
|
|
||||||
|
Bug: https://curl.se/mail/lib-2022-03/0046.html
|
||||||
|
Reported-by: Robert Brose
|
||||||
|
|
||||||
|
Closes https://github.com/curl/curl/pull/8604
|
||||||
|
|
||||||
|
Upstream-commit: 8b1cae63b77ecfbdb372b5fafb0eb4c273ec887a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/gtls.c | 26 +++++++++++++++++---------
|
||||||
|
1 file changed, 17 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||||
|
index 5749376..bc8ef68 100644
|
||||||
|
--- a/lib/vtls/gtls.c
|
||||||
|
+++ b/lib/vtls/gtls.c
|
||||||
|
@@ -55,6 +55,14 @@
|
||||||
|
/* The last #include file should be: */
|
||||||
|
#include "memdebug.h"
|
||||||
|
|
||||||
|
+#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+/* the function exists */
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+/* the functionality is not disabled */
|
||||||
|
+#define USE_GNUTLS_SRP
|
||||||
|
+#endif
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* Enable GnuTLS debugging by defining GTLSDEBUG */
|
||||||
|
/*#define GTLSDEBUG */
|
||||||
|
|
||||||
|
@@ -75,7 +83,7 @@ static bool gtls_inited = FALSE;
|
||||||
|
struct ssl_backend_data {
|
||||||
|
gnutls_session_t session;
|
||||||
|
gnutls_certificate_credentials_t cred;
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
gnutls_srp_client_credentials_t srp_client_cred;
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
@@ -436,7 +444,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
return CURLE_SSL_CONNECT_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
|
||||||
|
|
||||||
|
@@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
/* Only add SRP to the cipher list if SRP is requested. Otherwise
|
||||||
|
* GnuTLS will disable TLS 1.3 support. */
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
@@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
#endif
|
||||||
|
infof(data, "GnuTLS ciphers: %s", prioritylist);
|
||||||
|
rc = gnutls_priority_set_direct(session, prioritylist, &err);
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
/* put the credentials to the current session */
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
|
||||||
|
@@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||||
|
if(SSL_CONN_CONFIG(verifypeer) ||
|
||||||
|
SSL_CONN_CONFIG(verifyhost) ||
|
||||||
|
SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
&& SSL_SET_OPTION(username) != NULL
|
||||||
|
&& !SSL_CONN_CONFIG(verifypeer)
|
||||||
|
@@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||||
|
failf(data, "failed to get server cert");
|
||||||
|
*certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
|
||||||
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
@@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl)
|
||||||
|
gnutls_certificate_free_credentials(backend->cred);
|
||||||
|
backend->cred = NULL;
|
||||||
|
}
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
if(backend->srp_client_cred) {
|
||||||
|
gnutls_srp_free_client_credentials(backend->srp_client_cred);
|
||||||
|
backend->srp_client_cred = NULL;
|
||||||
|
@@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
}
|
||||||
|
gnutls_certificate_free_credentials(backend->cred);
|
||||||
|
|
||||||
|
-#ifdef HAVE_GNUTLS_SRP
|
||||||
|
+#ifdef USE_GNUTLS_SRP
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
&& SSL_SET_OPTION(username) != NULL)
|
||||||
|
gnutls_srp_free_client_credentials(backend->srp_client_cred);
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
||||||
|
|
||||||
|
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||||||
|
Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
|
||||||
|
|
||||||
|
CVE-2022-27782
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27782.html
|
||||||
|
Closes #8825
|
||||||
|
|
||||||
|
Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/setopt.c | 29 +++++++++++++++++------------
|
||||||
|
lib/url.c | 23 ++++++++++++++++-------
|
||||||
|
lib/urldata.h | 13 +++++++------
|
||||||
|
lib/vtls/gtls.c | 32 +++++++++++++++++---------------
|
||||||
|
lib/vtls/mbedtls.c | 2 +-
|
||||||
|
lib/vtls/nss.c | 6 +++---
|
||||||
|
lib/vtls/openssl.c | 10 +++++-----
|
||||||
|
lib/vtls/vtls.c | 21 +++++++++++++++++++++
|
||||||
|
8 files changed, 87 insertions(+), 49 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
|
index 8e1bf12..7aa6fdb 100644
|
||||||
|
--- a/lib/setopt.c
|
||||||
|
+++ b/lib/setopt.c
|
||||||
|
@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||||
|
|
||||||
|
case CURLOPT_SSL_OPTIONS:
|
||||||
|
arg = va_arg(param, long);
|
||||||
|
+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
||||||
|
data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
|
||||||
|
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||||
|
data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||||||
|
@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_SSL_OPTIONS:
|
||||||
|
arg = va_arg(param, long);
|
||||||
|
+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
||||||
|
data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST);
|
||||||
|
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||||
|
data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||||||
|
@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||||
|
case CURLOPT_TLSAUTH_USERNAME:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
|
||||||
|
va_arg(param, char *));
|
||||||
|
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
|
||||||
|
+ !data->set.ssl.primary.authtype)
|
||||||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
||||||
|
- !data->set.proxy_ssl.authtype)
|
||||||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
+ !data->set.proxy_ssl.primary.authtype)
|
||||||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
|
||||||
|
+ SRP */
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
case CURLOPT_TLSAUTH_PASSWORD:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
||||||
|
va_arg(param, char *));
|
||||||
|
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
|
||||||
|
+ !data->set.ssl.primary.authtype)
|
||||||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
||||||
|
break;
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
||||||
|
- !data->set.proxy_ssl.authtype)
|
||||||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
+ !data->set.proxy_ssl.primary.authtype)
|
||||||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
case CURLOPT_TLSAUTH_TYPE:
|
||||||
|
argptr = va_arg(param, char *);
|
||||||
|
if(!argptr ||
|
||||||
|
strncasecompare(argptr, "SRP", strlen("SRP")))
|
||||||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
else
|
||||||
|
- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
break;
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_TYPE:
|
||||||
|
argptr = va_arg(param, char *);
|
||||||
|
if(!argptr ||
|
||||||
|
strncasecompare(argptr, "SRP", strlen("SRP")))
|
||||||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
else
|
||||||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index 94e3406..5ebf5e2 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||||
|
set->ssl.primary.verifypeer = TRUE;
|
||||||
|
set->ssl.primary.verifyhost = TRUE;
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
- set->ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
#endif
|
||||||
|
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
|
||||||
|
type */
|
||||||
|
@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
|
||||||
|
conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
|
||||||
|
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
|
||||||
|
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
|
||||||
|
+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+#endif
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
conn->proxy_ssl_config.verifystatus =
|
||||||
|
data->set.proxy_ssl.primary.verifystatus;
|
||||||
|
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
|
||||||
|
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
|
||||||
|
+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+#endif
|
||||||
|
#endif
|
||||||
|
conn->ip_version = data->set.ipver;
|
||||||
|
conn->bits.connect_only = data->set.connect_only;
|
||||||
|
@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||||
|
data->set.proxy_ssl.primary.issuercert_blob =
|
||||||
|
data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
|
||||||
|
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
|
+ data->set.proxy_ssl.primary.CRLfile =
|
||||||
|
+ data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
|
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
||||||
|
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
||||||
|
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
|
||||||
|
@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
|
||||||
|
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
||||||
|
#endif
|
||||||
|
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
|
+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
|
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||||||
|
data->set.ssl.key = data->set.str[STRING_KEY];
|
||||||
|
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
|
||||||
|
data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
|
||||||
|
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||||
|
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||||
|
+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||||
|
+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||||||
|
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||||
|
+ data->set.proxy_ssl.primary.username =
|
||||||
|
+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||||||
|
+ data->set.proxy_ssl.primary.password =
|
||||||
|
+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 5218f76..e006495 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -253,10 +253,17 @@ struct ssl_primary_config {
|
||||||
|
char *cipher_list; /* list of ciphers to use */
|
||||||
|
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
||||||
|
char *pinned_key;
|
||||||
|
+ char *CRLfile; /* CRL to check certificate revocation */
|
||||||
|
struct curl_blob *cert_blob;
|
||||||
|
struct curl_blob *ca_info_blob;
|
||||||
|
struct curl_blob *issuercert_blob;
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ char *username; /* TLS username (for, e.g., SRP) */
|
||||||
|
+ char *password; /* TLS password (for, e.g., SRP) */
|
||||||
|
+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||||||
|
+#endif
|
||||||
|
char *curves; /* list of curves to use */
|
||||||
|
+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
|
||||||
|
BIT(verifypeer); /* set TRUE if this is desired */
|
||||||
|
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
|
||||||
|
BIT(verifystatus); /* set TRUE if certificate status must be checked */
|
||||||
|
@@ -266,7 +273,6 @@ struct ssl_primary_config {
|
||||||
|
struct ssl_config_data {
|
||||||
|
struct ssl_primary_config primary;
|
||||||
|
long certverifyresult; /* result from the certificate verification */
|
||||||
|
- char *CRLfile; /* CRL to check certificate revocation */
|
||||||
|
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
||||||
|
void *fsslctxp; /* parameter for call back */
|
||||||
|
char *cert_type; /* format for certificate (default: PEM)*/
|
||||||
|
@@ -274,11 +280,6 @@ struct ssl_config_data {
|
||||||
|
struct curl_blob *key_blob;
|
||||||
|
char *key_type; /* format for private key (default: PEM) */
|
||||||
|
char *key_passwd; /* plain text private key password */
|
||||||
|
-#ifdef USE_TLS_SRP
|
||||||
|
- char *username; /* TLS username (for, e.g., SRP) */
|
||||||
|
- char *password; /* TLS password (for, e.g., SRP) */
|
||||||
|
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||||||
|
-#endif
|
||||||
|
BIT(certinfo); /* gather lots of certificate info */
|
||||||
|
BIT(falsestart);
|
||||||
|
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
|
||||||
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||||
|
index 5749376..ec6be16 100644
|
||||||
|
--- a/lib/vtls/gtls.c
|
||||||
|
+++ b/lib/vtls/gtls.c
|
||||||
|
@@ -445,8 +445,9 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef USE_GNUTLS_SRP
|
||||||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
|
||||||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
+ infof(data, "Using TLS-SRP username: %s",
|
||||||
|
+ SSL_SET_OPTION(primary.username));
|
||||||
|
|
||||||
|
rc = gnutls_srp_allocate_client_credentials(
|
||||||
|
&backend->srp_client_cred);
|
||||||
|
@@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
|
||||||
|
rc = gnutls_srp_set_client_credentials(backend->srp_client_cred,
|
||||||
|
- SSL_SET_OPTION(username),
|
||||||
|
- SSL_SET_OPTION(password));
|
||||||
|
+ SSL_SET_OPTION(primary.username),
|
||||||
|
+ SSL_SET_OPTION(primary.password));
|
||||||
|
if(rc != GNUTLS_E_SUCCESS) {
|
||||||
|
failf(data, "gnutls_srp_set_client_cred() failed: %s",
|
||||||
|
gnutls_strerror(rc));
|
||||||
|
@@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if(SSL_SET_OPTION(CRLfile)) {
|
||||||
|
+ if(SSL_SET_OPTION(primary.CRLfile)) {
|
||||||
|
/* set the CRL list file */
|
||||||
|
rc = gnutls_certificate_set_x509_crl_file(backend->cred,
|
||||||
|
- SSL_SET_OPTION(CRLfile),
|
||||||
|
+ SSL_SET_OPTION(primary.CRLfile),
|
||||||
|
GNUTLS_X509_FMT_PEM);
|
||||||
|
if(rc < 0) {
|
||||||
|
failf(data, "error reading crl file %s (%s)",
|
||||||
|
- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc));
|
||||||
|
+ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc));
|
||||||
|
return CURLE_SSL_CRL_BADFILE;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
infof(data, "found %d CRL in %s",
|
||||||
|
- rc, SSL_SET_OPTION(CRLfile));
|
||||||
|
+ rc, SSL_SET_OPTION(primary.CRLfile));
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Initialize TLS session as a client */
|
||||||
|
@@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
#ifdef USE_GNUTLS_SRP
|
||||||
|
/* Only add SRP to the cipher list if SRP is requested. Otherwise
|
||||||
|
* GnuTLS will disable TLS 1.3 support. */
|
||||||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
size_t len = strlen(prioritylist);
|
||||||
|
|
||||||
|
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
|
||||||
|
@@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data,
|
||||||
|
|
||||||
|
#ifdef USE_GNUTLS_SRP
|
||||||
|
/* put the credentials to the current session */
|
||||||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) {
|
||||||
|
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
|
||||||
|
backend->srp_client_cred);
|
||||||
|
if(rc != GNUTLS_E_SUCCESS) {
|
||||||
|
@@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||||
|
SSL_CONN_CONFIG(verifyhost) ||
|
||||||
|
SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
#ifdef USE_GNUTLS_SRP
|
||||||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
- && SSL_SET_OPTION(username) != NULL
|
||||||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
|
||||||
|
+ && SSL_SET_OPTION(primary.username) != NULL
|
||||||
|
&& !SSL_CONN_CONFIG(verifypeer)
|
||||||
|
&& gnutls_cipher_get(session)) {
|
||||||
|
/* no peer cert, but auth is ok if we have SRP user and cipher and no
|
||||||
|
@@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
|
||||||
|
failf(data, "server certificate verification failed. CAfile: %s "
|
||||||
|
"CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
|
||||||
|
"none",
|
||||||
|
- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none");
|
||||||
|
+ SSL_SET_OPTION(primary.CRLfile) ?
|
||||||
|
+ SSL_SET_OPTION(primary.CRLfile) : "none");
|
||||||
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
gnutls_certificate_free_credentials(backend->cred);
|
||||||
|
|
||||||
|
#ifdef USE_GNUTLS_SRP
|
||||||
|
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
- && SSL_SET_OPTION(username) != NULL)
|
||||||
|
+ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP
|
||||||
|
+ && SSL_SET_OPTION(primary.username) != NULL)
|
||||||
|
gnutls_srp_free_client_credentials(backend->srp_client_cred);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
|
||||||
|
index b9fd26a..bd4ad8f 100644
|
||||||
|
--- a/lib/vtls/mbedtls.c
|
||||||
|
+++ b/lib/vtls/mbedtls.c
|
||||||
|
@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
|
||||||
|
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
|
||||||
|
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
|
||||||
|
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
|
||||||
|
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
|
||||||
|
const char * const hostname = SSL_HOST_NAME();
|
||||||
|
#ifndef CURL_DISABLE_VERBOSE_STRINGS
|
||||||
|
const long int port = SSL_HOST_PORT();
|
||||||
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||||
|
index 558e3be..892e7d8 100644
|
||||||
|
--- a/lib/vtls/nss.c
|
||||||
|
+++ b/lib/vtls/nss.c
|
||||||
|
@@ -2027,13 +2027,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if(SSL_SET_OPTION(CRLfile)) {
|
||||||
|
- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile));
|
||||||
|
+ if(SSL_SET_OPTION(primary.CRLfile)) {
|
||||||
|
+ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile));
|
||||||
|
if(rv) {
|
||||||
|
result = rv;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile));
|
||||||
|
+ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile));
|
||||||
|
}
|
||||||
|
|
||||||
|
if(SSL_SET_OPTION(primary.clientcert)) {
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 97c5666..a4ef9d1 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -2633,7 +2633,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||||||
|
#endif
|
||||||
|
const long int ssl_version = SSL_CONN_CONFIG(version);
|
||||||
|
#ifdef USE_OPENSSL_SRP
|
||||||
|
- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
|
||||||
|
+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
|
||||||
|
#endif
|
||||||
|
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
|
||||||
|
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
|
||||||
|
@@ -2644,7 +2644,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||||||
|
(ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
|
||||||
|
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
|
||||||
|
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
|
||||||
|
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
|
||||||
|
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
|
||||||
|
char error_buffer[256];
|
||||||
|
struct ssl_backend_data *backend = connssl->backend;
|
||||||
|
bool imported_native_ca = false;
|
||||||
|
@@ -2896,15 +2896,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||||||
|
#ifdef USE_OPENSSL_SRP
|
||||||
|
if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
||||||
|
Curl_allow_auth_to_host(data)) {
|
||||||
|
- char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
|
-
|
||||||
|
+ char * const ssl_username = SSL_SET_OPTION(primary.username);
|
||||||
|
+ char * const ssl_password = SSL_SET_OPTION(primary.password);
|
||||||
|
infof(data, "Using TLS-SRP username: %s", ssl_username);
|
||||||
|
|
||||||
|
if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
|
||||||
|
failf(data, "Unable to set SRP user name");
|
||||||
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||||
|
}
|
||||||
|
- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
|
||||||
|
+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
|
||||||
|
failf(data, "failed setting SRP password");
|
||||||
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||||
|
}
|
||||||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
|
index a40ac06..e2d3438 100644
|
||||||
|
--- a/lib/vtls/vtls.c
|
||||||
|
+++ b/lib/vtls/vtls.c
|
||||||
|
@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
{
|
||||||
|
if((data->version == needle->version) &&
|
||||||
|
(data->version_max == needle->version_max) &&
|
||||||
|
+ (data->ssl_options == needle->ssl_options) &&
|
||||||
|
(data->verifypeer == needle->verifypeer) &&
|
||||||
|
(data->verifyhost == needle->verifyhost) &&
|
||||||
|
(data->verifystatus == needle->verifystatus) &&
|
||||||
|
@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
Curl_safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
Curl_safecmp(data->random_file, needle->random_file) &&
|
||||||
|
Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ Curl_safecmp(data->username, needle->username) &&
|
||||||
|
+ Curl_safecmp(data->password, needle->password) &&
|
||||||
|
+ (data->authtype == needle->authtype) &&
|
||||||
|
+#endif
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
||||||
|
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
||||||
|
+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
|
||||||
|
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||||
|
dest->verifyhost = source->verifyhost;
|
||||||
|
dest->verifystatus = source->verifystatus;
|
||||||
|
dest->sessionid = source->sessionid;
|
||||||
|
+ dest->ssl_options = source->ssl_options;
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ dest->authtype = source->authtype;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
CLONE_BLOB(cert_blob);
|
||||||
|
CLONE_BLOB(ca_info_blob);
|
||||||
|
@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||||
|
CLONE_STRING(cipher_list13);
|
||||||
|
CLONE_STRING(pinned_key);
|
||||||
|
CLONE_STRING(curves);
|
||||||
|
+ CLONE_STRING(CRLfile);
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ CLONE_STRING(username);
|
||||||
|
+ CLONE_STRING(password);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
||||||
|
Curl_safefree(sslc->ca_info_blob);
|
||||||
|
Curl_safefree(sslc->issuercert_blob);
|
||||||
|
Curl_safefree(sslc->curves);
|
||||||
|
+ Curl_safefree(sslc->CRLfile);
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ Curl_safefree(sslc->username);
|
||||||
|
+ Curl_safefree(sslc->password);
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef USE_SSL
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||||||
|
Subject: [PATCH 3/3] url: check SSH config match on connection reuse
|
||||||
|
|
||||||
|
CVE-2022-27782
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27782.html
|
||||||
|
Closes #8825
|
||||||
|
|
||||||
|
Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 11 +++++++++++
|
||||||
|
lib/vssh/ssh.h | 6 +++---
|
||||||
|
2 files changed, 14 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index 5ebf5e2..c713e54 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool ssh_config_matches(struct connectdata *one,
|
||||||
|
+ struct connectdata *two)
|
||||||
|
+{
|
||||||
|
+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
|
||||||
|
+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
|
||||||
|
+}
|
||||||
|
/*
|
||||||
|
* Given one filled in connection struct (named needle), this function should
|
||||||
|
* detect if there already is one that has all the significant details
|
||||||
|
@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data,
|
||||||
|
(data->state.httpwant < CURL_HTTP_VERSION_2_0))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
|
||||||
|
+ if(!ssh_config_matches(needle, check))
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if((needle->handler->flags&PROTOPT_SSL)
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
|| !needle->bits.httpproxy || needle->bits.tunnel_proxy
|
||||||
|
diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
|
||||||
|
index 7972081..30d82e5 100644
|
||||||
|
--- a/lib/vssh/ssh.h
|
||||||
|
+++ b/lib/vssh/ssh.h
|
||||||
|
@@ -7,7 +7,7 @@
|
||||||
|
* | (__| |_| | _ <| |___
|
||||||
|
* \___|\___/|_| \_\_____|
|
||||||
|
*
|
||||||
|
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
*
|
||||||
|
* This software is licensed as described in the file COPYING, which
|
||||||
|
* you should have received as part of this distribution. The terms
|
||||||
|
@@ -131,8 +131,8 @@ struct ssh_conn {
|
||||||
|
|
||||||
|
/* common */
|
||||||
|
const char *passphrase; /* pass-phrase to use */
|
||||||
|
- char *rsa_pub; /* path name */
|
||||||
|
- char *rsa; /* path name */
|
||||||
|
+ char *rsa_pub; /* strdup'ed public key file */
|
||||||
|
+ char *rsa; /* strdup'ed private key file */
|
||||||
|
bool authed; /* the connection has been authenticated fine */
|
||||||
|
bool acceptfail; /* used by the SFTP_QUOTE (continue if
|
||||||
|
quote command fails) */
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
70
0010-curl-7.82.0-CVE-2022-32208.patch
Normal file
70
0010-curl-7.82.0-CVE-2022-32208.patch
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 9 Jun 2022 09:27:24 +0200
|
||||||
|
Subject: [PATCH] krb5: return error properly on decode errors
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-32208.html
|
||||||
|
CVE-2022-32208
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #9051
|
||||||
|
|
||||||
|
Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/krb5.c | 18 +++++++++++-------
|
||||||
|
1 file changed, 11 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/krb5.c b/lib/krb5.c
|
||||||
|
index 787137c..6f9e1f7 100644
|
||||||
|
--- a/lib/krb5.c
|
||||||
|
+++ b/lib/krb5.c
|
||||||
|
@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
|
||||||
|
enc.value = buf;
|
||||||
|
enc.length = len;
|
||||||
|
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
|
||||||
|
- if(maj != GSS_S_COMPLETE) {
|
||||||
|
- if(len >= 4)
|
||||||
|
- strcpy(buf, "599 ");
|
||||||
|
+ if(maj != GSS_S_COMPLETE)
|
||||||
|
return -1;
|
||||||
|
- }
|
||||||
|
|
||||||
|
memcpy(buf, dec.value, dec.length);
|
||||||
|
len = curlx_uztosi(dec.length);
|
||||||
|
@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
|
{
|
||||||
|
int len;
|
||||||
|
CURLcode result;
|
||||||
|
+ int nread;
|
||||||
|
|
||||||
|
result = socket_read(fd, &len, sizeof(len));
|
||||||
|
if(result)
|
||||||
|
@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
|
if(len) {
|
||||||
|
/* only realloc if there was a length */
|
||||||
|
len = ntohl(len);
|
||||||
|
- buf->data = Curl_saferealloc(buf->data, len);
|
||||||
|
+ if(len > CURL_MAX_INPUT_LENGTH)
|
||||||
|
+ len = 0;
|
||||||
|
+ else
|
||||||
|
+ buf->data = Curl_saferealloc(buf->data, len);
|
||||||
|
}
|
||||||
|
if(!len || !buf->data)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
|
result = socket_read(fd, buf->data, len);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
|
||||||
|
- conn->data_prot, conn);
|
||||||
|
+ nread = conn->mech->decode(conn->app_data, buf->data, len,
|
||||||
|
+ conn->data_prot, conn);
|
||||||
|
+ if(nread < 0)
|
||||||
|
+ return CURLE_RECV_ERROR;
|
||||||
|
+ buf->size = (size_t)nread;
|
||||||
|
buf->index = 0;
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
144
0011-curl-7.82.0-CVE-2022-32206.patch
Normal file
144
0011-curl-7.82.0-CVE-2022-32206.patch
Normal file
@ -0,0 +1,144 @@
|
|||||||
|
From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 16 May 2022 16:28:13 +0200
|
||||||
|
Subject: [PATCH 1/2] content_encoding: return error on too many compression
|
||||||
|
steps
|
||||||
|
|
||||||
|
The max allowed steps is arbitrarily set to 5.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-32206.html
|
||||||
|
CVE-2022-32206
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #9049
|
||||||
|
|
||||||
|
Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/content_encoding.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
|
||||||
|
index c03637a..6f994b3 100644
|
||||||
|
--- a/lib/content_encoding.c
|
||||||
|
+++ b/lib/content_encoding.c
|
||||||
|
@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name,
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* allow no more than 5 "chained" compression steps */
|
||||||
|
+#define MAX_ENCODE_STACK 5
|
||||||
|
+
|
||||||
|
/* Set-up the unencoding stack from the Content-Encoding header value.
|
||||||
|
* See RFC 7231 section 3.1.2.2. */
|
||||||
|
CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
||||||
|
const char *enclist, int maybechunked)
|
||||||
|
{
|
||||||
|
struct SingleRequest *k = &data->req;
|
||||||
|
+ int counter = 0;
|
||||||
|
|
||||||
|
do {
|
||||||
|
const char *name;
|
||||||
|
@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
||||||
|
if(!encoding)
|
||||||
|
encoding = &error_encoding; /* Defer error at stack use. */
|
||||||
|
|
||||||
|
+ if(++counter >= MAX_ENCODE_STACK) {
|
||||||
|
+ failf(data, "Reject response due to %u content encodings",
|
||||||
|
+ counter);
|
||||||
|
+ return CURLE_BAD_CONTENT_ENCODING;
|
||||||
|
+ }
|
||||||
|
/* Stack the unencoding stage. */
|
||||||
|
writer = new_unencoding_writer(data, encoding, k->writer_stack);
|
||||||
|
if(!writer)
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
||||||
|
|
||||||
|
From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 16 May 2022 16:29:07 +0200
|
||||||
|
Subject: [PATCH 2/2] test387: verify rejection of compression chain attack
|
||||||
|
|
||||||
|
Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 54 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test387
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 98d5516..9b5f4fb 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -63,7 +63,7 @@ test352 test353 test354 test355 test356 test357 test358 test359 test360 \
|
||||||
|
test361 test362 test363 test364 test365 test366 test367 test368 test369 \
|
||||||
|
test370 test371 test372 test373 test374 \
|
||||||
|
\
|
||||||
|
-test380 test381 test383 test384 test385 test386 \
|
||||||
|
+test380 test381 test383 test384 test385 test386 test387 \
|
||||||
|
\
|
||||||
|
test392 test393 test394 test395 test396 test397 \
|
||||||
|
\
|
||||||
|
diff --git a/tests/data/test387 b/tests/data/test387
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..015ec25
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test387
|
||||||
|
@@ -0,0 +1,53 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+gzip
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data nocheck="yes">
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip
|
||||||
|
+
|
||||||
|
+-foo-
|
||||||
|
+</data>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+Response with overly long compression chain
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET /%TESTNUMBER HTTP/1.1
|
||||||
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+
|
||||||
|
+# CURLE_BAD_CONTENT_ENCODING is 61
|
||||||
|
+<errorcode>
|
||||||
|
+61
|
||||||
|
+</errorcode>
|
||||||
|
+<stderr mode="text">
|
||||||
|
+curl: (61) Reject response due to 5 content encodings
|
||||||
|
+</stderr>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
740
0012-curl-7.82.0-CVE-2022-32205.patch
Normal file
740
0012-curl-7.82.0-CVE-2022-32205.patch
Normal file
File diff suppressed because one or more lines are too long
428
0013-curl-7.82.0-CVE-2022-32207.patch
Normal file
428
0013-curl-7.82.0-CVE-2022-32207.patch
Normal file
@ -0,0 +1,428 @@
|
|||||||
|
From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Wed, 25 May 2022 10:09:53 +0200
|
||||||
|
Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-32207.html
|
||||||
|
CVE-2022-32207
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #9050
|
||||||
|
|
||||||
|
Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
CMakeLists.txt | 1 +
|
||||||
|
configure.ac | 1 +
|
||||||
|
lib/Makefile.inc | 2 +
|
||||||
|
lib/cookie.c | 19 ++-----
|
||||||
|
lib/curl_config.h.cmake | 3 ++
|
||||||
|
lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++
|
||||||
|
lib/fopen.h | 30 +++++++++++
|
||||||
|
7 files changed, 154 insertions(+), 15 deletions(-)
|
||||||
|
create mode 100644 lib/fopen.c
|
||||||
|
create mode 100644 lib/fopen.h
|
||||||
|
|
||||||
|
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||||
|
index b77de6d..a0bfaad 100644
|
||||||
|
--- a/CMakeLists.txt
|
||||||
|
+++ b/CMakeLists.txt
|
||||||
|
@@ -1027,6 +1027,7 @@ elseif(HAVE_LIBSOCKET)
|
||||||
|
set(CMAKE_REQUIRED_LIBRARIES socket)
|
||||||
|
endif()
|
||||||
|
|
||||||
|
+check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
|
||||||
|
check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
|
||||||
|
check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
|
||||||
|
check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index d431870..7433bb9 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -3351,6 +3351,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
|
||||||
|
|
||||||
|
|
||||||
|
AC_CHECK_FUNCS([fnmatch \
|
||||||
|
+ fchmod \
|
||||||
|
geteuid \
|
||||||
|
getpass_r \
|
||||||
|
getppid \
|
||||||
|
diff --git a/lib/Makefile.inc b/lib/Makefile.inc
|
||||||
|
index e8f110f..5139b03 100644
|
||||||
|
--- a/lib/Makefile.inc
|
||||||
|
+++ b/lib/Makefile.inc
|
||||||
|
@@ -133,6 +133,7 @@ LIB_CFILES = \
|
||||||
|
escape.c \
|
||||||
|
file.c \
|
||||||
|
fileinfo.c \
|
||||||
|
+ fopen.c \
|
||||||
|
formdata.c \
|
||||||
|
ftp.c \
|
||||||
|
ftplistparser.c \
|
||||||
|
@@ -263,6 +264,7 @@ LIB_HFILES = \
|
||||||
|
escape.h \
|
||||||
|
file.h \
|
||||||
|
fileinfo.h \
|
||||||
|
+ fopen.h \
|
||||||
|
formdata.h \
|
||||||
|
ftp.h \
|
||||||
|
ftplistparser.h \
|
||||||
|
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||||
|
index 8a6aa1a..cb0c03b 100644
|
||||||
|
--- a/lib/cookie.c
|
||||||
|
+++ b/lib/cookie.c
|
||||||
|
@@ -96,8 +96,8 @@ Example set of cookies:
|
||||||
|
#include "curl_get_line.h"
|
||||||
|
#include "curl_memrchr.h"
|
||||||
|
#include "parsedate.h"
|
||||||
|
-#include "rand.h"
|
||||||
|
#include "rename.h"
|
||||||
|
+#include "fopen.h"
|
||||||
|
|
||||||
|
/* The last 3 #include files should be in this order */
|
||||||
|
#include "curl_printf.h"
|
||||||
|
@@ -1620,20 +1620,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
|
||||||
|
use_stdout = TRUE;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- unsigned char randsuffix[9];
|
||||||
|
-
|
||||||
|
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
|
||||||
|
- return 2;
|
||||||
|
-
|
||||||
|
- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
|
||||||
|
- if(!tempstore)
|
||||||
|
- return CURLE_OUT_OF_MEMORY;
|
||||||
|
-
|
||||||
|
- out = fopen(tempstore, FOPEN_WRITETEXT);
|
||||||
|
- if(!out) {
|
||||||
|
- error = CURLE_WRITE_ERROR;
|
||||||
|
+ error = Curl_fopen(data, filename, &out, &tempstore);
|
||||||
|
+ if(error)
|
||||||
|
goto error;
|
||||||
|
- }
|
||||||
|
}
|
||||||
|
|
||||||
|
fputs("# Netscape HTTP Cookie File\n"
|
||||||
|
@@ -1680,7 +1669,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
|
||||||
|
if(!use_stdout) {
|
||||||
|
fclose(out);
|
||||||
|
out = NULL;
|
||||||
|
- if(Curl_rename(tempstore, filename)) {
|
||||||
|
+ if(tempstore && Curl_rename(tempstore, filename)) {
|
||||||
|
unlink(tempstore);
|
||||||
|
error = CURLE_WRITE_ERROR;
|
||||||
|
goto error;
|
||||||
|
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
|
||||||
|
index d2a0f43..c254359 100644
|
||||||
|
--- a/lib/curl_config.h.cmake
|
||||||
|
+++ b/lib/curl_config.h.cmake
|
||||||
|
@@ -157,6 +157,9 @@
|
||||||
|
/* Define to 1 if you have the <assert.h> header file. */
|
||||||
|
#cmakedefine HAVE_ASSERT_H 1
|
||||||
|
|
||||||
|
+/* Define to 1 if you have the `fchmod' function. */
|
||||||
|
+#cmakedefine HAVE_FCHMOD 1
|
||||||
|
+
|
||||||
|
/* Define to 1 if you have the `basename' function. */
|
||||||
|
#cmakedefine HAVE_BASENAME 1
|
||||||
|
|
||||||
|
diff --git a/lib/fopen.c b/lib/fopen.c
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..ad3691b
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/lib/fopen.c
|
||||||
|
@@ -0,0 +1,113 @@
|
||||||
|
+/***************************************************************************
|
||||||
|
+ * _ _ ____ _
|
||||||
|
+ * Project ___| | | | _ \| |
|
||||||
|
+ * / __| | | | |_) | |
|
||||||
|
+ * | (__| |_| | _ <| |___
|
||||||
|
+ * \___|\___/|_| \_\_____|
|
||||||
|
+ *
|
||||||
|
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ *
|
||||||
|
+ * This software is licensed as described in the file COPYING, which
|
||||||
|
+ * you should have received as part of this distribution. The terms
|
||||||
|
+ * are also available at https://curl.se/docs/copyright.html.
|
||||||
|
+ *
|
||||||
|
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||||
|
+ * copies of the Software, and permit persons to whom the Software is
|
||||||
|
+ * furnished to do so, under the terms of the COPYING file.
|
||||||
|
+ *
|
||||||
|
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||||
|
+ * KIND, either express or implied.
|
||||||
|
+ *
|
||||||
|
+ * SPDX-License-Identifier: curl
|
||||||
|
+ *
|
||||||
|
+ ***************************************************************************/
|
||||||
|
+
|
||||||
|
+#include "curl_setup.h"
|
||||||
|
+
|
||||||
|
+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
|
||||||
|
+ !defined(CURL_DISABLE_HSTS)
|
||||||
|
+
|
||||||
|
+#ifdef HAVE_FCNTL_H
|
||||||
|
+#include <fcntl.h>
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+#include "urldata.h"
|
||||||
|
+#include "rand.h"
|
||||||
|
+#include "fopen.h"
|
||||||
|
+/* The last 3 #include files should be in this order */
|
||||||
|
+#include "curl_printf.h"
|
||||||
|
+#include "curl_memory.h"
|
||||||
|
+#include "memdebug.h"
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
|
||||||
|
+ * to the final name when completed. If there is an existing file using this
|
||||||
|
+ * name at the time of the open, this function will clone the mode from that
|
||||||
|
+ * file. if 'tempname' is non-NULL, it needs a rename after the file is
|
||||||
|
+ * written.
|
||||||
|
+ */
|
||||||
|
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
|
||||||
|
+ FILE **fh, char **tempname)
|
||||||
|
+{
|
||||||
|
+ CURLcode result = CURLE_WRITE_ERROR;
|
||||||
|
+ unsigned char randsuffix[9];
|
||||||
|
+ char *tempstore = NULL;
|
||||||
|
+ struct_stat sb;
|
||||||
|
+ int fd = -1;
|
||||||
|
+ *tempname = NULL;
|
||||||
|
+
|
||||||
|
+ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
|
||||||
|
+ /* a non-regular file, fallback to direct fopen() */
|
||||||
|
+ *fh = fopen(filename, FOPEN_WRITETEXT);
|
||||||
|
+ if(*fh)
|
||||||
|
+ return CURLE_OK;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
|
||||||
|
+ if(result)
|
||||||
|
+ goto fail;
|
||||||
|
+
|
||||||
|
+ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
|
||||||
|
+ if(!tempstore) {
|
||||||
|
+ result = CURLE_OUT_OF_MEMORY;
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ result = CURLE_WRITE_ERROR;
|
||||||
|
+ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
|
||||||
|
+ if(fd == -1)
|
||||||
|
+ goto fail;
|
||||||
|
+
|
||||||
|
+#ifdef HAVE_FCHMOD
|
||||||
|
+ {
|
||||||
|
+ struct_stat nsb;
|
||||||
|
+ if((fstat(fd, &nsb) != -1) &&
|
||||||
|
+ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
|
||||||
|
+ /* if the user and group are the same, clone the original mode */
|
||||||
|
+ if(fchmod(fd, sb.st_mode) == -1)
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ *fh = fdopen(fd, FOPEN_WRITETEXT);
|
||||||
|
+ if(!*fh)
|
||||||
|
+ goto fail;
|
||||||
|
+
|
||||||
|
+ *tempname = tempstore;
|
||||||
|
+ return CURLE_OK;
|
||||||
|
+
|
||||||
|
+fail:
|
||||||
|
+ if(fd != -1) {
|
||||||
|
+ close(fd);
|
||||||
|
+ unlink(tempstore);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(tempstore);
|
||||||
|
+
|
||||||
|
+ *tempname = NULL;
|
||||||
|
+ return result;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#endif /* ! disabled */
|
||||||
|
diff --git a/lib/fopen.h b/lib/fopen.h
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..289e55f
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/lib/fopen.h
|
||||||
|
@@ -0,0 +1,30 @@
|
||||||
|
+#ifndef HEADER_CURL_FOPEN_H
|
||||||
|
+#define HEADER_CURL_FOPEN_H
|
||||||
|
+/***************************************************************************
|
||||||
|
+ * _ _ ____ _
|
||||||
|
+ * Project ___| | | | _ \| |
|
||||||
|
+ * / __| | | | |_) | |
|
||||||
|
+ * | (__| |_| | _ <| |___
|
||||||
|
+ * \___|\___/|_| \_\_____|
|
||||||
|
+ *
|
||||||
|
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ *
|
||||||
|
+ * This software is licensed as described in the file COPYING, which
|
||||||
|
+ * you should have received as part of this distribution. The terms
|
||||||
|
+ * are also available at https://curl.se/docs/copyright.html.
|
||||||
|
+ *
|
||||||
|
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||||
|
+ * copies of the Software, and permit persons to whom the Software is
|
||||||
|
+ * furnished to do so, under the terms of the COPYING file.
|
||||||
|
+ *
|
||||||
|
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||||
|
+ * KIND, either express or implied.
|
||||||
|
+ *
|
||||||
|
+ * SPDX-License-Identifier: curl
|
||||||
|
+ *
|
||||||
|
+ ***************************************************************************/
|
||||||
|
+
|
||||||
|
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
|
||||||
|
+ FILE **fh, char **tempname);
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
||||||
|
|
||||||
|
From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Wed, 25 May 2022 10:09:53 +0200
|
||||||
|
Subject: [PATCH 2/3] altsvc: use Curl_fopen()
|
||||||
|
|
||||||
|
Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/altsvc.c | 22 ++++++----------------
|
||||||
|
1 file changed, 6 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/altsvc.c b/lib/altsvc.c
|
||||||
|
index 242733b..4dc4078 100644
|
||||||
|
--- a/lib/altsvc.c
|
||||||
|
+++ b/lib/altsvc.c
|
||||||
|
@@ -34,7 +34,7 @@
|
||||||
|
#include "parsedate.h"
|
||||||
|
#include "sendf.h"
|
||||||
|
#include "warnless.h"
|
||||||
|
-#include "rand.h"
|
||||||
|
+#include "fopen.h"
|
||||||
|
#include "rename.h"
|
||||||
|
|
||||||
|
/* The last 3 #include files should be in this order */
|
||||||
|
@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
|
||||||
|
struct Curl_llist_element *n;
|
||||||
|
CURLcode result = CURLE_OK;
|
||||||
|
FILE *out;
|
||||||
|
- char *tempstore;
|
||||||
|
- unsigned char randsuffix[9];
|
||||||
|
+ char *tempstore = NULL;
|
||||||
|
|
||||||
|
if(!altsvc)
|
||||||
|
/* no cache activated */
|
||||||
|
@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
|
||||||
|
/* marked as read-only, no file or zero length file name */
|
||||||
|
return CURLE_OK;
|
||||||
|
|
||||||
|
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
|
||||||
|
- return CURLE_FAILED_INIT;
|
||||||
|
-
|
||||||
|
- tempstore = aprintf("%s.%s.tmp", file, randsuffix);
|
||||||
|
- if(!tempstore)
|
||||||
|
- return CURLE_OUT_OF_MEMORY;
|
||||||
|
-
|
||||||
|
- out = fopen(tempstore, FOPEN_WRITETEXT);
|
||||||
|
- if(!out)
|
||||||
|
- result = CURLE_WRITE_ERROR;
|
||||||
|
- else {
|
||||||
|
+ result = Curl_fopen(data, file, &out, &tempstore);
|
||||||
|
+ if(!result) {
|
||||||
|
fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n"
|
||||||
|
"# This file was generated by libcurl! Edit at your own risk.\n",
|
||||||
|
out);
|
||||||
|
@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
fclose(out);
|
||||||
|
- if(!result && Curl_rename(tempstore, file))
|
||||||
|
+ if(!result && tempstore && Curl_rename(tempstore, file))
|
||||||
|
result = CURLE_WRITE_ERROR;
|
||||||
|
|
||||||
|
- if(result)
|
||||||
|
+ if(result && tempstore)
|
||||||
|
unlink(tempstore);
|
||||||
|
}
|
||||||
|
free(tempstore);
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
||||||
|
|
||||||
|
From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Wed, 25 May 2022 10:09:54 +0200
|
||||||
|
Subject: [PATCH 3/3] hsts: use Curl_fopen()
|
||||||
|
|
||||||
|
Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/hsts.c | 22 ++++++----------------
|
||||||
|
1 file changed, 6 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/hsts.c b/lib/hsts.c
|
||||||
|
index b9fa6f7..9d54c82 100644
|
||||||
|
--- a/lib/hsts.c
|
||||||
|
+++ b/lib/hsts.c
|
||||||
|
@@ -35,7 +35,7 @@
|
||||||
|
#include "sendf.h"
|
||||||
|
#include "strtoofft.h"
|
||||||
|
#include "parsedate.h"
|
||||||
|
-#include "rand.h"
|
||||||
|
+#include "fopen.h"
|
||||||
|
#include "rename.h"
|
||||||
|
#include "strtoofft.h"
|
||||||
|
|
||||||
|
@@ -354,8 +354,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
|
||||||
|
struct Curl_llist_element *n;
|
||||||
|
CURLcode result = CURLE_OK;
|
||||||
|
FILE *out;
|
||||||
|
- char *tempstore;
|
||||||
|
- unsigned char randsuffix[9];
|
||||||
|
+ char *tempstore = NULL;
|
||||||
|
|
||||||
|
if(!h)
|
||||||
|
/* no cache activated */
|
||||||
|
@@ -369,17 +368,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
|
||||||
|
/* marked as read-only, no file or zero length file name */
|
||||||
|
goto skipsave;
|
||||||
|
|
||||||
|
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
|
||||||
|
- return CURLE_FAILED_INIT;
|
||||||
|
-
|
||||||
|
- tempstore = aprintf("%s.%s.tmp", file, randsuffix);
|
||||||
|
- if(!tempstore)
|
||||||
|
- return CURLE_OUT_OF_MEMORY;
|
||||||
|
-
|
||||||
|
- out = fopen(tempstore, FOPEN_WRITETEXT);
|
||||||
|
- if(!out)
|
||||||
|
- result = CURLE_WRITE_ERROR;
|
||||||
|
- else {
|
||||||
|
+ result = Curl_fopen(data, file, &out, &tempstore);
|
||||||
|
+ if(!result) {
|
||||||
|
fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
|
||||||
|
"# This file was generated by libcurl! Edit at your own risk.\n",
|
||||||
|
out);
|
||||||
|
@@ -391,10 +381,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
fclose(out);
|
||||||
|
- if(!result && Curl_rename(tempstore, file))
|
||||||
|
+ if(!result && tempstore && Curl_rename(tempstore, file))
|
||||||
|
result = CURLE_WRITE_ERROR;
|
||||||
|
|
||||||
|
- if(result)
|
||||||
|
+ if(result && tempstore)
|
||||||
|
unlink(tempstore);
|
||||||
|
}
|
||||||
|
free(tempstore);
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
136
0014-curl-7.82.0-CVE-2022-35252.patch
Normal file
136
0014-curl-7.82.0-CVE-2022-35252.patch
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 29 Aug 2022 00:09:17 +0200
|
||||||
|
Subject: [PATCH 1/2] cookie: reject cookies with "control bytes"
|
||||||
|
|
||||||
|
Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
|
||||||
|
|
||||||
|
Reported-by: Axel Chong
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-35252.html
|
||||||
|
|
||||||
|
CVE-2022-35252
|
||||||
|
|
||||||
|
Closes #9381
|
||||||
|
|
||||||
|
Upstream-commit: 8dfc93e573ca740544a2d79ebb0ed786592c65c3
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/cookie.c | 29 +++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 29 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||||
|
index cb0c03b..e0470a1 100644
|
||||||
|
--- a/lib/cookie.c
|
||||||
|
+++ b/lib/cookie.c
|
||||||
|
@@ -438,6 +438,30 @@ static bool bad_domain(const char *domain)
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ RFC 6265 section 4.1.1 says a server should accept this range:
|
||||||
|
+
|
||||||
|
+ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
|
||||||
|
+
|
||||||
|
+ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes
|
||||||
|
+ fine. The prime reason for filtering out control bytes is that some HTTP
|
||||||
|
+ servers return 400 for requests that contain such.
|
||||||
|
+*/
|
||||||
|
+static int invalid_octets(const char *p)
|
||||||
|
+{
|
||||||
|
+ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */
|
||||||
|
+ static const char badoctets[] = {
|
||||||
|
+ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a"
|
||||||
|
+ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14"
|
||||||
|
+ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f"
|
||||||
|
+ };
|
||||||
|
+ size_t vlen, len;
|
||||||
|
+ /* scan for all the octets that are *not* in cookie-octet */
|
||||||
|
+ len = strcspn(p, badoctets);
|
||||||
|
+ vlen = strlen(p);
|
||||||
|
+ return (len != vlen);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Curl_cookie_add
|
||||||
|
*
|
||||||
|
@@ -590,6 +614,11 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||||
|
badcookie = TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+ if(invalid_octets(whatptr) || invalid_octets(name)) {
|
||||||
|
+ infof(data, "invalid octets in name/value, cookie dropped");
|
||||||
|
+ badcookie = TRUE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
else if(!len) {
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
2.37.1
|
||||||
|
|
||||||
|
|
||||||
|
From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 29 Aug 2022 00:09:17 +0200
|
||||||
|
Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored
|
||||||
|
|
||||||
|
Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/test8 | 32 +++++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 31 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/test8 b/tests/data/test8
|
||||||
|
index a8548e6..8587611 100644
|
||||||
|
--- a/tests/data/test8
|
||||||
|
+++ b/tests/data/test8
|
||||||
|
@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want;
|
||||||
|
Set-Cookie: nocookie=yes; path=/WE;
|
||||||
|
Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
|
||||||
|
Set-Cookie: partialip=nono; domain=.0.0.1;
|
||||||
|
+Set-Cookie: cookie1=%hex[%01-junk]hex%
|
||||||
|
+Set-Cookie: cookie2=%hex[%02-junk]hex%
|
||||||
|
+Set-Cookie: cookie3=%hex[%03-junk]hex%
|
||||||
|
+Set-Cookie: cookie4=%hex[%04-junk]hex%
|
||||||
|
+Set-Cookie: cookie5=%hex[%05-junk]hex%
|
||||||
|
+Set-Cookie: cookie6=%hex[%06-junk]hex%
|
||||||
|
+Set-Cookie: cookie7=%hex[%07-junk]hex%
|
||||||
|
+Set-Cookie: cookie8=%hex[%08-junk]hex%
|
||||||
|
+Set-Cookie: cookie9=%hex[junk-%09-]hex%
|
||||||
|
+Set-Cookie: cookie11=%hex[%0b-junk]hex%
|
||||||
|
+Set-Cookie: cookie12=%hex[%0c-junk]hex%
|
||||||
|
+Set-Cookie: cookie14=%hex[%0e-junk]hex%
|
||||||
|
+Set-Cookie: cookie15=%hex[%0f-junk]hex%
|
||||||
|
+Set-Cookie: cookie16=%hex[%10-junk]hex%
|
||||||
|
+Set-Cookie: cookie17=%hex[%11-junk]hex%
|
||||||
|
+Set-Cookie: cookie18=%hex[%12-junk]hex%
|
||||||
|
+Set-Cookie: cookie19=%hex[%13-junk]hex%
|
||||||
|
+Set-Cookie: cookie20=%hex[%14-junk]hex%
|
||||||
|
+Set-Cookie: cookie21=%hex[%15-junk]hex%
|
||||||
|
+Set-Cookie: cookie22=%hex[%16-junk]hex%
|
||||||
|
+Set-Cookie: cookie23=%hex[%17-junk]hex%
|
||||||
|
+Set-Cookie: cookie24=%hex[%18-junk]hex%
|
||||||
|
+Set-Cookie: cookie25=%hex[%19-junk]hex%
|
||||||
|
+Set-Cookie: cookie26=%hex[%1a-junk]hex%
|
||||||
|
+Set-Cookie: cookie27=%hex[%1b-junk]hex%
|
||||||
|
+Set-Cookie: cookie28=%hex[%1c-junk]hex%
|
||||||
|
+Set-Cookie: cookie29=%hex[%1d-junk]hex%
|
||||||
|
+Set-Cookie: cookie30=%hex[%1e-junk]hex%
|
||||||
|
+Set-Cookie: cookie31=%hex[%1f-junk]hex%
|
||||||
|
+Set-Cookie: cookie31=%hex[%7f-junk]hex%
|
||||||
|
|
||||||
|
</file>
|
||||||
|
<precheck>
|
||||||
|
@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
|
||||||
|
Host: %HOSTIP:%HTTPPORT
|
||||||
|
User-Agent: curl/%VERSION
|
||||||
|
Accept: */*
|
||||||
|
-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
|
||||||
|
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- -
|
||||||
|
|
||||||
|
</protocol>
|
||||||
|
</verify>
|
||||||
|
--
|
||||||
|
2.37.1
|
||||||
|
|
@ -4,10 +4,10 @@ Date: Fri, 12 Apr 2013 12:04:05 +0200
|
|||||||
Subject: [PATCH] prevent multilib conflicts on the curl-config script
|
Subject: [PATCH] prevent multilib conflicts on the curl-config script
|
||||||
|
|
||||||
---
|
---
|
||||||
curl-config.in | 21 +++------------------
|
curl-config.in | 23 +++++------------------
|
||||||
docs/curl-config.1 | 4 +++-
|
docs/curl-config.1 | 4 +++-
|
||||||
libcurl.pc.in | 1 +
|
libcurl.pc.in | 1 +
|
||||||
3 files changed, 7 insertions(+), 19 deletions(-)
|
3 files changed, 9 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
diff --git a/curl-config.in b/curl-config.in
|
diff --git a/curl-config.in b/curl-config.in
|
||||||
index 150004d..95d0759 100644
|
index 150004d..95d0759 100644
|
||||||
@ -22,7 +22,7 @@ index 150004d..95d0759 100644
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
--prefix)
|
--prefix)
|
||||||
@@ -155,32 +155,17 @@ while test $# -gt 0; do
|
@@ -155,32 +155,19 @@ while test $# -gt 0; do
|
||||||
;;
|
;;
|
||||||
|
|
||||||
--libs)
|
--libs)
|
||||||
@ -31,7 +31,7 @@ index 150004d..95d0759 100644
|
|||||||
- else
|
- else
|
||||||
- CURLLIBDIR=""
|
- CURLLIBDIR=""
|
||||||
- fi
|
- fi
|
||||||
- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
|
- if test "X@ENABLE_SHARED@" = "Xno"; then
|
||||||
- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
|
- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
|
||||||
- else
|
- else
|
||||||
- echo ${CURLLIBDIR}-lcurl
|
- echo ${CURLLIBDIR}-lcurl
|
||||||
@ -49,6 +49,8 @@ index 150004d..95d0759 100644
|
|||||||
- echo "curl was built with static libraries disabled" >&2
|
- echo "curl was built with static libraries disabled" >&2
|
||||||
- exit 1
|
- exit 1
|
||||||
- fi
|
- fi
|
||||||
|
+ echo "curl was built with static libraries disabled" >&2
|
||||||
|
+ exit 1
|
||||||
;;
|
;;
|
||||||
|
|
||||||
--configure)
|
--configure)
|
||||||
@ -83,7 +85,7 @@ index 2ba9c39..f8f8b00 100644
|
|||||||
+configure_options=@CONFIGURE_OPTIONS@
|
+configure_options=@CONFIGURE_OPTIONS@
|
||||||
|
|
||||||
Name: libcurl
|
Name: libcurl
|
||||||
URL: https://curl.haxx.se/
|
URL: https://curl.se/
|
||||||
--
|
--
|
||||||
2.5.0
|
2.26.2
|
||||||
|
|
||||||
|
@ -1,65 +0,0 @@
|
|||||||
From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
Date: Wed, 31 Oct 2012 11:38:30 +0100
|
|
||||||
Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778)
|
|
||||||
|
|
||||||
---
|
|
||||||
configure | 13 +++----------
|
|
||||||
m4/curl-compilers.m4 | 13 +++----------
|
|
||||||
2 files changed, 6 insertions(+), 20 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/configure b/configure
|
|
||||||
index 8f079a3..53b4774 100755
|
|
||||||
--- a/configure
|
|
||||||
+++ b/configure
|
|
||||||
@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; }
|
|
||||||
gccvhi=`echo $gccver | cut -d . -f1`
|
|
||||||
gccvlo=`echo $gccver | cut -d . -f2`
|
|
||||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
|
||||||
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -ggdb"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gstabs"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gstabs+"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gcoff"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gxcoff"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gdwarf-2"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gvms"
|
|
||||||
+ flags_dbg_all=""
|
|
||||||
flags_dbg_yes="-g"
|
|
||||||
flags_dbg_off=""
|
|
||||||
- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
|
|
||||||
- flags_opt_yes="-O2"
|
|
||||||
+ flags_opt_all=""
|
|
||||||
+ flags_opt_yes=""
|
|
||||||
flags_opt_off="-O0"
|
|
||||||
|
|
||||||
OLDCPPFLAGS=$CPPFLAGS
|
|
||||||
diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
|
|
||||||
index 0cbba7a..9175b5b 100644
|
|
||||||
--- a/m4/curl-compilers.m4
|
|
||||||
+++ b/m4/curl-compilers.m4
|
|
||||||
@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
|
|
||||||
gccvhi=`echo $gccver | cut -d . -f1`
|
|
||||||
gccvlo=`echo $gccver | cut -d . -f2`
|
|
||||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
|
||||||
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -ggdb"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gstabs"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gstabs+"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gcoff"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gxcoff"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gdwarf-2"
|
|
||||||
- flags_dbg_all="$flags_dbg_all -gvms"
|
|
||||||
+ flags_dbg_all=""
|
|
||||||
flags_dbg_yes="-g"
|
|
||||||
flags_dbg_off=""
|
|
||||||
- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
|
|
||||||
- flags_opt_yes="-O2"
|
|
||||||
+ flags_opt_all=""
|
|
||||||
+ flags_opt_yes=""
|
|
||||||
flags_opt_off="-O0"
|
|
||||||
CURL_CHECK_DEF([_WIN32], [], [silent])
|
|
||||||
else
|
|
||||||
--
|
|
||||||
1.7.1
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
Date: Thu, 15 Mar 2018 14:49:56 +0100
|
|
||||||
Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
|
|
||||||
|
|
||||||
Unfortunately, smbserver.py does not work with Python 3 because
|
|
||||||
there is no 'impacket' module available for Python 3:
|
|
||||||
|
|
||||||
https://github.com/CoreSecurity/impacket/issues/61
|
|
||||||
---
|
|
||||||
tests/negtelnetserver.py | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
|
|
||||||
index 8cfd409..72ee771 100755
|
|
||||||
--- a/tests/negtelnetserver.py
|
|
||||||
+++ b/tests/negtelnetserver.py
|
|
||||||
@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
|
|
||||||
response_data = response.encode('ascii')
|
|
||||||
else:
|
|
||||||
log.debug("Received normal request - echoing back")
|
|
||||||
- response_data = data.strip()
|
|
||||||
+ response_data = data.decode('utf8').strip()
|
|
||||||
|
|
||||||
if response_data:
|
|
||||||
log.debug("Sending %r", response_data)
|
|
||||||
- self.request.sendall(response_data)
|
|
||||||
+ self.request.sendall(response_data.encode('utf8'))
|
|
||||||
|
|
||||||
except IOError:
|
|
||||||
log.exception("IOError hit during request")
|
|
||||||
--
|
|
||||||
2.14.3
|
|
||||||
|
|
@ -1,51 +0,0 @@
|
|||||||
diff --git a/tests/data/test1083 b/tests/data/test1083
|
|
||||||
index e441278..b0958b6 100644
|
|
||||||
--- a/tests/data/test1083
|
|
||||||
+++ b/tests/data/test1083
|
|
||||||
@@ -33,13 +33,13 @@ ipv6
|
|
||||||
http-ipv6
|
|
||||||
</server>
|
|
||||||
<name>
|
|
||||||
-HTTP-IPv6 GET with ip6-localhost --interface
|
|
||||||
+HTTP-IPv6 GET with localhost6 --interface
|
|
||||||
</name>
|
|
||||||
<command>
|
|
||||||
--g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost
|
|
||||||
+-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
|
|
||||||
</command>
|
|
||||||
<precheck>
|
|
||||||
-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
|
|
||||||
+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
|
|
||||||
</precheck>
|
|
||||||
</client>
|
|
||||||
|
|
||||||
diff --git a/tests/data/test241 b/tests/data/test241
|
|
||||||
index 46eae1f..4e1632c 100644
|
|
||||||
--- a/tests/data/test241
|
|
||||||
+++ b/tests/data/test241
|
|
||||||
@@ -30,13 +30,13 @@ ipv6
|
|
||||||
http-ipv6
|
|
||||||
</server>
|
|
||||||
<name>
|
|
||||||
-HTTP-IPv6 GET (using ip6-localhost)
|
|
||||||
+HTTP-IPv6 GET (using localhost6)
|
|
||||||
</name>
|
|
||||||
<command>
|
|
||||||
--g "http://ip6-localhost:%HTTP6PORT/241"
|
|
||||||
+-g "http://localhost6:%HTTP6PORT/241"
|
|
||||||
</command>
|
|
||||||
<precheck>
|
|
||||||
-./server/resolve --ipv6 ip6-localhost
|
|
||||||
+./server/resolve --ipv6 localhost6
|
|
||||||
</precheck>
|
|
||||||
</client>
|
|
||||||
|
|
||||||
@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost)
|
|
||||||
</strip>
|
|
||||||
<protocol>
|
|
||||||
GET /241 HTTP/1.1
|
|
||||||
-Host: ip6-localhost:%HTTP6PORT
|
|
||||||
+Host: localhost6:%HTTP6PORT
|
|
||||||
Accept: */*
|
|
||||||
|
|
||||||
</protocol>
|
|
@ -1,39 +0,0 @@
|
|||||||
From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
Date: Mon, 4 Feb 2019 17:32:56 +0100
|
|
||||||
Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
|
|
||||||
|
|
||||||
... to prevent valgrind from reporting false positives on x86_64:
|
|
||||||
|
|
||||||
Conditional jump or move depends on uninitialised value(s)
|
|
||||||
at 0x10BCAA: part2id (lib1560.c:489)
|
|
||||||
by 0x10BCAA: updateurl (lib1560.c:521)
|
|
||||||
by 0x10BCAA: set_parts (lib1560.c:630)
|
|
||||||
by 0x10BCAA: test (lib1560.c:802)
|
|
||||||
by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
|
|
||||||
|
|
||||||
Conditional jump or move depends on uninitialised value(s)
|
|
||||||
at 0x10BCC3: part2id (lib1560.c:491)
|
|
||||||
by 0x10BCC3: updateurl (lib1560.c:521)
|
|
||||||
by 0x10BCC3: set_parts (lib1560.c:630)
|
|
||||||
by 0x10BCC3: test (lib1560.c:802)
|
|
||||||
by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
|
|
||||||
---
|
|
||||||
tests/libtest/Makefile.inc | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
|
||||||
index 080421b..ea3b806 100644
|
|
||||||
--- a/tests/libtest/Makefile.inc
|
|
||||||
+++ b/tests/libtest/Makefile.inc
|
|
||||||
@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
|
||||||
lib1559_LDADD = $(TESTUTIL_LIBS)
|
|
||||||
|
|
||||||
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
|
||||||
+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
|
|
||||||
lib1560_LDADD = $(TESTUTIL_LIBS)
|
|
||||||
|
|
||||||
lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
9
ci.fmf
Normal file
9
ci.fmf
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
discover:
|
||||||
|
how: fmf
|
||||||
|
prepare:
|
||||||
|
how: install
|
||||||
|
exclude:
|
||||||
|
- libcurl-minimal
|
||||||
|
- curl-minimal
|
||||||
|
execute:
|
||||||
|
how: tmt
|
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce
|
|
||||||
EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh
|
|
||||||
kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t
|
|
||||||
O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP
|
|
||||||
s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5
|
|
||||||
ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS
|
|
||||||
3dPfzzRA8wgROem58QhHnrR9c2CmdQ==
|
|
||||||
=5gov
|
|
||||||
-----END PGP SIGNATURE-----
|
|
11
curl-7.82.0.tar.xz.asc
Normal file
11
curl-7.82.0.tar.xz.asc
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAmIjIysACgkQXMkI/bce
|
||||||
|
EsK2qQf/bcLm7LXO+Cvh0gbbIS9S5uT2/8g8AJ3/dFijs/BvqW85ajsfSCx9Z4+4
|
||||||
|
Bad/CfZvuHoBMKKsSC9uSyBzv3UmupEHxYlIw0oik97Q0NDml5czsLJznGEtRiwh
|
||||||
|
DzOSl8hwLg3OhHXD/G239oSPk2b7ys1P7KQsdxadaxHaoVjFMT4qI0/1DQBKBb/C
|
||||||
|
AnzXcQUii3HEsPwnS7OmTvbXcDR6HS0Pq4b0Usop1YVppUlP5rG/gV6o7ogA13Cv
|
||||||
|
yssbfL8fGN3pSgJWtCLoxbIyZbRUROvR74u0ymlf5oLs4bCWzLR9pGKt+oM9YBGq
|
||||||
|
m9LkqrxKUEOp36vdLN4UgqGdWLa5zQ==
|
||||||
|
=/k1v
|
||||||
|
-----END PGP SIGNATURE-----
|
471
curl.spec
471
curl.spec
@ -1,31 +1,63 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.67.0
|
Version: 7.82.0
|
||||||
Release: 2%{?dist}
|
Release: 8%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
Source0: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||||
|
Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
|
||||||
|
# The curl download page ( https://curl.se/download.html ) links
|
||||||
|
# to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key,
|
||||||
|
# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc
|
||||||
|
Source2: mykey.asc
|
||||||
|
|
||||||
# fix infinite loop on upload using a glob (#1771025)
|
# openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
|
||||||
Patch1: 0001-curl-7.67.0-upload-glob.patch
|
Patch1: 0001-curl-7.82.0-openssl-spurious-oom.patch
|
||||||
|
|
||||||
|
# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
|
||||||
|
Patch2: 0002-curl-7.82.0-CVE-2022-22576.patch
|
||||||
|
|
||||||
|
# fix bad local IPv6 connection reuse (CVE-2022-27775)
|
||||||
|
Patch3: 0003-curl-7.82.0-CVE-2022-27775.patch
|
||||||
|
|
||||||
|
# fix auth/cookie leak on redirect (CVE-2022-27776)
|
||||||
|
Patch4: 0004-curl-7.82.0-CVE-2022-27776.patch
|
||||||
|
|
||||||
|
# fix credential leak on redirect (CVE-2022-27774)
|
||||||
|
Patch5: 0005-curl-7.82.0-CVE-2022-27774.patch
|
||||||
|
|
||||||
|
# reject percent-encoded path separator in URL host (CVE-2022-27780)
|
||||||
|
Patch6: 0006-curl-7.82.0-CVE-2022-27780.patch
|
||||||
|
|
||||||
|
# hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
|
||||||
|
Patch7: 0007-curl-7.82.0-CVE-2022-30115.patch
|
||||||
|
|
||||||
|
# do not accept cookies for TLD with trailing dot (CVE-2022-27779)
|
||||||
|
Patch8: 0008-curl-7.82.0-CVE-2022-27779.patch
|
||||||
|
|
||||||
|
# fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
|
||||||
|
Patch9: 0009-curl-7.82.0-CVE-2022-27782.patch
|
||||||
|
|
||||||
|
# fix FTP-KRB bad message verification (CVE-2022-32208)
|
||||||
|
Patch10: 0010-curl-7.82.0-CVE-2022-32208.patch
|
||||||
|
|
||||||
|
# fix HTTP compression denial of service (CVE-2022-32206)
|
||||||
|
Patch11: 0011-curl-7.82.0-CVE-2022-32206.patch
|
||||||
|
|
||||||
|
# fix Set-Cookie denial of service (CVE-2022-32205)
|
||||||
|
Patch12: 0012-curl-7.82.0-CVE-2022-32205.patch
|
||||||
|
|
||||||
|
# fix unpreserved file permissions (CVE-2022-32207)
|
||||||
|
Patch13: 0013-curl-7.82.0-CVE-2022-32207.patch
|
||||||
|
|
||||||
|
# control code in cookie denial of service (CVE-2022-35252)
|
||||||
|
Patch14: 0014-curl-7.82.0-CVE-2022-35252.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
# prevent configure script from discarding -g in CFLAGS (#496778)
|
|
||||||
Patch102: 0102-curl-7.36.0-debug.patch
|
|
||||||
|
|
||||||
# migrate tests/http_pipe.py to Python 3
|
|
||||||
Patch103: 0103-curl-7.59.0-python3.patch
|
|
||||||
|
|
||||||
# use localhost6 instead of ip6-localhost in the curl test-suite
|
|
||||||
Patch104: 0104-curl-7.19.7-localhost6.patch
|
|
||||||
|
|
||||||
# prevent valgrind from reporting false positives on x86_64
|
|
||||||
Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch
|
|
||||||
|
|
||||||
Provides: curl-full = %{version}-%{release}
|
Provides: curl-full = %{version}-%{release}
|
||||||
Provides: webclient
|
Provides: webclient
|
||||||
URL: https://curl.haxx.se/
|
URL: https://curl.se/
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: brotli-devel
|
BuildRequires: brotli-devel
|
||||||
BuildRequires: coreutils
|
BuildRequires: coreutils
|
||||||
@ -33,10 +65,10 @@ BuildRequires: gcc
|
|||||||
BuildRequires: groff
|
BuildRequires: groff
|
||||||
BuildRequires: krb5-devel
|
BuildRequires: krb5-devel
|
||||||
BuildRequires: libidn2-devel
|
BuildRequires: libidn2-devel
|
||||||
BuildRequires: libmetalink-devel
|
|
||||||
BuildRequires: libnghttp2-devel
|
BuildRequires: libnghttp2-devel
|
||||||
BuildRequires: libpsl-devel
|
BuildRequires: libpsl-devel
|
||||||
BuildRequires: libssh-devel
|
BuildRequires: libssh-devel
|
||||||
|
BuildRequires: libtool
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: openldap-devel
|
BuildRequires: openldap-devel
|
||||||
BuildRequires: openssh-clients
|
BuildRequires: openssh-clients
|
||||||
@ -44,11 +76,14 @@ BuildRequires: openssh-server
|
|||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
BuildRequires: perl-interpreter
|
BuildRequires: perl-interpreter
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
|
BuildRequires: python-unversioned-command
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
BuildRequires: sed
|
BuildRequires: sed
|
||||||
BuildRequires: stunnel
|
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
|
|
||||||
|
# For gpg verification of source tarball
|
||||||
|
BuildRequires: gnupg2
|
||||||
|
|
||||||
# needed to compress content of tool_hugehelp.c after changing curl.1 man page
|
# needed to compress content of tool_hugehelp.c after changing curl.1 man page
|
||||||
BuildRequires: perl(IO::Compress::Gzip)
|
BuildRequires: perl(IO::Compress::Gzip)
|
||||||
|
|
||||||
@ -61,12 +96,16 @@ BuildRequires: perl(warnings)
|
|||||||
# gnutls-serv is used by the upstream test-suite
|
# gnutls-serv is used by the upstream test-suite
|
||||||
BuildRequires: gnutls-utils
|
BuildRequires: gnutls-utils
|
||||||
|
|
||||||
|
# hostname(1) is used by the test-suite but it is missing in armv7hl buildroot
|
||||||
|
BuildRequires: hostname
|
||||||
|
|
||||||
# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
|
# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
|
||||||
BuildRequires: nghttp2
|
BuildRequires: nghttp2
|
||||||
|
|
||||||
# perl modules used in the test suite
|
# perl modules used in the test suite
|
||||||
BuildRequires: perl(Cwd)
|
BuildRequires: perl(Cwd)
|
||||||
BuildRequires: perl(Digest::MD5)
|
BuildRequires: perl(Digest::MD5)
|
||||||
|
BuildRequires: perl(Digest::SHA)
|
||||||
BuildRequires: perl(Exporter)
|
BuildRequires: perl(Exporter)
|
||||||
BuildRequires: perl(File::Basename)
|
BuildRequires: perl(File::Basename)
|
||||||
BuildRequires: perl(File::Copy)
|
BuildRequires: perl(File::Copy)
|
||||||
@ -77,6 +116,11 @@ BuildRequires: perl(Time::Local)
|
|||||||
BuildRequires: perl(Time::HiRes)
|
BuildRequires: perl(Time::HiRes)
|
||||||
BuildRequires: perl(vars)
|
BuildRequires: perl(vars)
|
||||||
|
|
||||||
|
%if 0%{?fedora}
|
||||||
|
# needed for upstream test 1451
|
||||||
|
BuildRequires: python3-impacket
|
||||||
|
%endif
|
||||||
|
|
||||||
# The test-suite runs automatically through valgrind if valgrind is available
|
# The test-suite runs automatically through valgrind if valgrind is available
|
||||||
# on the system. By not installing valgrind into mock's chroot, we disable
|
# on the system. By not installing valgrind into mock's chroot, we disable
|
||||||
# this feature for production builds on architectures where valgrind is known
|
# this feature for production builds on architectures where valgrind is known
|
||||||
@ -87,6 +131,12 @@ BuildRequires: perl(vars)
|
|||||||
BuildRequires: valgrind
|
BuildRequires: valgrind
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# stunnel is used by upstream tests but it does not seem to work reliably
|
||||||
|
# on s390x and occasionally breaks some tests (mainly 1561 and 1562)
|
||||||
|
%ifnarch s390x
|
||||||
|
BuildRequires: stunnel
|
||||||
|
%endif
|
||||||
|
|
||||||
# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
|
# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
|
||||||
Requires: libcurl%{?_isa} >= %{version}-%{release}
|
Requires: libcurl%{?_isa} >= %{version}-%{release}
|
||||||
|
|
||||||
@ -100,7 +150,8 @@ Requires: libcurl%{?_isa} >= %{version}-%{release}
|
|||||||
|
|
||||||
# require at least the version of openssl-libs that we were built against,
|
# require at least the version of openssl-libs that we were built against,
|
||||||
# to ensure that we have the necessary symbols available (#1462184, #1462211)
|
# to ensure that we have the necessary symbols available (#1462184, #1462211)
|
||||||
%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0)
|
# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though)
|
||||||
|
%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|')
|
||||||
|
|
||||||
%description
|
%description
|
||||||
curl is a command line tool for transferring data with URL syntax, supporting
|
curl is a command line tool for transferring data with URL syntax, supporting
|
||||||
@ -159,7 +210,7 @@ Summary: Conservatively configured build of libcurl for minimal installations
|
|||||||
Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
|
Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
|
||||||
Provides: libcurl = %{version}-%{release}
|
Provides: libcurl = %{version}-%{release}
|
||||||
Provides: libcurl%{?_isa} = %{version}-%{release}
|
Provides: libcurl%{?_isa} = %{version}-%{release}
|
||||||
Conflicts: libcurl
|
Conflicts: libcurl%{?_isa}
|
||||||
RemovePathPostfixes: .minimal
|
RemovePathPostfixes: .minimal
|
||||||
# needed for RemovePathPostfixes to work with shared libraries
|
# needed for RemovePathPostfixes to work with shared libraries
|
||||||
%undefine __brp_ldconfig
|
%undefine __brp_ldconfig
|
||||||
@ -171,55 +222,85 @@ other hand, the package is smaller and requires fewer run-time dependencies to
|
|||||||
be installed.
|
be installed.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
|
||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
%patch12 -p1
|
||||||
|
%patch13 -p1
|
||||||
|
%patch14 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
%patch102 -p1
|
|
||||||
%patch103 -p1
|
|
||||||
%patch104 -p1
|
|
||||||
%patch105 -p1
|
|
||||||
|
|
||||||
# make tests/*.py use Python 3
|
|
||||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
|
||||||
|
|
||||||
# regenerate Makefile.in files
|
|
||||||
aclocal -I m4
|
|
||||||
automake
|
|
||||||
|
|
||||||
# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
|
# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
|
||||||
# with errno 98: Address already in use' in Koji environment), and test 1801
|
# with errno 98: Address already in use' in Koji environment), and test 1801
|
||||||
# <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
|
# <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
|
||||||
# and test 1900, which is flaky and covers a deprecated feature of libcurl
|
printf "1112\n1455\n1184\n1801\n" >> tests/data/DISABLED
|
||||||
# <https://github.com/curl/curl/pull/2705>
|
|
||||||
printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED
|
|
||||||
|
|
||||||
# disable test 1319 on ppc64 (server times out)
|
# disable test 1319 on ppc64 (server times out)
|
||||||
%ifarch ppc64
|
%ifarch ppc64
|
||||||
echo "1319" >> tests/data/DISABLED
|
echo "1319" >> tests/data/DISABLED
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# temporarily disable test 582 on s390x (client times out)
|
# disable tests 320..322 on ppc64le where it started to hang/fail
|
||||||
|
%ifarch ppc64le
|
||||||
|
printf "320\n321\n322\n" >> tests/data/DISABLED
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# temporarily disable tests 582 and 1452 on s390x (client times out)
|
||||||
%ifarch s390x
|
%ifarch s390x
|
||||||
echo "582" >> tests/data/DISABLED
|
printf "582\n1452\n" >> tests/data/DISABLED
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# temporarily disable tests 702 703 716 on armv7hl (#1829180)
|
||||||
|
%ifarch armv7hl
|
||||||
|
printf "702\n703\n716\n" >> tests/data/DISABLED
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# temporarily disable tests 300{0,1} on x86_64 (stunnel clashes with itself)
|
||||||
|
%ifarch x86_64
|
||||||
|
printf "3000\n3001\n" >> tests/data/DISABLED
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# adapt test 323 for updated OpenSSL
|
# adapt test 323 for updated OpenSSL
|
||||||
sed -e 's/^35$/35,52/' -i tests/data/test323
|
sed -e 's|^35$|35,52|' -i tests/data/test323
|
||||||
|
|
||||||
|
# use localhost6 instead of ip6-localhost in the curl test-suite
|
||||||
|
(
|
||||||
|
# avoid glob expansion in the trace output of `bash -x`
|
||||||
|
{ set +x; } 2>/dev/null
|
||||||
|
cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*"
|
||||||
|
printf "+ %s\n" "$cmd" >&2
|
||||||
|
eval "$cmd"
|
||||||
|
)
|
||||||
|
|
||||||
|
# regenerate the configure script and Makefile.in files
|
||||||
|
autoreconf -fiv
|
||||||
|
|
||||||
%build
|
%build
|
||||||
mkdir build-{full,minimal}
|
mkdir build-{full,minimal}
|
||||||
export common_configure_opts=" \
|
export common_configure_opts=" \
|
||||||
--cache-file=../config.cache \
|
--cache-file=../config.cache \
|
||||||
--disable-static \
|
--disable-static \
|
||||||
--enable-symbol-hiding \
|
--enable-hsts \
|
||||||
--enable-ipv6 \
|
--enable-ipv6 \
|
||||||
--enable-threaded-resolver \
|
--enable-symbol-hiding \
|
||||||
--with-gssapi \
|
--enable-threaded-resolver \
|
||||||
--with-nghttp2 \
|
--without-zstd \
|
||||||
|
--with-gssapi \
|
||||||
|
--with-nghttp2 \
|
||||||
--with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
|
--with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
|
||||||
|
|
||||||
%global _configure ../configure
|
%global _configure ../configure
|
||||||
@ -227,28 +308,52 @@ export common_configure_opts=" \
|
|||||||
# configure minimal build
|
# configure minimal build
|
||||||
(
|
(
|
||||||
cd build-minimal
|
cd build-minimal
|
||||||
%configure $common_configure_opts \
|
%configure $common_configure_opts \
|
||||||
--disable-ldap \
|
--disable-dict \
|
||||||
--disable-ldaps \
|
--disable-gopher \
|
||||||
--disable-manual \
|
--disable-imap \
|
||||||
--without-brotli \
|
--disable-ldap \
|
||||||
--without-libidn2 \
|
--disable-ldaps \
|
||||||
--without-libmetalink \
|
--disable-manual \
|
||||||
--without-libpsl \
|
--disable-mqtt \
|
||||||
|
--disable-ntlm \
|
||||||
|
--disable-ntlm-wb \
|
||||||
|
--disable-pop3 \
|
||||||
|
--disable-rtsp \
|
||||||
|
--disable-smb \
|
||||||
|
--disable-smtp \
|
||||||
|
--disable-telnet \
|
||||||
|
--disable-tftp \
|
||||||
|
--disable-tls-srp \
|
||||||
|
--without-brotli \
|
||||||
|
--without-libidn2 \
|
||||||
|
--without-libpsl \
|
||||||
--without-libssh
|
--without-libssh
|
||||||
)
|
)
|
||||||
|
|
||||||
# configure full build
|
# configure full build
|
||||||
(
|
(
|
||||||
cd build-full
|
cd build-full
|
||||||
%configure $common_configure_opts \
|
%configure $common_configure_opts \
|
||||||
--enable-ldap \
|
--enable-dict \
|
||||||
--enable-ldaps \
|
--enable-gopher \
|
||||||
--enable-manual \
|
--enable-imap \
|
||||||
--with-brotli \
|
--enable-ldap \
|
||||||
--with-libidn2 \
|
--enable-ldaps \
|
||||||
--with-libmetalink \
|
--enable-manual \
|
||||||
--with-libpsl \
|
--enable-mqtt \
|
||||||
|
--enable-ntlm \
|
||||||
|
--enable-ntlm-wb \
|
||||||
|
--enable-pop3 \
|
||||||
|
--enable-rtsp \
|
||||||
|
--enable-smb \
|
||||||
|
--enable-smtp \
|
||||||
|
--enable-telnet \
|
||||||
|
--enable-tftp \
|
||||||
|
--enable-tls-srp \
|
||||||
|
--with-brotli \
|
||||||
|
--with-libidn2 \
|
||||||
|
--with-libpsl \
|
||||||
--with-libssh
|
--with-libssh
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -257,35 +362,48 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \
|
|||||||
-e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
|
-e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
|
||||||
-i build-{full,minimal}/libtool
|
-i build-{full,minimal}/libtool
|
||||||
|
|
||||||
make %{?_smp_mflags} V=1 -C build-minimal
|
%make_build V=1 -C build-minimal
|
||||||
make %{?_smp_mflags} V=1 -C build-full
|
%make_build V=1 -C build-full
|
||||||
|
|
||||||
%check
|
%check
|
||||||
# we have to override LD_LIBRARY_PATH because we eliminated rpath
|
|
||||||
LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
|
|
||||||
export LD_LIBRARY_PATH
|
|
||||||
|
|
||||||
# compile upstream test-cases
|
# compile upstream test-cases
|
||||||
cd build-full/tests
|
%make_build V=1 -C build-minimal/tests
|
||||||
make %{?_smp_mflags} V=1
|
%make_build V=1 -C build-full/tests
|
||||||
|
|
||||||
# relax crypto policy for the test-suite to make it pass again (#1610888)
|
# relax crypto policy for the test-suite to make it pass again (#1610888)
|
||||||
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
|
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
|
||||||
export OPENSSL_CONF=
|
export OPENSSL_CONF=
|
||||||
|
|
||||||
# run the upstream test-suite
|
# make runtests.pl work for out-of-tree builds
|
||||||
srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
|
export srcdir=../../tests
|
||||||
|
|
||||||
|
# prevent valgrind from being extremely slow (#1662656)
|
||||||
|
# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault
|
||||||
|
unset DEBUGINFOD_URLS
|
||||||
|
|
||||||
|
# run the upstream test-suite for both curl-minimal and curl-full
|
||||||
|
for size in minimal full; do (
|
||||||
|
cd build-${size}
|
||||||
|
|
||||||
|
# we have to override LD_LIBRARY_PATH because we eliminated rpath
|
||||||
|
export LD_LIBRARY_PATH="${PWD}/lib/.libs"
|
||||||
|
|
||||||
|
cd tests
|
||||||
|
perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
|
||||||
|
)
|
||||||
|
done
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
# install and rename the library that will be packaged as libcurl-minimal
|
# install and rename the library that will be packaged as libcurl-minimal
|
||||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib
|
%make_install -C build-minimal/lib
|
||||||
rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
|
rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
|
||||||
for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
|
for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
|
||||||
mv -v $i $i.minimal
|
mv -v $i $i.minimal
|
||||||
done
|
done
|
||||||
|
|
||||||
# install and rename the executable that will be packaged as curl-minimal
|
# install and rename the executable that will be packaged as curl-minimal
|
||||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src
|
%make_install -C build-minimal/src
|
||||||
mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
|
mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
|
||||||
|
|
||||||
# install libcurl.m4
|
# install libcurl.m4
|
||||||
@ -294,12 +412,12 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
|
|||||||
|
|
||||||
# install the executable and library that will be packaged as curl and libcurl
|
# install the executable and library that will be packaged as curl and libcurl
|
||||||
cd build-full
|
cd build-full
|
||||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
|
%make_install
|
||||||
|
|
||||||
# install zsh completion for curl
|
# install zsh completion for curl
|
||||||
# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
|
# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
|
||||||
LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
|
LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
|
||||||
make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts
|
%make_install -C scripts
|
||||||
|
|
||||||
# do not install /usr/share/fish/completions/curl.fish which is also installed
|
# do not install /usr/share/fish/completions/curl.fish which is also installed
|
||||||
# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
|
# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
|
||||||
@ -314,12 +432,11 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%files
|
%files
|
||||||
%doc CHANGES
|
%doc CHANGES
|
||||||
%doc README
|
%doc README
|
||||||
%doc docs/BUGS
|
%doc docs/BUGS.md
|
||||||
%doc docs/FAQ
|
%doc docs/FAQ
|
||||||
%doc docs/FEATURES
|
%doc docs/FEATURES.md
|
||||||
%doc docs/RESOURCES
|
|
||||||
%doc docs/TODO
|
%doc docs/TODO
|
||||||
%doc docs/TheArtOfHttpScripting
|
%doc docs/TheArtOfHttpScripting.md
|
||||||
%{_bindir}/curl
|
%{_bindir}/curl
|
||||||
%{_mandir}/man1/curl.1*
|
%{_mandir}/man1/curl.1*
|
||||||
%{_datadir}/zsh
|
%{_datadir}/zsh
|
||||||
@ -331,7 +448,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
|
|
||||||
%files -n libcurl-devel
|
%files -n libcurl-devel
|
||||||
%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
|
%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
|
||||||
%doc docs/CONTRIBUTE.md docs/libcurl/ABI
|
%doc docs/CONTRIBUTE.md docs/libcurl/ABI.md
|
||||||
%{_bindir}/curl-config*
|
%{_bindir}/curl-config*
|
||||||
%{_includedir}/curl
|
%{_includedir}/curl
|
||||||
%{_libdir}/*.so
|
%{_libdir}/*.so
|
||||||
@ -350,10 +467,196 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-2
|
* Fri Sep 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-8
|
||||||
|
- control code in cookie denial of service (CVE-2022-35252)
|
||||||
|
|
||||||
|
* Mon Jul 18 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-7
|
||||||
|
- fix build failure with gnutls backend enabled
|
||||||
|
|
||||||
|
* Wed Jun 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-6
|
||||||
|
- fix unpreserved file permissions (CVE-2022-32207)
|
||||||
|
- fix Set-Cookie denial of service (CVE-2022-32205)
|
||||||
|
- fix HTTP compression denial of service (CVE-2022-32206)
|
||||||
|
- fix FTP-KRB bad message verification (CVE-2022-32208)
|
||||||
|
|
||||||
|
* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-5
|
||||||
|
- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
|
||||||
|
- do not accept cookies for TLD with trailing dot (CVE-2022-27779)
|
||||||
|
- hsts: ignore trailing dots when comparing hosts names (CVE-2022-30115)
|
||||||
|
- reject percent-encoded path separator in URL host (CVE-2022-27780)
|
||||||
|
|
||||||
|
* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-4
|
||||||
|
- fix leak of SRP credentials in redirects (CVE-2022-27774)
|
||||||
|
|
||||||
|
* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-3
|
||||||
|
- fix credential leak on redirect (CVE-2022-27774)
|
||||||
|
- fix auth/cookie leak on redirect (CVE-2022-27776)
|
||||||
|
- fix bad local IPv6 connection reuse (CVE-2022-27775)
|
||||||
|
- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
|
||||||
|
|
||||||
|
* Tue Mar 15 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-2
|
||||||
|
- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure
|
||||||
|
|
||||||
|
* Sat Mar 05 2022 Kamil Dudka <kdudka@redhat.com> - 7.82.0-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 7.81.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jan 05 2022 Kamil Dudka <kdudka@redhat.com> - 7.81.0-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Sun Nov 14 2021 Paul Howarth <paul@city-fan.org> - 7.80.0-2
|
||||||
|
- sshserver.pl (used in test suite) now requires the Digest::SHA perl module
|
||||||
|
|
||||||
|
* Wed Nov 10 2021 Kamil Dudka <kdudka@redhat.com> - 7.80.0-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Tue Oct 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.1-3
|
||||||
|
- re-enable HSTS in libcurl-minimal as a security feature (#2005874)
|
||||||
|
|
||||||
|
* Mon Oct 04 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.1-2
|
||||||
|
- disable more protocols and features in libcurl-minimal (#2005874)
|
||||||
|
|
||||||
|
* Wed Sep 22 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.1-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Thu Sep 16 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.0-4
|
||||||
|
- fix regression in http2 implementation introduced in the last release
|
||||||
|
|
||||||
|
* Thu Sep 16 2021 Sahana Prasad <sahana@redhat.com> - 7.79.0-3
|
||||||
|
- Rebuilt with OpenSSL 3.0.0
|
||||||
|
|
||||||
|
* Thu Sep 16 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.0-2
|
||||||
|
- make SCP/SFTP tests work with openssh-8.7p1
|
||||||
|
|
||||||
|
* Wed Sep 15 2021 Kamil Dudka <kdudka@redhat.com> - 7.79.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2021-22947 - STARTTLS protocol injection via MITM
|
||||||
|
CVE-2021-22946 - protocol downgrade required TLS bypassed
|
||||||
|
CVE-2021-22945 - use-after-free and double-free in MQTT sending
|
||||||
|
|
||||||
|
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 7.78.0-4
|
||||||
|
- Rebuilt with OpenSSL 3.0.0
|
||||||
|
|
||||||
|
* Fri Jul 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.78.0-3
|
||||||
|
- make explicit dependency on openssl work with alpha/beta builds of openssl
|
||||||
|
|
||||||
|
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.78.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 21 2021 Kamil Dudka <kdudka@redhat.com> - 7.78.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2021-22925 - TELNET stack contents disclosure again
|
||||||
|
CVE-2021-22924 - bad connection reuse due to flawed path name checks
|
||||||
|
CVE-2021-22923 - metalink download sends credentials
|
||||||
|
CVE-2021-22922 - wrong content via metalink not discarded
|
||||||
|
|
||||||
|
* Wed Jun 02 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-2
|
||||||
|
- build the curl tool without metalink support (#1967213)
|
||||||
|
|
||||||
|
* Wed May 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.77.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2021-22901 - TLS session caching disaster
|
||||||
|
CVE-2021-22898 - TELNET stack contents disclosure
|
||||||
|
|
||||||
|
* Mon May 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-2
|
||||||
|
- http2: fix resource leaks detected by Coverity
|
||||||
|
|
||||||
|
* Wed Apr 14 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Wed Mar 31 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup
|
||||||
|
CVE-2021-22876 - Automatic referer leaks credentials
|
||||||
|
|
||||||
|
* Wed Mar 24 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-3
|
||||||
|
- fix SIGSEGV upon disconnect of a ldaps:// transfer
|
||||||
|
|
||||||
|
* Tue Feb 23 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-2
|
||||||
|
- build-require python3-impacket only on Fedora
|
||||||
|
|
||||||
|
* Wed Feb 03 2021 Kamil Dudka <kdudka@redhat.com> - 7.75.0-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.74.0-4
|
||||||
|
- do not use stunnel for tests on s390x builds to avoid spurious failures
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 7.74.0-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.74.0-2
|
||||||
|
- do not rewrite shebangs in test-suite to use python3 explicitly
|
||||||
|
|
||||||
|
* Wed Dec 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.74.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2020-8286 - curl: Inferior OCSP verification
|
||||||
|
CVE-2020-8285 - libcurl: FTP wildcard stack overflow
|
||||||
|
CVE-2020-8284 - curl: trusting FTP PASV responses
|
||||||
|
|
||||||
|
* Wed Oct 14 2020 Kamil Dudka <kdudka@redhat.com> - 7.73.0-2
|
||||||
|
- prevent upstream test 1451 from being skipped
|
||||||
|
|
||||||
|
* Wed Oct 14 2020 Kamil Dudka <kdudka@redhat.com> - 7.73.0-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Thu Sep 10 2020 Jinoh Kang <aurhb20@protonmail.ch> - 7.72.0-2
|
||||||
|
- fix multiarch conflicts in libcurl-minimal (#1877671)
|
||||||
|
|
||||||
|
* Wed Aug 19 2020 Kamil Dudka <kdudka@redhat.com> - 7.72.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerability
|
||||||
|
CVE-2020-8231 - libcurl: wrong connect-only connection
|
||||||
|
|
||||||
|
* Thu Aug 06 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-5
|
||||||
|
- setopt: unset NOBODY switches to GET if still HEAD
|
||||||
|
|
||||||
|
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.71.1-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 7.71.1-3
|
||||||
|
- Use make macros
|
||||||
|
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||||
|
|
||||||
|
* Fri Jul 03 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-2
|
||||||
|
- curl: make the --krb option work again (#1833193)
|
||||||
|
|
||||||
|
* Wed Jul 01 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.1-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Wed Jun 24 2020 Kamil Dudka <kdudka@redhat.com> - 7.71.0-1
|
||||||
|
- new upstream release, which fixes the following vulnerabilities
|
||||||
|
CVE-2020-8169 - curl: Partial password leak over DNS on HTTP redirect
|
||||||
|
CVE-2020-8177 - curl: overwrite local file with -J
|
||||||
|
|
||||||
|
* Wed Apr 29 2020 Kamil Dudka <kdudka@redhat.com> - 7.70.0-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Mon Apr 20 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-3
|
||||||
|
- SSH: use new ECDSA key types to check known hosts (#1824926)
|
||||||
|
|
||||||
|
* Fri Apr 17 2020 Tom Stellard <tstellar@redhat.com> - 7.69.1-2
|
||||||
|
- Prevent discarding of -g when compiling with clang
|
||||||
|
|
||||||
|
* Wed Mar 11 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.1-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Mon Mar 09 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-2
|
||||||
|
- make Flatpak work again (#1810989)
|
||||||
|
|
||||||
|
* Wed Mar 04 2020 Kamil Dudka <kdudka@redhat.com> - 7.69.0-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 7.68.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jan 08 2020 Kamil Dudka <kdudka@redhat.com> - 7.68.0-1
|
||||||
|
- new upstream release
|
||||||
|
|
||||||
|
* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-2
|
||||||
- fix infinite loop on upload using a glob (#1771025)
|
- fix infinite loop on upload using a glob (#1771025)
|
||||||
|
|
||||||
* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-1
|
* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.0-1
|
||||||
- new upstream release
|
- new upstream release
|
||||||
|
|
||||||
* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
|
* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
|
||||||
|
77
mykey.asc
Normal file
77
mykey.asc
Normal file
@ -0,0 +1,77 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
Version: GnuPG v2
|
||||||
|
|
||||||
|
mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ
|
||||||
|
QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV
|
||||||
|
0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1
|
||||||
|
EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch
|
||||||
|
soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje
|
||||||
|
f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL
|
||||||
|
gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo
|
||||||
|
SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2
|
||||||
|
m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0
|
||||||
|
ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU
|
||||||
|
ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w
|
||||||
|
i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD
|
||||||
|
AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv
|
||||||
|
jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb
|
||||||
|
XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz
|
||||||
|
7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM
|
||||||
|
wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+
|
||||||
|
dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT
|
||||||
|
rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t
|
||||||
|
FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9
|
||||||
|
OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx
|
||||||
|
5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h
|
||||||
|
zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O
|
||||||
|
poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA
|
||||||
|
Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d
|
||||||
|
6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8
|
||||||
|
tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu
|
||||||
|
c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
|
||||||
|
EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1
|
||||||
|
svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+
|
||||||
|
Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv
|
||||||
|
+BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh
|
||||||
|
Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg
|
||||||
|
rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL
|
||||||
|
y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP
|
||||||
|
BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/
|
||||||
|
0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf
|
||||||
|
09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG
|
||||||
|
6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8
|
||||||
|
67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H
|
||||||
|
a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr
|
||||||
|
LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK
|
||||||
|
nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb
|
||||||
|
0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb
|
||||||
|
2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC
|
||||||
|
OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/
|
||||||
|
PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC
|
||||||
|
8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3
|
||||||
|
/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e
|
||||||
|
8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk
|
||||||
|
bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0
|
||||||
|
IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx
|
||||||
|
AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN
|
||||||
|
2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ
|
||||||
|
L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD
|
||||||
|
/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6
|
||||||
|
UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb
|
||||||
|
9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh
|
||||||
|
TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k
|
||||||
|
IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
|
||||||
|
AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
|
||||||
|
eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
|
||||||
|
sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
|
||||||
|
c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
|
||||||
|
KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
|
||||||
|
4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
|
||||||
|
wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
|
||||||
|
BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
|
||||||
|
PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
|
||||||
|
gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
|
||||||
|
ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
|
||||||
|
j/qx4ytjt5uxt6Jm6IXV9cry8i6x
|
||||||
|
=Phs/
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29
|
SHA512 (curl-7.82.0.tar.xz) = a977d69360d1793f8872096a21f5c0271e7ad145cd69ad45f4056a0657772f0f298b04bdb41aefd4ea5c4478352c60d80b5a118642280a07a7198aa80ffb1d57
|
||||||
|
@ -1,63 +0,0 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/curl/Sanity/non-root-user-download
|
|
||||||
# Description: various download methods with non-root user
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
export TEST=/CoreOS/curl/Sanity/non-root-user-download
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: various download methods with non-root user" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 5m" >> $(METADATA)
|
|
||||||
@echo "RunFor: curl" >> $(METADATA)
|
|
||||||
@echo "Requires: curl" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,3 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/curl/Sanity/non-root-user-download
|
|
||||||
Description: various download methods with non-root user
|
|
||||||
Author: Karel Srot <ksrot@redhat.com>
|
|
18
tests/non-root-user-download/main.fmf
Normal file
18
tests/non-root-user-download/main.fmf
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
summary: various download methods with non-root user
|
||||||
|
description: ''
|
||||||
|
contact: Daniel Rusek <drusek@redhat.com>
|
||||||
|
component:
|
||||||
|
- curl
|
||||||
|
require:
|
||||||
|
- findutils
|
||||||
|
- libselinux-utils
|
||||||
|
- openssh-clients
|
||||||
|
- openssh-server
|
||||||
|
- passwd
|
||||||
|
test: ./runtest.sh
|
||||||
|
framework: beakerlib
|
||||||
|
duration: 5m
|
||||||
|
enabled: true
|
||||||
|
tier: '1'
|
||||||
|
link:
|
||||||
|
- relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921
|
15
tests/non-root-user-download/runtest.sh
Normal file → Executable file
15
tests/non-root-user-download/runtest.sh
Normal file → Executable file
@ -27,14 +27,13 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
# Include Beaker environment
|
# Include Beaker environment
|
||||||
. /usr/bin/rhts-environment.sh || exit 1
|
|
||||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
PACKAGE="curl"
|
PACKAGE="curl"
|
||||||
|
|
||||||
FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
|
FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
|
||||||
HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
|
HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/36/Everything/x86_64/iso/Fedora-Everything-36-1.5-x86_64-CHECKSUM
|
||||||
CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed
|
CONTENT=85cb450443d68d513b41e57b0bd818a740279dac5dfc09c68e681ff8a3006404
|
||||||
PASSWORD=pAssw0rd
|
PASSWORD=pAssw0rd
|
||||||
OPTIONS=""
|
OPTIONS=""
|
||||||
rlIsRHEL 7 && OPTIONS="--insecure"
|
rlIsRHEL 7 && OPTIONS="--insecure"
|
||||||
@ -47,9 +46,11 @@ rlJournalStart
|
|||||||
rlRun "useradd -m curltester" 0 "Adding the test user"
|
rlRun "useradd -m curltester" 0 "Adding the test user"
|
||||||
rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
|
rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
|
||||||
rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
|
rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
|
||||||
|
rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts
|
||||||
|
rlRun "rm -f $HOME/.ssh/*"
|
||||||
[ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
|
[ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
|
||||||
rlFileBackup $HOME/.ssh/known_hosts /etc/hosts
|
rlRun "rlServiceStart sshd"
|
||||||
ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
|
rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
|
||||||
rlPhaseEnd
|
rlPhaseEnd
|
||||||
|
|
||||||
rlPhaseStartTest "http download"
|
rlPhaseStartTest "http download"
|
||||||
@ -82,7 +83,7 @@ if ! rlIsRHEL 5; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
rlPhaseStartCleanup
|
||||||
rlRun "rm -f $HOME/.ssh/known_hosts"
|
rlRun "rlServiceRestore"
|
||||||
rlFileRestore
|
rlFileRestore
|
||||||
rlRun "popd"
|
rlRun "popd"
|
||||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
@ -1,64 +0,0 @@
|
|||||||
- hosts: '{{ hosts | default("localhost") }}'
|
|
||||||
vars:
|
|
||||||
package: "curl"
|
|
||||||
tasks:
|
|
||||||
- name: "Set Content variables"
|
|
||||||
set_fact:
|
|
||||||
content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed"
|
|
||||||
password: "pAssw0rd"
|
|
||||||
crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1"
|
|
||||||
- name: "Create user curltester"
|
|
||||||
user:
|
|
||||||
name: "curltester"
|
|
||||||
password: "{{ crypt_password }}"
|
|
||||||
- name: "Copy testfile"
|
|
||||||
copy:
|
|
||||||
dest: "/home/curltester/testfile"
|
|
||||||
content: "{{ content }}"
|
|
||||||
- block:
|
|
||||||
- name: "http download"
|
|
||||||
command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
|
|
||||||
args:
|
|
||||||
warn: false
|
|
||||||
register: http
|
|
||||||
become: yes
|
|
||||||
become_user: curltester
|
|
||||||
- name: "Compare http output"
|
|
||||||
fail:
|
|
||||||
msg: "{{ content }} not in {{ http.stdout }}"
|
|
||||||
when: content not in http.stdout
|
|
||||||
- name: "ftp download"
|
|
||||||
command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
|
|
||||||
args:
|
|
||||||
warn: false
|
|
||||||
register: ftp
|
|
||||||
become: yes
|
|
||||||
become_user: curltester
|
|
||||||
- name: "Compare ftp output"
|
|
||||||
fail:
|
|
||||||
msg: "{{ content }} not in {{ ftp.stdout }}"
|
|
||||||
when: content not in ftp.stdout
|
|
||||||
- name: "scp download"
|
|
||||||
command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile"
|
|
||||||
args:
|
|
||||||
warn: false
|
|
||||||
register: scp
|
|
||||||
- name: "Compare scp output"
|
|
||||||
fail:
|
|
||||||
msg: "{{ content }} not in {{ scp.stdout }}"
|
|
||||||
when: content not in scp.stdout
|
|
||||||
- name: "sftp download"
|
|
||||||
command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile"
|
|
||||||
args:
|
|
||||||
warn: false
|
|
||||||
register: sftp
|
|
||||||
- name: "Compare sftp output"
|
|
||||||
fail:
|
|
||||||
msg: "{{ content }} not in {{ sftp.stdout }}"
|
|
||||||
when: content not in sftp.stdout
|
|
||||||
always:
|
|
||||||
- name: "Remove user curltester"
|
|
||||||
user:
|
|
||||||
name: "curltester"
|
|
||||||
remove: yes
|
|
||||||
state: absent
|
|
@ -1,63 +0,0 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test
|
|
||||||
# Description: downloads test file through scp and sftp
|
|
||||||
# Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
#
|
|
||||||
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
|
|
||||||
#
|
|
||||||
# This copyrighted material is made available to anyone wishing
|
|
||||||
# to use, modify, copy, or redistribute it subject to the terms
|
|
||||||
# and conditions of the GNU General Public License version 2.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be
|
|
||||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
||||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
||||||
# PURPOSE. See the GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public
|
|
||||||
# License along with this program; if not, write to the Free
|
|
||||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
||||||
# Boston, MA 02110-1301, USA.
|
|
||||||
#
|
|
||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test
|
|
||||||
export TESTVERSION=1.0
|
|
||||||
|
|
||||||
BUILT_FILES=
|
|
||||||
|
|
||||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
||||||
|
|
||||||
.PHONY: all install download clean
|
|
||||||
|
|
||||||
run: $(FILES) build
|
|
||||||
./runtest.sh
|
|
||||||
|
|
||||||
build: $(BUILT_FILES)
|
|
||||||
test -x runtest.sh || chmod a+x runtest.sh
|
|
||||||
|
|
||||||
clean:
|
|
||||||
rm -f *~ $(BUILT_FILES)
|
|
||||||
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
|
||||||
|
|
||||||
$(METADATA): Makefile
|
|
||||||
@echo "Owner: Karel Srot <ksrot@redhat.com>" > $(METADATA)
|
|
||||||
@echo "Name: $(TEST)" >> $(METADATA)
|
|
||||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
||||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
||||||
@echo "Description: downloads test file through scp and sftp" >> $(METADATA)
|
|
||||||
@echo "Type: Sanity" >> $(METADATA)
|
|
||||||
@echo "TestTime: 10m" >> $(METADATA)
|
|
||||||
@echo "RunFor: curl" >> $(METADATA)
|
|
||||||
@echo "Requires: curl openssh" >> $(METADATA)
|
|
||||||
@echo "Priority: Normal" >> $(METADATA)
|
|
||||||
@echo "License: GPLv2" >> $(METADATA)
|
|
||||||
@echo "Confidential: no" >> $(METADATA)
|
|
||||||
@echo "Destructive: no" >> $(METADATA)
|
|
||||||
|
|
||||||
rhts-lint $(METADATA)
|
|
@ -1,12 +0,0 @@
|
|||||||
PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test
|
|
||||||
Description: downloads test file through scp and sftp
|
|
||||||
Author: Karel Srot <ksrot@redhat.com>
|
|
||||||
|
|
||||||
Test scenario:
|
|
||||||
- scp download
|
|
||||||
- sftp download
|
|
||||||
- scp upload
|
|
||||||
- sftp upload
|
|
||||||
|
|
||||||
When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
|
|
||||||
with empty --pubkey parameter (--pubkey "") or with the paramiter omitted
|
|
20
tests/scp-and-sftp-download-test/main.fmf
Normal file
20
tests/scp-and-sftp-download-test/main.fmf
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
summary: downloads test file through scp and sftp
|
||||||
|
description: |
|
||||||
|
Test scenario:
|
||||||
|
- scp download
|
||||||
|
- sftp download
|
||||||
|
- scp upload
|
||||||
|
- sftp upload
|
||||||
|
|
||||||
|
When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
|
||||||
|
with empty --pubkey parameter (--pubkey "") or with the paramiter omitted
|
||||||
|
contact: Daniel Rusek <drusek@redhat.com>
|
||||||
|
require:
|
||||||
|
- findutils
|
||||||
|
component:
|
||||||
|
- curl
|
||||||
|
test: ./runtest.sh
|
||||||
|
path: /tests/scp-and-sftp-download-test
|
||||||
|
framework: beakerlib
|
||||||
|
duration: 10m
|
||||||
|
enabled: true
|
3
tests/scp-and-sftp-download-test/runtest.sh
Normal file → Executable file
3
tests/scp-and-sftp-download-test/runtest.sh
Normal file → Executable file
@ -27,8 +27,7 @@
|
|||||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
# Include Beaker environment
|
# Include Beaker environment
|
||||||
. /usr/bin/rhts-environment.sh
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
. /usr/lib/beakerlib/beakerlib.sh
|
|
||||||
|
|
||||||
PACKAGE="curl"
|
PACKAGE="curl"
|
||||||
|
|
||||||
|
@ -1,26 +0,0 @@
|
|||||||
---
|
|
||||||
# Tests for Classic
|
|
||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tags:
|
|
||||||
- classic
|
|
||||||
tests:
|
|
||||||
- scp-and-sftp-download-test
|
|
||||||
- non-root-user-download
|
|
||||||
required_packages:
|
|
||||||
- findutils # non-root-user-download needs find command
|
|
||||||
# scp-and-sftp-download-test needs find command
|
|
||||||
- passwd # non-root-user-download needs passwd command
|
|
||||||
- openssh-clients # non-root-user-download needs ssh-keyscan command
|
|
||||||
|
|
||||||
# Tests for Atomic
|
|
||||||
- hosts: localhost
|
|
||||||
roles:
|
|
||||||
- role: standard-test-beakerlib
|
|
||||||
tags:
|
|
||||||
- atomic
|
|
||||||
tests:
|
|
||||||
- scp-and-sftp-download-test
|
|
||||||
- non-root-user-download
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user