From 0eefde2bae1576ec5a4eca30bd1abbe0fc1be3ea Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 11 Oct 2016 00:48:35 +0200
Subject: [PATCH 1/2] urlparse: accept '#' as end of host name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

'http://example.com#@127.0.0.1/x.txt' equals a request to example.com for the '/' document with the rest of the URL being a fragment.
CVE-2016-8624
Bug: https://curl.haxx.se/docs/adv_20161102J.html
Reported-by: Fernando Muñoz
Upstream-commit: 3bb273db7e40ebc284cff45f3ce3f0475c8339c2
Signed-off-by: Kamil Dudka
---
 lib/url.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/url.c b/lib/url.c
index ff99c58..ff14dad 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4086,7 +4086,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
 path[0]=0;
 if(2 > sscanf(data->change.url,
- "%15[^\n:]://%[^\n/?]%[^\n]",
+ "%15[^\n:]://%[^\n/?#]%[^\n]",
 protobuf, conn->host.name, path)) {
@@ -4094,7 +4094,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
 * The URL was badly formatted, let's try the browser-style _without_
 * protocol specified like 'http://'.
 */
- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
+ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
 if(1 > rc) {
 /*
 * We couldn't even get this format.
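Review bot: The widened scanset `%[^\n/?#]` and the trailing `%[^\n]` still carry no maximum field width, so the sscanf() call in this hunk and the one in the hunk at line 4094 rely on conn->host.name and path being at least as large as data->change.url; the later hunk's comment records that path is 'urllen' bytes, but nothing near these calls records the same for host.name. A one-line comment at the first call, `/* host.name and path are allocated from the URL length, so the unbounded scansets cannot overflow them */`, would make that dependency visible to whoever next edits the patterns — presumably the allocation happens earlier in parseurlandfillconn, whose body starts and ends outside both hunks. The host-terminator set is now spelled out in two separate string literals, and the comment in the hunk at line 4184 depends on both agreeing, so a shared macro such as `#define URL_HOST_SCANSET "%[^\n/?#]"` used by both calls would keep them from drifting apart.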
@@ -4184,10 +4184,10 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
 }
 /* If the URL is malformatted (missing a '/' after hostname before path) we
- * insert a slash here. The only letter except '/' we accept to start a path
- * is '?'.
+ * insert a slash here. The only letters except '/' that can start a path is
+ * '?' and '#' - as controlled by the two sscanf() patterns above.
 */
- if(path[0] == '?') {
+ if(path[0] != '/') {
 /* We need this function to deal with overlapping memory areas. We know
 that the memory area 'path' points to is 'urllen' bytes big and that
 is bigger than the path. Use +1 to move the zero byte too. */
-- 
2.7.4

From c0304cbed088744f3c72a93b29bb58c8bc92d48a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 11 Oct 2016 00:54:51 +0200
Subject: [PATCH 2/2] test1246: verify URL parsing with host name ending with '#'

Upstream-commit: 42b650b9ea5f26b2f5347af3072eaf690658ed62
Signed-off-by: Kamil Dudka
---
 tests/data/Makefile.inc | 2 +-
 tests/data/test1246 | 64 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test1246

diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 7321ad5..b4bec03 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -126,7 +126,7 @@ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
 test1216 test1217 test1218 test1219 \
 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
 test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
-test1236 test1237 test1238 test1239 test1240 test1241 \
+test1236 test1237 test1238 test1239 test1240 test1241 test1246 \
 \
 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
 test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \
diff --git a/tests/data/test1246 b/tests/data/test1246
new file mode 100644
index 0000000..6565929
--- /dev/null
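Review bot: The new condition `if(path[0] != '/')` also fires for an empty path (path[0] == '\0'), a case the rewritten comment does not mention; if the move that follows (outside the hunk) shifts strlen(path)+1 bytes as the context comment describes, an empty path becomes "/", which looks intended but deserves a sentence in the comment, e.g. `/* also covers an empty path, which becomes "/" */`. The comment now ties correctness of this branch to "the two sscanf() patterns above", so any later change to those scansets silently changes which bytes reach this test; stating the real invariant, `path[0] is whatever sscanf() left after the host terminator, never part of the host`, would make that coupling explicit for the next editor. parseurlandfillconn's body continues on both sides of the hunk.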
+++ b/tests/data/test1246
@@ -0,0 +1,64 @@
+
+
+# verify URL with hostname ending in pound sign
+
+HTTP
+HTTP GET
+HTTP proxy
+
+
+
+#
+# Server-side
+
+
+HTTP/1.1 200 OK
+Content-Length: 6
+Connection: close
+
+-foo-
+
+
+
+HTTP/1.1 200 OK
+Content-Length: 7
+Connection: close
+
+-cool-
+
+
+
+#
+# Client-side
+
+
+http
+
+
+URL with '#' at end of host name instead of '/'
+
+
+--proxy http://%HOSTIP:%HTTPPORT http://test.remote.haxx.se.1246:%HTTPPORT#@127.0.0.1/tricked.html no-scheme-url.com.1246:%HTTPPORT#@127.127.127.127/again.html
+
+
+
+#
+# Verify data after the test has been "shot"
+
+
+^User-Agent:.*
+
+
+GET http://test.remote.haxx.se.1246:%HTTPPORT/ HTTP/1.1
+Host: test.remote.haxx.se.1246:%HTTPPORT
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://no-scheme-url.com.1246:%HTTPPORT/ HTTP/1.1
+Host: no-scheme-url.com.1246:%HTTPPORT
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+
+
+
-- 
2.7.4