From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 9 May 2022 08:13:54 +0200
Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots
Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f
Signed-off-by: Kamil Dudka
---
tests/data/Makefile.inc | 2 ++
tests/data/test440 | 72 +++++++++++++++++++++++++++++++++++++++++
tests/data/test441 | 72 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 146 insertions(+)
create mode 100644 tests/data/test440
create mode 100644 tests/data/test441
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 175fc43..a5b8dc2 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -72,6 +72,8 @@ test409 test410 \
 \
 test430 test431 test432 test433 test434 test435 test436 \
 \
+test440 test441 \
+\
 test490 test491 test492 test493 test494 \
 \
 test500 test501 test502 test503 test504 test505 test506 test507 test508 \
diff --git a/tests/data/test440 b/tests/data/test440
new file mode 100644
index 0000000..c640b02
--- /dev/null
+++ b/tests/data/test440
@@ -0,0 +1,72 @@
+
+
+
+HTTP
+HSTS
+trailing-dot
+
+
+
+
+
+# we use this as response to a CONNECT
+
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+-foo-
+
+
+
+
+
+http
+
+
+HSTS
+proxy
+https
+
+
+# no trailing dot in the file only in the URL
+
+this.hsts.example "99991001 04:47:41"
+
+
+
+HSTS with trailing-dot host name in URL but none in hsts file
+
+
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
+
+
+
+
+# we let it CONNECT to the server to confirm HSTS but deny from there
+
+CONNECT this.hsts.example.:443 HTTP/1.1
+Host: this.hsts.example.:443
+User-Agent: curl/%VERSION
+Proxy-Connection: Keep-Alive
+
+
+
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+https://this.hsts.example./%TESTNUMBER
+
+# Proxy CONNECT aborted
+
+56
+
+
+
diff --git a/tests/data/test441 b/tests/data/test441
new file mode 100644
index 0000000..7f5245b
--- /dev/null
+++ b/tests/data/test441
@@ -0,0 +1,72 @@
+
+
+
+HTTP
+HSTS
+trailing-dot
+
+
+
+
+
+# we use this as response to a CONNECT
+
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+-foo-
+
+
+
+
+
+http
+
+
+HSTS
+proxy
+https
+
+
+# no trailing dot in the file only in the URL
+
+this.hsts.example. "99991001 04:47:41"
+
+
+
+HSTS with no t-dot host name in URL but t-dot in file
+
+
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
+
+
+
+
+# we let it CONNECT to the server to confirm HSTS but deny from there
+
+CONNECT this.hsts.example:443 HTTP/1.1
+Host: this.hsts.example:443
+User-Agent: curl/%VERSION
+Proxy-Connection: Keep-Alive
+
+
+
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+https://this.hsts.example/%TESTNUMBER
+
+# Proxy CONNECT aborted
+
+56
+
+
+
--
2.34.1
From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 9 May 2022 08:13:55 +0200
Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names
CVE-2022-30115
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-30115.html
Closes #8821
Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a
Signed-off-by: Kamil Dudka
---
lib/hsts.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/lib/hsts.c b/lib/hsts.c
index 03fcc9e..b9fa6f7 100644
--- a/lib/hsts.c
+++ b/lib/hsts.c
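Review bot: The comment `# no trailing dot in the file only in the URL` above the hsts input file in test441 is carried over from test440 and states the opposite of what this test sets up: here the file entry is `this.hsts.example.` (with the dot) and the URL on the command line is `http://this.hsts.example/%TESTNUMBER` (without). Suggest `# trailing dot in the file only, none in the URL`, which then matches the test name "HSTS with no t-dot host name in URL but t-dot in file" and the `CONNECT this.hsts.example:443` expectation below. Since the two test files are otherwise near-identical, a reader comparing them will otherwise take the comment as the distinguishing feature and read the case backwards.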
@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
 curl_off_t expires)
 {
 struct stsentry *sts = hsts_entry();
+ char *duphost;
+ size_t hlen;
 if(!sts)
 return CURLE_OUT_OF_MEMORY;
- sts->expires = expires;
- sts->includeSubDomains = subdomains;
- sts->host = strdup(hostname);
- if(!sts->host) {
+ duphost = strdup(hostname);
+ if(!duphost) {
 free(sts);
 return CURLE_OUT_OF_MEMORY;
 }
+
+ hlen = strlen(duphost);
+ if(duphost[hlen - 1] == '.')
+ /* strip off trailing any dot */
+ duphost[--hlen] = 0;
+
+ sts->host = duphost;
+ sts->expires = expires;
+ sts->includeSubDomains = subdomains;
 Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
 return CURLE_OK;
 }
@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
 bool subdomain)
 {
 if(h) {
+ char buffer[MAX_HSTS_HOSTLEN + 1];
 time_t now = time(NULL);
 size_t hlen = strlen(hostname);
 struct Curl_llist_element *e;
 struct Curl_llist_element *n;
+
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+ return NULL;
+ memcpy(buffer, hostname, hlen);
+ if(hostname[hlen-1] == '.')
+ /* remove the trailing dot */
+ --hlen;
+ buffer[hlen] = 0;
+ hostname = buffer;
+
 for(e = h->list.head; e; e = n) {
 struct stsentry *sts = e->ptr;
 n = e->next;
@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
 CURLSTScode sc;
 DEBUGASSERT(h);
 do {
- char buffer[257];
+ char buffer[MAX_HSTS_HOSTLEN + 1];
 struct curl_hstsentry e;
 e.name = buffer;
 e.namelen = sizeof(buffer)-1;
--
2.34.1
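Review bot: `duphost[hlen - 1]` in hsts_create is indexed without first checking that `hlen` is non-zero, so an empty hostname would read one byte before the start of the allocation; the lookup in the Curl_hsts hunk below guards the equivalent `hostname[hlen-1]` access with `|| !hlen`, and the store and lookup sides should agree: `if(hlen && duphost[hlen - 1] == '.')`. Whether any caller can reach hsts_create with an empty string is not visible here (its parameter list begins above the hunk), so treat this as a consistency fix rather than a confirmed crash. A host consisting of just `.` is also accepted and stored as the empty string after stripping, which Curl_hsts would never look up since it rejects `!hlen`; either rejecting it here or noting the choice in a comment would make the intent explicit. Separately, the added comment `/* strip off trailing any dot */` has its words out of order; `/* strip off any trailing dot */`.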