274 lines
6.2 KiB
Diff
274 lines
6.2 KiB
Diff
From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 9 May 2022 08:13:54 +0200
|
|
Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots
|
|
|
|
Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
---
|
|
tests/data/Makefile.inc | 2 ++
|
|
tests/data/test440 | 72 +++++++++++++++++++++++++++++++++++++++++
|
|
tests/data/test441 | 72 +++++++++++++++++++++++++++++++++++++++++
|
|
3 files changed, 146 insertions(+)
|
|
create mode 100644 tests/data/test440
|
|
create mode 100644 tests/data/test441
|
|
|
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
index 175fc43..a5b8dc2 100644
|
|
--- a/tests/data/Makefile.inc
|
|
+++ b/tests/data/Makefile.inc
|
|
@@ -72,6 +72,8 @@ test409 test410 \
|
|
\
|
|
test430 test431 test432 test433 test434 test435 test436 \
|
|
\
|
|
+test440 test441 \
|
|
+\
|
|
test490 test491 test492 test493 test494 \
|
|
\
|
|
test500 test501 test502 test503 test504 test505 test506 test507 test508 \
|
|
diff --git a/tests/data/test440 b/tests/data/test440
|
|
new file mode 100644
|
|
index 0000000..c640b02
|
|
--- /dev/null
|
|
+++ b/tests/data/test440
|
|
@@ -0,0 +1,72 @@
|
|
+<testcase>
|
|
+<info>
|
|
+<keywords>
|
|
+HTTP
|
|
+HSTS
|
|
+trailing-dot
|
|
+</keywords>
|
|
+</info>
|
|
+
|
|
+<reply>
|
|
+
|
|
+# we use this as response to a CONNECT
|
|
+<connect nocheck="yes">
|
|
+HTTP/1.1 403 not OK at all
|
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
+Server: test-server/fake
|
|
+Content-Length: 6
|
|
+Connection: close
|
|
+Funny-head: yesyes
|
|
+
|
|
+-foo-
|
|
+</connect>
|
|
+</reply>
|
|
+
|
|
+<client>
|
|
+<server>
|
|
+http
|
|
+</server>
|
|
+<features>
|
|
+HSTS
|
|
+proxy
|
|
+https
|
|
+</features>
|
|
+
|
|
+# no trailing dot in the file only in the URL
|
|
+<file name="log/input%TESTNUMBER">
|
|
+this.hsts.example "99991001 04:47:41"
|
|
+</file>
|
|
+
|
|
+<name>
|
|
+HSTS with trailing-dot host name in URL but none in hsts file
|
|
+</name>
|
|
+<command>
|
|
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
|
|
+</command>
|
|
+</client>
|
|
+
|
|
+<verify>
|
|
+# we let it CONNECT to the server to confirm HSTS but deny from there
|
|
+<protocol>
|
|
+CONNECT this.hsts.example.:443 HTTP/1.1
|
|
+Host: this.hsts.example.:443
|
|
+User-Agent: curl/%VERSION
|
|
+Proxy-Connection: Keep-Alive
|
|
+
|
|
+</protocol>
|
|
+<stdout>
|
|
+HTTP/1.1 403 not OK at all
|
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
+Server: test-server/fake
|
|
+Content-Length: 6
|
|
+Connection: close
|
|
+Funny-head: yesyes
|
|
+
|
|
+https://this.hsts.example./%TESTNUMBER
|
|
+</stdout>
|
|
+# Proxy CONNECT aborted
|
|
+<errorcode>
|
|
+56
|
|
+</errorcode>
|
|
+</verify>
|
|
+</testcase>
|
|
diff --git a/tests/data/test441 b/tests/data/test441
|
|
new file mode 100644
|
|
index 0000000..7f5245b
|
|
--- /dev/null
|
|
+++ b/tests/data/test441
|
|
@@ -0,0 +1,72 @@
|
|
+<testcase>
|
|
+<info>
|
|
+<keywords>
|
|
+HTTP
|
|
+HSTS
|
|
+trailing-dot
|
|
+</keywords>
|
|
+</info>
|
|
+
|
|
+<reply>
|
|
+
|
|
+# we use this as response to a CONNECT
|
|
+<connect nocheck="yes">
|
|
+HTTP/1.1 403 not OK at all
|
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
+Server: test-server/fake
|
|
+Content-Length: 6
|
|
+Connection: close
|
|
+Funny-head: yesyes
|
|
+
|
|
+-foo-
|
|
+</connect>
|
|
+</reply>
|
|
+
|
|
+<client>
|
|
+<server>
|
|
+http
|
|
+</server>
|
|
+<features>
|
|
+HSTS
|
|
+proxy
|
|
+https
|
|
+</features>
|
|
+
|
|
+# no trailing dot in the file only in the URL
|
|
+<file name="log/input%TESTNUMBER">
|
|
+this.hsts.example. "99991001 04:47:41"
|
|
+</file>
|
|
+
|
|
+<name>
|
|
+HSTS with no t-dot host name in URL but t-dot in file
|
|
+</name>
|
|
+<command>
|
|
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
|
|
+</command>
|
|
+</client>
|
|
+
|
|
+<verify>
|
|
+# we let it CONNECT to the server to confirm HSTS but deny from there
|
|
+<protocol>
|
|
+CONNECT this.hsts.example:443 HTTP/1.1
|
|
+Host: this.hsts.example:443
|
|
+User-Agent: curl/%VERSION
|
|
+Proxy-Connection: Keep-Alive
|
|
+
|
|
+</protocol>
|
|
+<stdout>
|
|
+HTTP/1.1 403 not OK at all
|
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
+Server: test-server/fake
|
|
+Content-Length: 6
|
|
+Connection: close
|
|
+Funny-head: yesyes
|
|
+
|
|
+https://this.hsts.example/%TESTNUMBER
|
|
+</stdout>
|
|
+# Proxy CONNECT aborted
|
|
+<errorcode>
|
|
+56
|
|
+</errorcode>
|
|
+</verify>
|
|
+</testcase>
|
|
--
|
|
2.34.1
|
|
|
|
|
|
From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 9 May 2022 08:13:55 +0200
|
|
Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names
|
|
|
|
CVE-2022-30115
|
|
|
|
Reported-by: Axel Chong
|
|
Bug: https://curl.se/docs/CVE-2022-30115.html
|
|
Closes #8821
|
|
|
|
Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
---
|
|
lib/hsts.c | 30 +++++++++++++++++++++++++-----
|
|
1 file changed, 25 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/lib/hsts.c b/lib/hsts.c
|
|
index 03fcc9e..b9fa6f7 100644
|
|
--- a/lib/hsts.c
|
|
+++ b/lib/hsts.c
|
|
@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
|
|
curl_off_t expires)
|
|
{
|
|
struct stsentry *sts = hsts_entry();
|
|
+ char *duphost;
|
|
+ size_t hlen;
|
|
if(!sts)
|
|
return CURLE_OUT_OF_MEMORY;
|
|
|
|
- sts->expires = expires;
|
|
- sts->includeSubDomains = subdomains;
|
|
- sts->host = strdup(hostname);
|
|
- if(!sts->host) {
|
|
+ duphost = strdup(hostname);
|
|
+ if(!duphost) {
|
|
free(sts);
|
|
return CURLE_OUT_OF_MEMORY;
|
|
}
|
|
+
|
|
+ hlen = strlen(duphost);
|
|
+ if(duphost[hlen - 1] == '.')
|
|
+ /* strip off trailing any dot */
|
|
+ duphost[--hlen] = 0;
|
|
+
|
|
+ sts->host = duphost;
|
|
+ sts->expires = expires;
|
|
+ sts->includeSubDomains = subdomains;
|
|
Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
|
|
return CURLE_OK;
|
|
}
|
|
@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
|
|
bool subdomain)
|
|
{
|
|
if(h) {
|
|
+ char buffer[MAX_HSTS_HOSTLEN + 1];
|
|
time_t now = time(NULL);
|
|
size_t hlen = strlen(hostname);
|
|
struct Curl_llist_element *e;
|
|
struct Curl_llist_element *n;
|
|
+
|
|
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
|
|
+ return NULL;
|
|
+ memcpy(buffer, hostname, hlen);
|
|
+ if(hostname[hlen-1] == '.')
|
|
+ /* remove the trailing dot */
|
|
+ --hlen;
|
|
+ buffer[hlen] = 0;
|
|
+ hostname = buffer;
|
|
+
|
|
for(e = h->list.head; e; e = n) {
|
|
struct stsentry *sts = e->ptr;
|
|
n = e->next;
|
|
@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
|
|
CURLSTScode sc;
|
|
DEBUGASSERT(h);
|
|
do {
|
|
- char buffer[257];
|
|
+ char buffer[MAX_HSTS_HOSTLEN + 1];
|
|
struct curl_hstsentry e;
|
|
e.name = buffer;
|
|
e.namelen = sizeof(buffer)-1;
|
|
--
|
|
2.34.1
|
|
|