rpms/curl
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
424d9c193f
curl/0006-curl-7.82.0-CVE-2022-27780.patch

70 lines
2.4 KiB
Diff
Raw Blame History

From 52684f4ad348deee05ce49c65b2446f68f4dc1a8 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 08:19:38 +0200
Subject: [PATCH 1/2] urlapi: reject percent-decoding host name into separator
bytes
CVE-2022-27780
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27780.html
Closes #8826
Upstream-commit: 914aaab9153764ef8fa4178215b8ad89d3ac263a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/urlapi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/urlapi.c b/lib/urlapi.c
index ff00ee4..00222fc 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
#endif
}
else {
- /* letters from the second string is not ok */
- len = strcspn(hostname, " \r\n");
+ /* letters from the second string are not ok */
+ len = strcspn(hostname, " \r\n\t/:#?!@");
if(hlen != len)
/* hostname with bad content */
return CURLUE_BAD_HOSTNAME;
--
2.34.1
From f69fa599b12737aebc4bacee7608807620ff42cf Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 08:19:38 +0200
Subject: [PATCH 2/2] libtest/lib1560: verify the host name percent decode fix
Upstream-commit: cfa47974fea04753d1131cac701e331cd91bec6f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/libtest/lib1560.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
index 7614849..84ee933 100644
--- a/tests/libtest/lib1560.c
+++ b/tests/libtest/lib1560.c
@@ -374,6 +374,13 @@ static const struct testcase get_parts_list[] ={
static const struct urltestcase get_url_list[] = {
/* percent encoded host names */
+ {"http://example.com%40127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"http://example.com%21127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"http://example.com%3f127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"http://example.com%23127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"http://example.com%3a127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"http://example.com%09127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"http://example.com%2F127.0.0.1/", "", 0, 0, CURLUE_BAD_HOSTNAME},
{"https://%this", "https://%25this/", 0, 0, CURLUE_OK},
{"https://h%c", "https://h%25c/", 0, 0, CURLUE_OK},
{"https://%%%%%%", "https://%25%25%25%25%25%25/", 0, 0, CURLUE_OK},
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink