diff options
Diffstat (limited to 'external/curl/CVE-2018-1000007.patch')
-rw-r--r-- | external/curl/CVE-2018-1000007.patch | 110 |
1 files changed, 0 insertions, 110 deletions
diff --git a/external/curl/CVE-2018-1000007.patch b/external/curl/CVE-2018-1000007.patch deleted file mode 100644 index c474370c78ad..000000000000 --- a/external/curl/CVE-2018-1000007.patch +++ /dev/null @@ -1,110 +0,0 @@ -From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Fri, 19 Jan 2018 13:19:25 +0100 -Subject: [PATCH] http: prevent custom Authorization headers in redirects - -... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how -curl already handles Authorization headers created internally. - -Note: this changes behavior slightly, for the sake of reducing mistakes. - -Added test 317 and 318 to verify. - -Reported-by: Craig de Stigter -Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html ---- - docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++- - lib/http.c | 10 +++- - lib/setopt.c | 2 +- - lib/urldata.h | 2 +- - tests/data/Makefile.inc | 2 +- - tests/data/test317 | 94 +++++++++++++++++++++++++++++++++ - tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++ - 7 files changed, 212 insertions(+), 5 deletions(-) - create mode 100644 tests/data/test317 - create mode 100644 tests/data/test318 - -diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -index c5ccb1a53d..c9f29e393e 100644 ---- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 -@@ -5,7 +5,7 @@ - .\" * | (__| |_| | _ <| |___ - .\" * \___|\___/|_| \_\_____| - .\" * --.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al. -+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. - .\" * - .\" * This software is licensed as described in the file COPYING, which - .\" * you should have received as part of this distribution. The terms -@@ -77,6 +77,16 @@ the headers. They may be private or otherwise sensitive to leak. - - Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you - intend them to get sent. -+ -+Custom headers are sent in all requests done by the easy handles, which -+implies that if you tell libcurl to follow redirects -+(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent -+in the subsequent request. Redirects can of course go to other hosts and thus -+those servers will get all the contents of your custom headers too. -+ -+Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers -+from being sent to other hosts than the first used one, unless specifically -+permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option. - .SH DEFAULT - NULL - .SH PROTOCOLS -diff --git a/lib/http.c b/lib/http.c -index c1cdf2da02..a5007670d7 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn, - if(!data->state.this_is_a_follow || - conn->bits.netrc || - !data->state.first_host || -- data->set.http_disable_hostname_check_before_authentication || -+ data->set.allow_auth_to_other_hosts || - strcasecompare(data->state.first_host, conn->host.name)) { - result = output_auth_headers(conn, authhost, request, path, FALSE); - } -@@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, - checkprefix("Transfer-Encoding:", headers->data)) - /* HTTP/2 doesn't support chunked requests */ - ; -+ else if(checkprefix("Authorization:", headers->data) && -+ /* be careful of sending this potentially sensitive header to -+ other hosts */ -+ (data->state.this_is_a_follow && -+ data->state.first_host && -+ !data->set.allow_auth_to_other_hosts && -+ !strcasecompare(data->state.first_host, conn->host.name))) -+ ; - else { - CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", - headers->data); -diff --git a/lib/setopt.c b/lib/setopt.c -index 66f30ea653..a5ef75c722 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -976,7 +976,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, - * Send authentication (user+password) when following locations, even when - * hostname changed. - */ -- data->set.http_disable_hostname_check_before_authentication = -+ data->set.allow_auth_to_other_hosts = - (0 != va_arg(param, long)) ? TRUE : FALSE; - break; - -diff --git a/lib/urldata.h b/lib/urldata.h -index 4dcd1a322c..5c04ad1720 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1599,7 +1599,7 @@ struct UserDefined { - bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */ - bool http_follow_location; /* follow HTTP redirects */ - bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ -- bool http_disable_hostname_check_before_authentication; -+ bool allow_auth_to_other_hosts; - bool include_header; /* include received protocol headers in data output */ - bool http_set_referer; /* is a custom referer used */ - bool http_auto_referer; /* set "correct" referer when following location: */ |