1 files changed, 0 insertions, 110 deletions
diff --git a/external/curl/CVE-2018-1000007.patch b/external/curl/CVE-2018-1000007.patch
deleted file mode 100644
index c474370c78ad..000000000000
--- a/external/curl/CVE-2018-1000007.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Fri, 19 Jan 2018 13:19:25 +0100
-Subject: [PATCH] http: prevent custom Authorization headers in redirects
-
-... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
-curl already handles Authorization headers created internally.
-
-Note: this changes behavior slightly, for the sake of reducing mistakes.
-
-Added test 317 and 318 to verify.
-
-Reported-by: Craig de Stigter
-Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
----
- docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++-
- lib/http.c                             | 10 +++-
- lib/setopt.c                           |  2 +-
- lib/urldata.h                          |  2 +-
- tests/data/Makefile.inc                |  2 +-
- tests/data/test317                     | 94 +++++++++++++++++++++++++++++++++
- tests/data/test318                     | 95 ++++++++++++++++++++++++++++++++++
- 7 files changed, 212 insertions(+), 5 deletions(-)
- create mode 100644 tests/data/test317
- create mode 100644 tests/data/test318
-
-diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
-index c5ccb1a53d..c9f29e393e 100644
---- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
-+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
-@@ -5,7 +5,7 @@
- .\" *                            | (__| |_| |  _ <| |___
- .\" *                             \___|\___/|_| \_\_____|
- .\" *
--.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
-+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
- .\" *
- .\" * This software is licensed as described in the file COPYING, which
- .\" * you should have received as part of this distribution. The terms
-@@ -77,6 +77,16 @@ the headers. They may be private or otherwise sensitive to leak.
- 
- Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
- intend them to get sent.
-+
-+Custom headers are sent in all requests done by the easy handles, which
-+implies that if you tell libcurl to follow redirects
-+(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
-+in the subsequent request. Redirects can of course go to other hosts and thus
-+those servers will get all the contents of your custom headers too.
-+
-+Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
-+from being sent to other hosts than the first used one, unless specifically
-+permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
- .SH DEFAULT
- NULL
- .SH PROTOCOLS
-diff --git a/lib/http.c b/lib/http.c
-index c1cdf2da02..a5007670d7 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn,
-   if(!data->state.this_is_a_follow ||
-      conn->bits.netrc ||
-      !data->state.first_host ||
--     data->set.http_disable_hostname_check_before_authentication ||
-+     data->set.allow_auth_to_other_hosts ||
-      strcasecompare(data->state.first_host, conn->host.name)) {
-     result = output_auth_headers(conn, authhost, request, path, FALSE);
-   }
-@@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
-                   checkprefix("Transfer-Encoding:", headers->data))
-             /* HTTP/2 doesn't support chunked requests */
-             ;
-+          else if(checkprefix("Authorization:", headers->data) &&
-+                  /* be careful of sending this potentially sensitive header to
-+                     other hosts */
-+                  (data->state.this_is_a_follow &&
-+                   data->state.first_host &&
-+                   !data->set.allow_auth_to_other_hosts &&
-+                   !strcasecompare(data->state.first_host, conn->host.name)))
-+            ;
-           else {
-             CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
-                                                headers->data);
-diff --git a/lib/setopt.c b/lib/setopt.c
-index 66f30ea653..a5ef75c722 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -976,7 +976,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
-      * Send authentication (user+password) when following locations, even when
-      * hostname changed.
-      */
--    data->set.http_disable_hostname_check_before_authentication =
-+    data->set.allow_auth_to_other_hosts =
-       (0 != va_arg(param, long)) ? TRUE : FALSE;
-     break;
- 
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 4dcd1a322c..5c04ad1720 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1599,7 +1599,7 @@ struct UserDefined {
-   bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
-   bool http_follow_location; /* follow HTTP redirects */
-   bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
--  bool http_disable_hostname_check_before_authentication;
-+  bool allow_auth_to_other_hosts;
-   bool include_header;   /* include received protocol headers in data output */
-   bool http_set_referer; /* is a custom referer used */
-   bool http_auto_referer; /* set "correct" referer when following location: */