Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
curl
curl-7.37.0-CVE-2018-1000007.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-7.37.0-CVE-2018-1000007.patch of Package curl
From eb681b986b457917dbda55c97f03e79a1092ca6d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Fri, 19 Jan 2018 13:19:25 +0100 Subject: [PATCH] http: prevent custom Authorization headers in redirects ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Added test 317 and 318 to verify behavior. Reported-by: Craig de Stigter Index: curl-7.37.0/lib/http.c =================================================================== --- curl-7.37.0.orig/lib/http.c +++ curl-7.37.0/lib/http.c @@ -711,7 +711,7 @@ Curl_http_output_auth(struct connectdata if(!data->state.this_is_a_follow || conn->bits.netrc || !data->state.first_host || - data->set.http_disable_hostname_check_before_authentication || + data->set.allow_auth_to_other_hosts || Curl_raw_equal(data->state.first_host, conn->host.name)) { result = output_auth_headers(conn, authhost, request, path, FALSE); } @@ -1635,6 +1635,14 @@ CURLcode Curl_add_custom_headers(struct Connection: */ checkprefix("Connection", headers->data)) ; + else if(checkprefix("Authorization:", headers->data) && + /* be careful of sending this potentially sensitive header to + other hosts */ + (data->state.this_is_a_follow && + data->state.first_host && + !data->set.allow_auth_to_other_hosts && + !Curl_raw_equal(data->state.first_host, conn->host.name))) + ; else { CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", headers->data); Index: curl-7.37.0/lib/urldata.h =================================================================== --- curl-7.37.0.orig/lib/urldata.h +++ curl-7.37.0/lib/urldata.h @@ -1544,7 +1544,7 @@ struct UserDefined { bool http_fail_on_error; /* fail on HTTP error codes >= 300 */ bool http_follow_location; /* follow HTTP redirects */ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ - bool http_disable_hostname_check_before_authentication; + bool allow_auth_to_other_hosts; bool include_header; /* include received protocol headers in data output */ bool http_set_referer; /* is a custom referer used */ bool http_auto_referer; /* set "correct" referer when following location: */ Index: curl-7.37.0/tests/data/test317 =================================================================== --- /dev/null +++ curl-7.37.0/tests/data/test317 @@ -0,0 +1,94 @@ +<testcase> +<info> +<keywords> +HTTP +HTTP proxy +HTTP Basic auth +HTTP proxy Basic auth +followlocation +</keywords> +</info> +# +# Server-side +<reply> +<data> +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3170002 +Content-Length: 8 +Connection: close + +contents +</data> +<data2> +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents +</data2> + +<datacheck> +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3170002 +Content-Length: 8 +Connection: close + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents +</datacheck> +</reply> + +# +# Client-side +<client> +<server> +http +</server> + <name> +HTTP with custom Authorization: and redirect to new host + </name> + <command> +http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location +</command> +</client> + +# +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent:.* +</strip> +<protocol> +GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: first.host.it.is +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + +GET http://goto.second.host.now/3170002 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: goto.second.host.now +Accept: */* +Proxy-Connection: Keep-Alive + +</protocol> +</verify> +</testcase> Index: curl-7.37.0/tests/data/test318 =================================================================== --- /dev/null +++ curl-7.37.0/tests/data/test318 @@ -0,0 +1,95 @@ +<testcase> +<info> +<keywords> +HTTP +HTTP proxy +HTTP Basic auth +HTTP proxy Basic auth +followlocation +</keywords> +</info> +# +# Server-side +<reply> +<data> +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3180002 +Content-Length: 8 +Connection: close + +contents +</data> +<data2> +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents +</data2> + +<datacheck> +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3180002 +Content-Length: 8 +Connection: close + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents +</datacheck> +</reply> + +# +# Client-side +<client> +<server> +http +</server> + <name> +HTTP with custom Authorization: and redirect to new host + </name> + <command> +http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted +</command> +</client> + +# +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent:.* +</strip> +<protocol> +GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: first.host.it.is +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + +GET http://goto.second.host.now/3180002 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: goto.second.host.now +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + +</protocol> +</verify> +</testcase> Index: curl-7.37.0/lib/url.c =================================================================== --- curl-7.37.0.orig/lib/url.c +++ curl-7.37.0/lib/url.c @@ -913,7 +913,7 @@ CURLcode Curl_setopt(struct SessionHandl * Send authentication (user+password) when following locations, even when * hostname changed. */ - data->set.http_disable_hostname_check_before_authentication = + data->set.allow_auth_to_other_hosts = (0 != va_arg(param, long))?TRUE:FALSE; break; Index: curl-7.37.0/tests/data/Makefile.am =================================================================== --- curl-7.37.0.orig/tests/data/Makefile.am +++ curl-7.37.0/tests/data/Makefile.am @@ -37,7 +37,7 @@ test280 test281 test282 test283 test284 test289 test290 test291 test292 test293 test294 test295 test296 test297 \ test298 test299 test300 test301 test302 test303 test304 test305 test306 \ test307 test308 test309 test310 test311 test312 test313 \ - test320 test321 test322 test323 test324 \ +test317 test318 test320 test321 test322 test323 test324 \ test325 \ test350 test351 test352 test353 test354 \ \ Index: curl-7.37.0/tests/data/Makefile.in =================================================================== --- curl-7.37.0.orig/tests/data/Makefile.in +++ curl-7.37.0/tests/data/Makefile.in @@ -345,7 +345,7 @@ test280 test281 test282 test283 test284 test289 test290 test291 test292 test293 test294 test295 test296 test297 \ test298 test299 test300 test301 test302 test303 test304 test305 test306 \ test307 test308 test309 test310 test311 test312 test313 \ - test320 test321 test322 test323 test324 \ +test317 test318 test320 test321 test322 test323 test324 \ test325 \ test350 test351 test352 test353 test354 \ \
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor