Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
curl
curl-CVE-2023-28321.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2023-28321.patch of Package curl
From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Mon, 24 Apr 2023 21:07:02 +0200 Subject: [PATCH] hostcheck: fix host name wildcard checking The leftmost "label" of the host name can now only match against single '*'. Like the browsers have worked for a long time. - extended unit test 1397 for this - move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc Reported-by: Hiroki Kurosawa Closes #11018 --- lib/hostcheck.c | 50 +++++++-------- tests/data/test1397 | 10 ++- tests/unit/Makefile.am | 94 ---------------------------- tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++ tests/unit/unit1397.c | 134 ++++++++++++++++++++++++---------------- 5 files changed, 202 insertions(+), 180 deletions(-) Index: curl-7.37.0/lib/hostcheck.c =================================================================== --- curl-7.37.0.orig/lib/hostcheck.c +++ curl-7.37.0/lib/hostcheck.c @@ -54,15 +54,19 @@ * apparent distinction between a name and an IP. We need to detect the use of * an IP address and not wildcard match on such names. * + * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor + * "*b". + * + * @unittest: 1397 + * * NOTE: hostmatch() gets called with copied buffers so that it can modify the * contents at will. */ static int hostmatch(char *hostname, char *pattern) { - const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; - int wildcard_enabled; - size_t prefixlen, suffixlen; + const char *pattern_label_end, *hostname_label_end; + size_t suffixlen; struct in_addr ignored; #ifdef ENABLE_IPV6 struct sockaddr_in6 si6; @@ -76,13 +80,12 @@ static int hostmatch(char *hostname, cha if(pattern[len-1]=='.') pattern[len-1]=0; - pattern_wildcard = strchr(pattern, '*'); - if(pattern_wildcard == NULL) + if(strncmp(pattern, "*.", 2)) return Curl_raw_equal(pattern, hostname) ? CURL_HOST_MATCH : CURL_HOST_NOMATCH; /* detect IP address as hostname and fail the match if so */ - if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) + else if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0) return CURL_HOST_NOMATCH; #ifdef ENABLE_IPV6 else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0) @@ -91,14 +94,9 @@ static int hostmatch(char *hostname, cha /* We require at least 2 dots in pattern to avoid too wide wildcard match. */ - wildcard_enabled = 1; pattern_label_end = strchr(pattern, '.'); - if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL || - pattern_wildcard > pattern_label_end || - Curl_raw_nequal(pattern, "xn--", 4)) { - wildcard_enabled = 0; - } - if(!wildcard_enabled) + if(pattern_label_end == NULL || + strchr(pattern_label_end+1, '.') == NULL) return Curl_raw_equal(pattern, hostname) ? CURL_HOST_MATCH : CURL_HOST_NOMATCH; @@ -113,11 +111,9 @@ static int hostmatch(char *hostname, cha if(hostname_label_end - hostname < pattern_label_end - pattern) return CURL_HOST_NOMATCH; - prefixlen = pattern_wildcard - pattern; - suffixlen = pattern_label_end - (pattern_wildcard+1); - return Curl_raw_nequal(pattern, hostname, prefixlen) && - Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen, - suffixlen) ? + suffixlen = pattern_label_end - (pattern+1); + return Curl_raw_nequal(pattern+1, hostname_label_end - suffixlen, + suffixlen) ? CURL_HOST_MATCH : CURL_HOST_NOMATCH; } Index: curl-7.37.0/tests/data/test1397 =================================================================== --- curl-7.37.0.orig/tests/data/test1397 +++ curl-7.37.0/tests/data/test1397 @@ -2,8 +2,7 @@ <info> <keywords> unittest -ssl -wildcard +Curl_cert_hostcheck </keywords> </info> @@ -16,12 +15,11 @@ none <features> unittest </features> - <name> -Check wildcard certificate matching function Curl_cert_hostcheck - </name> +<name> +Curl_cert_hostcheck unit tests +</name> <tool> unit1397 </tool> </client> - </testcase> Index: curl-7.37.0/tests/unit/unit1397.c =================================================================== --- curl-7.37.0.orig/tests/unit/unit1397.c +++ curl-7.37.0/tests/unit/unit1397.c @@ -1,7 +1,5 @@ #include "curlcheck.h" -#include "hostcheck.h" /* from the lib dir */ - static CURLcode unit_setup(void) { return CURLE_OK; @@ -9,44 +7,94 @@ static CURLcode unit_setup(void) static void unit_stop( void ) { - /* done before shutting down and exiting */ } -UNITTEST_START - /* only these backends define the tested functions */ #if defined(USE_SSLEAY) || defined(USE_AXTLS) || defined(USE_QSOSSL) || \ - defined(USE_GSKIT) - - /* here you start doing things and checking that the results are good */ + defined(USE_GSKIT) || defined(USE_SCHANNEL) +#include "hostcheck.h" /* from the lib dir */ +struct testcase { + const char *host; + const char *pattern; + bool match; +}; + + +static struct testcase tests[] = { + {"", "", FALSE}, + {"a", "", FALSE}, + {"", "b", FALSE}, + {"a", "b", FALSE}, + {"aa", "bb", FALSE}, + {"\xff", "\xff", TRUE}, + {"aa.aa.aa", "aa.aa.bb", FALSE}, + {"aa.aa.aa", "aa.aa.aa", TRUE}, + {"aa.aa.aa", "*.aa.bb", FALSE}, + {"aa.aa.aa", "*.aa.aa", TRUE}, + {"192.168.0.1", "192.168.0.1", TRUE}, + {"192.168.0.1", "*.168.0.1", FALSE}, + {"192.168.0.1", "*.0.1", FALSE}, + {"h.ello", "*.ello", FALSE}, + {"h.ello.", "*.ello", FALSE}, + {"h.ello", "*.ello.", FALSE}, + {"h.e.llo", "*.e.llo", TRUE}, + {"h.e.llo", " *.e.llo", FALSE}, + {" h.e.llo", "*.e.llo", TRUE}, + {"h.e.llo.", "*.e.llo", TRUE}, + {"*.e.llo.", "*.e.llo", TRUE}, + {"************.e.llo.", "*.e.llo", TRUE}, + {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" + "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" + "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" + "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" + ".e.llo.", "*.e.llo", TRUE}, + {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, + {"h.e.llo.", "*.e.llo.", TRUE}, + {"h.e.llo", "*.e.llo.", TRUE}, + {".h.e.llo", "*.e.llo.", FALSE}, + {"h.e.llo", "*.*.llo.", FALSE}, + {"h.e.llo", "h.*.llo", FALSE}, + {"h.e.llo", "h.e.*", FALSE}, + {"hello", "*.ello", FALSE}, + {"hello", "**llo", FALSE}, + {"bar.foo.example.com", "*.example.com", FALSE}, + {"foo.example.com", "*.example.com", TRUE}, + {"baz.example.net", "b*z.example.net", FALSE}, + {"foobaz.example.net", "*baz.example.net", FALSE}, + {"xn--l8j.example.local", "x*.example.local", FALSE}, + {"xn--l8j.example.net", "*.example.net", TRUE}, + {"xn--l8j.example.net", "*j.example.net", FALSE}, + {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, + {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, + {"xl8j.example.net", "*.example.net", TRUE}, + {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, + {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, + {NULL, NULL, FALSE} +}; -fail_unless( Curl_cert_hostcheck("www.example.com", "www.example.com"), "good 1" ); -fail_unless( Curl_cert_hostcheck("*.example.com", "www.example.com"), "good 2" ); -fail_unless( Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"), "good 3" ); -fail_unless( Curl_cert_hostcheck("f*.example.com", "foo.example.com"), "good 4" ); -fail_unless( Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"), "good 5" ); - -fail_if( Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1" ); -fail_if( Curl_cert_hostcheck("*", "www.example.com"), "bad 2" ); -fail_if( Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3" ); -fail_if( Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4" ); -fail_if( Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5" ); -fail_if( Curl_cert_hostcheck("*.com", "example.com"), "bad 6" ); -fail_if( Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7" ); -fail_if( Curl_cert_hostcheck("*.example.", "www.example."), "bad 8" ); -fail_if( Curl_cert_hostcheck("*.example.", "www.example"), "bad 9" ); -fail_if( Curl_cert_hostcheck("", "www"), "bad 10" ); -fail_if( Curl_cert_hostcheck("*", "www"), "bad 11" ); -fail_if( Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12" ); -fail_if( Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13" ); - -#ifdef ENABLE_IPV6 -fail_if( Curl_cert_hostcheck("*::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619"), "bad 14" ); -fail_unless( Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619"), "good 6" ); -#endif +UNITTEST_START +{ + int i; + for(i = 0; tests[i].host; i++) { + if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, + tests[i].host)) { + fprintf(stderr, + "HOST: %s\n" + "PTRN: %s\n" + "did %sMATCH\n", + tests[i].host, + tests[i].pattern, + tests[i].match ? "NOT ": ""); + unitfail++; + } + } +} -#endif +UNITTEST_STOP +#else - /* you end the test code like this: */ +UNITTEST_START UNITTEST_STOP +#endif
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor