Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
curl-mini.19620
curl-CVE-2020-8169.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2020-8169.patch of Package curl-mini.19620
From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 14 May 2020 14:37:12 +0200 Subject: [PATCH] url: make the updated credentials URL-encoded in the URL Found-by: Gregory Jefferis Reported-by: Jeroen Ooms Added test 1168 to verify. Bug spotted when doing a redirect. Bug: https://github.com/jeroen/curl/issues/224 Closes #5400 --- lib/url.c | 6 ++-- tests/data/Makefile.inc | 1 + tests/data/test1168 | 78 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 2 deletions(-) create mode 100644 tests/data/test1168 Index: curl-7.66.0/lib/url.c =================================================================== --- curl-7.66.0.orig/lib/url.c +++ curl-7.66.0/lib/url.c @@ -2716,12 +2716,14 @@ static CURLcode override_login(struct Cu /* for updated strings, we update them in the URL */ if(user_changed) { - uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0); + uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, + CURLU_URLENCODE); if(uc) return Curl_uc_to_curlcode(uc); } if(passwd_changed) { - uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0); + uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, + CURLU_URLENCODE); if(uc) return Curl_uc_to_curlcode(uc); } Index: curl-7.66.0/tests/data/Makefile.inc =================================================================== --- curl-7.66.0.orig/tests/data/Makefile.inc +++ curl-7.66.0/tests/data/Makefile.inc @@ -129,7 +129,7 @@ test1128 test1129 test1130 test1131 test test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \ test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \ -test1160 test1161 test1162 test1163 test1164 test1165 \ +test1160 test1161 test1162 test1163 test1164 test1165 test1168 \ test1170 test1171 test1172 test1173 test1174 \ \ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ Index: curl-7.66.0/tests/data/test1168 =================================================================== --- /dev/null +++ curl-7.66.0/tests/data/test1168 @@ -0,0 +1,78 @@ +<testcase> +<info> +<keywords> +HTTP +HTTP GET +followlocation +</keywords> +</info> +# Server-side +<reply> +<data> +HTTP/1.1 301 This is a weirdo text message swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Location: /data/11680002.txt +Connection: close + +This server reply is for testing a simple Location: following + +</data> +<data2> +HTTP/1.1 200 Followed here fine swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Content-Length: 52 + +If this is received, the location following worked + +</data2> +<datacheck> +HTTP/1.1 301 This is a weirdo text message swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Location: /data/11680002.txt +Connection: close + +HTTP/1.1 200 Followed here fine swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Content-Length: 52 + +If this is received, the location following worked + +</datacheck> +</reply> + +# Client-side +<client> +<server> +http +</server> + <name> +HTTP redirect with credentials using # in user and password + </name> + <command> +http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY" +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent:.* +</strip> +<protocol> +GET /want/1168 HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== +Accept: */* + +GET /data/11680002.txt HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== +Accept: */* + +</protocol> +</verify> +</testcase>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor