hemu312/curl
1
0
Fork 0
forked from rpms/curl
Code Pull Requests Activity

import curl-7.61.1-14.el8_3.1

Browse Source
This commit is contained in:
CentOS Sources 2020-12-15 10:59:37 -05:00 committed by Andrew Lukoshko
parent 239d821966
commit 324a6e1c46
2 changed files with 68 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch Normal file
View File

@ -0,0 +1,60 @@
From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Ba=C5=A1ti?= <mbasti@redhat.com>
Date: Thu, 27 Aug 2020 23:09:56 +0200
Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
... in case NO_PROXY takes an effect
Without this patch, the following command crashes:
$ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
git clone https://github.com/curl/curl.git
Minimal libcurl-based reproducer:
#include <curl/curl.h>
int main() {
CURL *curl = curl_easy_init();
if(curl) {
CURLcode ret;
curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
/* set the proxy type */
curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
ret = curl_easy_perform(curl);
curl_easy_cleanup(curl);
return ret;
}
return -1;
}
Assisted-by: Kamil Dudka
Bug: https://bugzilla.redhat.com/1873327
Closes #5902
Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/url.c b/lib/url.c
index d65d17d..e77f391 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
conn->bits.socksproxy = FALSE;
conn->bits.proxy_user_passwd = FALSE;
conn->bits.tunnel_proxy = FALSE;
+ /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
+ to signal that CURLPROXY_HTTPS is not used for this connection */
+ conn->http_proxy.proxytype = CURLPROXY_HTTP;
}
out:
--
2.25.4

9
SPECS/curl.spec
View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.61.1 Version: 7.61.1
Release: 14%{?dist} Release: 14%{?dist}.1
License: MIT License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@ -58,6 +58,9 @@ Patch20: 0020-curl-7.61.1-openssl-engines.patch
# avoid overwriting a local file with -J (CVE-2020-8177) # avoid overwriting a local file with -J (CVE-2020-8177)
Patch21: 0021-curl-7.61.1-CVE-2020-8177.patch Patch21: 0021-curl-7.61.1-CVE-2020-8177.patch
# do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
Patch23: 0023-curl-7.61.1-no-https-proxy-crash.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -242,6 +245,7 @@ git apply %{PATCH4}
%patch19 -p1 %patch19 -p1
%patch20 -p1 %patch20 -p1
%patch21 -p1 %patch21 -p1
%patch23 -p1
# make tests/*.py use Python 3 # make tests/*.py use Python 3
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -402,6 +406,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Mon Nov 23 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14.el8_3.1
- do not crash when HTTPS_PROXY and NO_PROXY are used together (#1873327)
* Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14 * Tue Jul 28 2020 Kamil Dudka <kdudka@redhat.com> - 7.61.1-14
- avoid overwriting a local file with -J (CVE-2020-8177) - avoid overwriting a local file with -J (CVE-2020-8177)