548 lines
12 KiB
Diff
548 lines
12 KiB
Diff
|
From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||
|
Subject: [PATCH 1/3] connect: store "conn_remote_port" in the info struct
|
||
|
|
||
|
To make it available after the connection ended.
|
||
|
|
||
|
Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
lib/connect.c | 1 +
|
||
|
lib/urldata.h | 6 +++++-
|
||
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/lib/connect.c b/lib/connect.c
|
||
|
index 64f9511..7518807 100644
|
||
|
--- a/lib/connect.c
|
||
|
+++ b/lib/connect.c
|
||
|
@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
|
||
|
data->info.conn_scheme = conn->handler->scheme;
|
||
|
data->info.conn_protocol = conn->handler->protocol;
|
||
|
data->info.conn_primary_port = conn->port;
|
||
|
+ data->info.conn_remote_port = conn->remote_port;
|
||
|
data->info.conn_local_port = local_port;
|
||
|
}
|
||
|
|
||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||
|
index f92052a..5218f76 100644
|
||
|
--- a/lib/urldata.h
|
||
|
+++ b/lib/urldata.h
|
||
|
@@ -1167,7 +1167,11 @@ struct PureInfo {
|
||
|
reused, in the connection cache. */
|
||
|
|
||
|
char conn_primary_ip[MAX_IPADR_LEN];
|
||
|
- int conn_primary_port;
|
||
|
+ int conn_primary_port; /* this is the destination port to the connection,
|
||
|
+ which might have been a proxy */
|
||
|
+ int conn_remote_port; /* this is the "remote port", which is the port
|
||
|
+ number of the used URL, independent of proxy or
|
||
|
+ not */
|
||
|
char conn_local_ip[MAX_IPADR_LEN];
|
||
|
int conn_local_port;
|
||
|
const char *conn_scheme;
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||
|
Subject: [PATCH 2/3] transfer: redirects to other protocols or ports clear
|
||
|
auth
|
||
|
|
||
|
... unless explicitly permitted.
|
||
|
|
||
|
Bug: https://curl.se/docs/CVE-2022-27774.html
|
||
|
Reported-by: Harry Sintonen
|
||
|
Closes #8748
|
||
|
|
||
|
Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
|
||
|
1 file changed, 48 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/lib/transfer.c b/lib/transfer.c
|
||
|
index 1f8019b..752fe14 100644
|
||
|
--- a/lib/transfer.c
|
||
|
+++ b/lib/transfer.c
|
||
|
@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||
|
return CURLE_OUT_OF_MEMORY;
|
||
|
}
|
||
|
else {
|
||
|
-
|
||
|
uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
|
||
|
if(uc)
|
||
|
return Curl_uc_to_curlcode(uc);
|
||
|
+
|
||
|
+ /* Clear auth if this redirects to a different port number or protocol,
|
||
|
+ unless permitted */
|
||
|
+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
|
||
|
+ char *portnum;
|
||
|
+ int port;
|
||
|
+ bool clear = FALSE;
|
||
|
+
|
||
|
+ if(data->set.use_port && data->state.allow_port)
|
||
|
+ /* a custom port is used */
|
||
|
+ port = (int)data->set.use_port;
|
||
|
+ else {
|
||
|
+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
|
||
|
+ CURLU_DEFAULT_PORT);
|
||
|
+ if(uc) {
|
||
|
+ free(newurl);
|
||
|
+ return Curl_uc_to_curlcode(uc);
|
||
|
+ }
|
||
|
+ port = atoi(portnum);
|
||
|
+ free(portnum);
|
||
|
+ }
|
||
|
+ if(port != data->info.conn_remote_port) {
|
||
|
+ infof(data, "Clear auth, redirects to port from %u to %u",
|
||
|
+ data->info.conn_remote_port, port);
|
||
|
+ clear = TRUE;
|
||
|
+ }
|
||
|
+ else {
|
||
|
+ char *scheme;
|
||
|
+ const struct Curl_handler *p;
|
||
|
+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
|
||
|
+ if(uc) {
|
||
|
+ free(newurl);
|
||
|
+ return Curl_uc_to_curlcode(uc);
|
||
|
+ }
|
||
|
+
|
||
|
+ p = Curl_builtin_scheme(scheme);
|
||
|
+ if(p && (p->protocol != data->info.conn_protocol)) {
|
||
|
+ infof(data, "Clear auth, redirects scheme from %s to %s",
|
||
|
+ data->info.conn_scheme, scheme);
|
||
|
+ clear = TRUE;
|
||
|
+ }
|
||
|
+ free(scheme);
|
||
|
+ }
|
||
|
+ if(clear) {
|
||
|
+ Curl_safefree(data->state.aptr.user);
|
||
|
+ Curl_safefree(data->state.aptr.passwd);
|
||
|
+ }
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
if(type == FOLLOW_FAKE) {
|
||
|
--
|
||
|
2.34.1
|
||
|
|
||
|
|
||
|
From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||
|
Subject: [PATCH 3/3] tests: verify the fix for CVE-2022-27774
|
||
|
|
||
|
- Test 973 redirects from HTTP to FTP, clear auth
|
||
|
- Test 974 redirects from HTTP to HTTP different port, clear auth
|
||
|
- Test 975 redirects from HTTP to FTP, permitted to keep auth
|
||
|
- Test 976 redirects from HTTP to HTTP different port, permitted to keep
|
||
|
auth
|
||
|
|
||
|
Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
tests/data/Makefile.inc | 1 +
|
||
|
tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||
|
tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++
|
||
|
tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||
|
tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||
|
5 files changed, 352 insertions(+)
|
||
|
create mode 100644 tests/data/test973
|
||
|
create mode 100644 tests/data/test974
|
||
|
create mode 100644 tests/data/test975
|
||
|
create mode 100644 tests/data/test976
|
||
|
|
||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||
|
index 7ae2cf8..175fc43 100644
|
||
|
--- a/tests/data/Makefile.inc
|
||
|
+++ b/tests/data/Makefile.inc
|
||
|
@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
||
|
test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||
|
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||
|
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||
|
+test976 \
|
||
|
\
|
||
|
test980 test981 test982 test983 test984 test985 test986 \
|
||
|
\
|
||
|
diff --git a/tests/data/test973 b/tests/data/test973
|
||
|
new file mode 100644
|
||
|
index 0000000..6ced107
|
||
|
--- /dev/null
|
||
|
+++ b/tests/data/test973
|
||
|
@@ -0,0 +1,88 @@
|
||
|
+<testcase>
|
||
|
+<info>
|
||
|
+<keywords>
|
||
|
+HTTP
|
||
|
+FTP
|
||
|
+--location
|
||
|
+</keywords>
|
||
|
+</info>
|
||
|
+
|
||
|
+#
|
||
|
+# Server-side
|
||
|
+<reply>
|
||
|
+<data>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||
|
+
|
||
|
+</data>
|
||
|
+<data2>
|
||
|
+data
|
||
|
+ to
|
||
|
+ see
|
||
|
+that FTP
|
||
|
+works
|
||
|
+ so does it?
|
||
|
+</data2>
|
||
|
+
|
||
|
+<datacheck>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||
|
+
|
||
|
+data
|
||
|
+ to
|
||
|
+ see
|
||
|
+that FTP
|
||
|
+works
|
||
|
+ so does it?
|
||
|
+</datacheck>
|
||
|
+
|
||
|
+</reply>
|
||
|
+
|
||
|
+#
|
||
|
+# Client-side
|
||
|
+<client>
|
||
|
+<server>
|
||
|
+http
|
||
|
+ftp
|
||
|
+</server>
|
||
|
+ <name>
|
||
|
+HTTP with auth redirected to FTP w/o auth
|
||
|
+ </name>
|
||
|
+ <command>
|
||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
|
||
|
+</command>
|
||
|
+</client>
|
||
|
+
|
||
|
+#
|
||
|
+# Verify data after the test has been "shot"
|
||
|
+<verify>
|
||
|
+<protocol>
|
||
|
+GET /%TESTNUMBER HTTP/1.1
|
||
|
+Host: %HOSTIP:%HTTPPORT
|
||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||
|
+User-Agent: curl/%VERSION
|
||
|
+Accept: */*
|
||
|
+
|
||
|
+USER anonymous
|
||
|
+PASS ftp@example.com
|
||
|
+PWD
|
||
|
+CWD a
|
||
|
+CWD path
|
||
|
+EPSV
|
||
|
+TYPE I
|
||
|
+SIZE %TESTNUMBER0002
|
||
|
+RETR %TESTNUMBER0002
|
||
|
+QUIT
|
||
|
+</protocol>
|
||
|
+</verify>
|
||
|
+</testcase>
|
||
|
diff --git a/tests/data/test974 b/tests/data/test974
|
||
|
new file mode 100644
|
||
|
index 0000000..ac4e641
|
||
|
--- /dev/null
|
||
|
+++ b/tests/data/test974
|
||
|
@@ -0,0 +1,87 @@
|
||
|
+<testcase>
|
||
|
+<info>
|
||
|
+<keywords>
|
||
|
+HTTP
|
||
|
+--location
|
||
|
+</keywords>
|
||
|
+</info>
|
||
|
+
|
||
|
+#
|
||
|
+# Server-side
|
||
|
+<reply>
|
||
|
+<data>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||
|
+
|
||
|
+</data>
|
||
|
+<data2>
|
||
|
+HTTP/1.1 200 OK
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 4
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+
|
||
|
+hey
|
||
|
+</data2>
|
||
|
+
|
||
|
+<datacheck>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||
|
+
|
||
|
+HTTP/1.1 200 OK
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 4
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+
|
||
|
+hey
|
||
|
+</datacheck>
|
||
|
+
|
||
|
+</reply>
|
||
|
+
|
||
|
+#
|
||
|
+# Client-side
|
||
|
+<client>
|
||
|
+<server>
|
||
|
+http
|
||
|
+</server>
|
||
|
+ <name>
|
||
|
+HTTP with auth redirected to HTTP on a diff port w/o auth
|
||
|
+ </name>
|
||
|
+ <command>
|
||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
|
||
|
+</command>
|
||
|
+</client>
|
||
|
+
|
||
|
+#
|
||
|
+# Verify data after the test has been "shot"
|
||
|
+<verify>
|
||
|
+<protocol>
|
||
|
+GET http://firsthost.com/ HTTP/1.1
|
||
|
+Host: firsthost.com
|
||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||
|
+User-Agent: curl/%VERSION
|
||
|
+Accept: */*
|
||
|
+Proxy-Connection: Keep-Alive
|
||
|
+
|
||
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||
|
+Host: firsthost.com:9999
|
||
|
+User-Agent: curl/%VERSION
|
||
|
+Accept: */*
|
||
|
+Proxy-Connection: Keep-Alive
|
||
|
+
|
||
|
+</protocol>
|
||
|
+</verify>
|
||
|
+</testcase>
|
||
|
diff --git a/tests/data/test975 b/tests/data/test975
|
||
|
new file mode 100644
|
||
|
index 0000000..85e03e4
|
||
|
--- /dev/null
|
||
|
+++ b/tests/data/test975
|
||
|
@@ -0,0 +1,88 @@
|
||
|
+<testcase>
|
||
|
+<info>
|
||
|
+<keywords>
|
||
|
+HTTP
|
||
|
+FTP
|
||
|
+--location-trusted
|
||
|
+</keywords>
|
||
|
+</info>
|
||
|
+
|
||
|
+#
|
||
|
+# Server-side
|
||
|
+<reply>
|
||
|
+<data>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||
|
+
|
||
|
+</data>
|
||
|
+<data2>
|
||
|
+data
|
||
|
+ to
|
||
|
+ see
|
||
|
+that FTP
|
||
|
+works
|
||
|
+ so does it?
|
||
|
+</data2>
|
||
|
+
|
||
|
+<datacheck>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||
|
+
|
||
|
+data
|
||
|
+ to
|
||
|
+ see
|
||
|
+that FTP
|
||
|
+works
|
||
|
+ so does it?
|
||
|
+</datacheck>
|
||
|
+
|
||
|
+</reply>
|
||
|
+
|
||
|
+#
|
||
|
+# Client-side
|
||
|
+<client>
|
||
|
+<server>
|
||
|
+http
|
||
|
+ftp
|
||
|
+</server>
|
||
|
+ <name>
|
||
|
+HTTP with auth redirected to FTP allowing auth to continue
|
||
|
+ </name>
|
||
|
+ <command>
|
||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
|
||
|
+</command>
|
||
|
+</client>
|
||
|
+
|
||
|
+#
|
||
|
+# Verify data after the test has been "shot"
|
||
|
+<verify>
|
||
|
+<protocol>
|
||
|
+GET /%TESTNUMBER HTTP/1.1
|
||
|
+Host: %HOSTIP:%HTTPPORT
|
||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||
|
+User-Agent: curl/%VERSION
|
||
|
+Accept: */*
|
||
|
+
|
||
|
+USER joe
|
||
|
+PASS secret
|
||
|
+PWD
|
||
|
+CWD a
|
||
|
+CWD path
|
||
|
+EPSV
|
||
|
+TYPE I
|
||
|
+SIZE %TESTNUMBER0002
|
||
|
+RETR %TESTNUMBER0002
|
||
|
+QUIT
|
||
|
+</protocol>
|
||
|
+</verify>
|
||
|
+</testcase>
|
||
|
diff --git a/tests/data/test976 b/tests/data/test976
|
||
|
new file mode 100644
|
||
|
index 0000000..c4dd61e
|
||
|
--- /dev/null
|
||
|
+++ b/tests/data/test976
|
||
|
@@ -0,0 +1,88 @@
|
||
|
+<testcase>
|
||
|
+<info>
|
||
|
+<keywords>
|
||
|
+HTTP
|
||
|
+--location-trusted
|
||
|
+</keywords>
|
||
|
+</info>
|
||
|
+
|
||
|
+#
|
||
|
+# Server-side
|
||
|
+<reply>
|
||
|
+<data>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||
|
+
|
||
|
+</data>
|
||
|
+<data2>
|
||
|
+HTTP/1.1 200 OK
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 4
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+
|
||
|
+hey
|
||
|
+</data2>
|
||
|
+
|
||
|
+<datacheck>
|
||
|
+HTTP/1.1 301 redirect
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 0
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||
|
+
|
||
|
+HTTP/1.1 200 OK
|
||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||
|
+Server: test-server/fake
|
||
|
+Content-Length: 4
|
||
|
+Connection: close
|
||
|
+Content-Type: text/html
|
||
|
+
|
||
|
+hey
|
||
|
+</datacheck>
|
||
|
+
|
||
|
+</reply>
|
||
|
+
|
||
|
+#
|
||
|
+# Client-side
|
||
|
+<client>
|
||
|
+<server>
|
||
|
+http
|
||
|
+</server>
|
||
|
+ <name>
|
||
|
+HTTP with auth redirected to HTTP on a diff port --location-trusted
|
||
|
+ </name>
|
||
|
+ <command>
|
||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
|
||
|
+</command>
|
||
|
+</client>
|
||
|
+
|
||
|
+#
|
||
|
+# Verify data after the test has been "shot"
|
||
|
+<verify>
|
||
|
+<protocol>
|
||
|
+GET http://firsthost.com/ HTTP/1.1
|
||
|
+Host: firsthost.com
|
||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||
|
+User-Agent: curl/%VERSION
|
||
|
+Accept: */*
|
||
|
+Proxy-Connection: Keep-Alive
|
||
|
+
|
||
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||
|
+Host: firsthost.com:9999
|
||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||
|
+User-Agent: curl/%VERSION
|
||
|
+Accept: */*
|
||
|
+Proxy-Connection: Keep-Alive
|
||
|
+
|
||
|
+</protocol>
|
||
|
+</verify>
|
||
|
+</testcase>
|
||
|
--
|
||
|
2.34.1
|
||
|
|