new upstream release - 7.64.0
Resolves: CVE-2019-3823 - SMTP end-of-response out-of-bounds read
Resolves: CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow
Resolves: CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read
parent
3c5dec6602
commit
2bdb624139
@ -1,93 +0,0 @@
|
|||||||
From 46fe12fc1d35b8d2484811b9359f0de72114dee4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Fri, 4 Jan 2019 23:34:50 +0100
|
|
||||||
Subject: [PATCH] Revert "http_negotiate: do not close connection until
|
|
||||||
negotiation is completed"
|
|
||||||
|
|
||||||
This reverts commit 07ebaf837843124ee670e5b8c218b80b92e06e47.
|
|
||||||
|
|
||||||
This also reopens PR #3275 which brought the change now reverted.
|
|
||||||
|
|
||||||
Fixes #3384
|
|
||||||
Closes #3439
|
|
||||||
|
|
||||||
Upstream-commit: ebe658c1e5a6577178981a7f406794699305be5c
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/http.c | 3 ++-
|
|
||||||
lib/http_negotiate.c | 10 +---------
|
|
||||||
2 files changed, 3 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/http.c b/lib/http.c
|
|
||||||
index 8866fdf0a..303535af6 100644
|
|
||||||
--- a/lib/http.c
|
|
||||||
+++ b/lib/http.c
|
|
||||||
@@ -5,7 +5,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -616,6 +616,7 @@ output_auth_headers(struct connectdata *conn,
|
|
||||||
result = Curl_output_negotiate(conn, proxy);
|
|
||||||
if(result)
|
|
||||||
return result;
|
|
||||||
+ authstatus->done = TRUE;
|
|
||||||
negdata->state = GSS_AUTHSENT;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
|
|
||||||
index 444265d11..4713d1bd5 100644
|
|
||||||
--- a/lib/http_negotiate.c
|
|
||||||
+++ b/lib/http_negotiate.c
|
|
||||||
@@ -5,7 +5,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -49,7 +49,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|
||||||
|
|
||||||
/* Point to the correct struct with this */
|
|
||||||
struct negotiatedata *neg_ctx;
|
|
||||||
- struct auth *authp;
|
|
||||||
|
|
||||||
if(proxy) {
|
|
||||||
userp = conn->http_proxy.user;
|
|
||||||
@@ -58,7 +57,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|
||||||
data->set.str[STRING_PROXY_SERVICE_NAME] : "HTTP";
|
|
||||||
host = conn->http_proxy.host.name;
|
|
||||||
neg_ctx = &data->state.proxyneg;
|
|
||||||
- authp = &conn->data->state.authproxy;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
userp = conn->user;
|
|
||||||
@@ -67,7 +65,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|
||||||
data->set.str[STRING_SERVICE_NAME] : "HTTP";
|
|
||||||
host = conn->host.name;
|
|
||||||
neg_ctx = &data->state.negotiate;
|
|
||||||
- authp = &conn->data->state.authhost;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Not set means empty */
|
|
||||||
@@ -98,11 +95,6 @@ CURLcode Curl_input_negotiate(struct connectdata *conn, bool proxy,
|
|
||||||
|
|
||||||
if(result)
|
|
||||||
Curl_auth_spnego_cleanup(neg_ctx);
|
|
||||||
- else
|
|
||||||
- /* If the status is different than 0 and we encountered no errors
|
|
||||||
- it means we have to continue. 0 is the OK value for both GSSAPI
|
|
||||||
- (GSS_S_COMPLETE) and SSPI (SEC_E_OK) */
|
|
||||||
- authp->done = !neg_ctx->status;
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.20.0
|
|
||||||
|
|
@ -1,63 +0,0 @@
|
|||||||
From 510ab52ed43589d96f0fab338eb6286940a29a78 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Thu, 3 Jan 2019 12:00:58 +0100
|
|
||||||
Subject: [PATCH] libtest/stub_gssapi: use "real" snprintf
|
|
||||||
|
|
||||||
... since it doesn't link with libcurl.
|
|
||||||
|
|
||||||
Reverts the commit dcd6f81025 changes from this file.
|
|
||||||
|
|
||||||
Bug: https://curl.haxx.se/mail/lib-2019-01/0000.html
|
|
||||||
Reported-by: Shlomi Fish
|
|
||||||
Reviewed-by: Daniel Gustafsson
|
|
||||||
Reviewed-by: Kamil Dudka
|
|
||||||
|
|
||||||
Closes #3434
|
|
||||||
|
|
||||||
Upstream-commit: c7c362a24c0247644f9fde05e8ea353af4a94b04
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
tests/libtest/stub_gssapi.c | 13 ++++++-------
|
|
||||||
1 file changed, 6 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/libtest/stub_gssapi.c b/tests/libtest/stub_gssapi.c
|
|
||||||
index 254a01b31..377b75452 100644
|
|
||||||
--- a/tests/libtest/stub_gssapi.c
|
|
||||||
+++ b/tests/libtest/stub_gssapi.c
|
|
||||||
@@ -5,7 +5,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 2017-2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 2017-2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -28,10 +28,7 @@
|
|
||||||
|
|
||||||
#include "stub_gssapi.h"
|
|
||||||
|
|
||||||
-#define ENABLE_CURLX_PRINTF
|
|
||||||
-/* make the curlx header define all printf() functions to use the curlx_*
|
|
||||||
- versions instead */
|
|
||||||
-#include "curlx.h" /* from the private lib dir */
|
|
||||||
+/* !checksrc! disable SNPRINTF all */
|
|
||||||
|
|
||||||
#define MAX_CREDS_LENGTH 250
|
|
||||||
#define APPROX_TOKEN_LEN 250
|
|
||||||
@@ -207,8 +204,10 @@ OM_uint32 gss_init_sec_context(OM_uint32 *min,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Token format: creds:target:type:padding */
|
|
||||||
- used = msnprintf(token, length, "%s:%s:%d:", creds,
|
|
||||||
- (char *) target_name, ctx->sent);
|
|
||||||
+ /* Note: this is using the *real* snprintf() and not the curl provided
|
|
||||||
+ one */
|
|
||||||
+ used = snprintf(token, length, "%s:%s:%d:", creds,
|
|
||||||
+ (char *) target_name, ctx->sent);
|
|
||||||
|
|
||||||
if(used >= length) {
|
|
||||||
free(token);
|
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
@ -1,115 +0,0 @@
|
|||||||
From ff74657fb645e7175971128a171ef7d5ece40d77 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Mon, 17 Dec 2018 12:51:51 +0100
|
|
||||||
Subject: [PATCH] curl -J: do not append to the destination file
|
|
||||||
|
|
||||||
Reported-by: Kamil Dudka
|
|
||||||
Fixes #3380
|
|
||||||
Closes #3381
|
|
||||||
|
|
||||||
Upstream-commit: 4849267197682e69cfa056c2bd7a44acd123a917
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
src/tool_cb_hdr.c | 6 +++---
|
|
||||||
src/tool_cb_wrt.c | 9 ++++-----
|
|
||||||
src/tool_cb_wrt.h | 2 +-
|
|
||||||
src/tool_operate.c | 2 +-
|
|
||||||
4 files changed, 9 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
|
|
||||||
index 84b0d9c..3844904 100644
|
|
||||||
--- a/src/tool_cb_hdr.c
|
|
||||||
+++ b/src/tool_cb_hdr.c
|
|
||||||
@@ -157,12 +157,12 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
|
|
||||||
outs->filename = filename;
|
|
||||||
outs->alloc_filename = TRUE;
|
|
||||||
hdrcbdata->honor_cd_filename = FALSE; /* done now! */
|
|
||||||
- if(!tool_create_output_file(outs, TRUE))
|
|
||||||
+ if(!tool_create_output_file(outs))
|
|
||||||
return failure;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
- if(!outs->stream && !tool_create_output_file(outs, FALSE))
|
|
||||||
+ if(!outs->stream && !tool_create_output_file(outs))
|
|
||||||
return failure;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -172,7 +172,7 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
|
|
||||||
/* bold headers only for selected protocols */
|
|
||||||
char *value = NULL;
|
|
||||||
|
|
||||||
- if(!outs->stream && !tool_create_output_file(outs, FALSE))
|
|
||||||
+ if(!outs->stream && !tool_create_output_file(outs))
|
|
||||||
return failure;
|
|
||||||
|
|
||||||
if(hdrcbdata->global->isatty && hdrcbdata->global->styled_output)
|
|
||||||
diff --git a/src/tool_cb_wrt.c b/src/tool_cb_wrt.c
|
|
||||||
index 2cb5e1b..195d6e7 100644
|
|
||||||
--- a/src/tool_cb_wrt.c
|
|
||||||
+++ b/src/tool_cb_wrt.c
|
|
||||||
@@ -32,8 +32,7 @@
|
|
||||||
#include "memdebug.h" /* keep this as LAST include */
|
|
||||||
|
|
||||||
/* create a local file for writing, return TRUE on success */
|
|
||||||
-bool tool_create_output_file(struct OutStruct *outs,
|
|
||||||
- bool append)
|
|
||||||
+bool tool_create_output_file(struct OutStruct *outs)
|
|
||||||
{
|
|
||||||
struct GlobalConfig *global = outs->config->global;
|
|
||||||
FILE *file;
|
|
||||||
@@ -43,7 +42,7 @@ bool tool_create_output_file(struct OutStruct *outs,
|
|
||||||
return FALSE;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if(outs->is_cd_filename && !append) {
|
|
||||||
+ if(outs->is_cd_filename) {
|
|
||||||
/* don't overwrite existing files */
|
|
||||||
file = fopen(outs->filename, "rb");
|
|
||||||
if(file) {
|
|
||||||
@@ -55,7 +54,7 @@ bool tool_create_output_file(struct OutStruct *outs,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* open file for writing */
|
|
||||||
- file = fopen(outs->filename, append?"ab":"wb");
|
|
||||||
+ file = fopen(outs->filename, "wb");
|
|
||||||
if(!file) {
|
|
||||||
warnf(global, "Failed to create the file %s: %s\n", outs->filename,
|
|
||||||
strerror(errno));
|
|
||||||
@@ -142,7 +141,7 @@ size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata)
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if(!outs->stream && !tool_create_output_file(outs, FALSE))
|
|
||||||
+ if(!outs->stream && !tool_create_output_file(outs))
|
|
||||||
return failure;
|
|
||||||
|
|
||||||
if(is_tty && (outs->bytes < 2000) && !config->terminal_binary_ok) {
|
|
||||||
diff --git a/src/tool_cb_wrt.h b/src/tool_cb_wrt.h
|
|
||||||
index 51e002b..188d3ea 100644
|
|
||||||
--- a/src/tool_cb_wrt.h
|
|
||||||
+++ b/src/tool_cb_wrt.h
|
|
||||||
@@ -30,6 +30,6 @@
|
|
||||||
size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata);
|
|
||||||
|
|
||||||
/* create a local file for writing, return TRUE on success */
|
|
||||||
-bool tool_create_output_file(struct OutStruct *outs, bool append);
|
|
||||||
+bool tool_create_output_file(struct OutStruct *outs);
|
|
||||||
|
|
||||||
#endif /* HEADER_CURL_TOOL_CB_WRT_H */
|
|
||||||
diff --git a/src/tool_operate.c b/src/tool_operate.c
|
|
||||||
index e53a9d8..429e9cf 100644
|
|
||||||
--- a/src/tool_operate.c
|
|
||||||
+++ b/src/tool_operate.c
|
|
||||||
@@ -1583,7 +1583,7 @@ static CURLcode operate_do(struct GlobalConfig *global,
|
|
||||||
/* do not create (or even overwrite) the file in case we get no
|
|
||||||
data because of unmet condition */
|
|
||||||
curl_easy_getinfo(curl, CURLINFO_CONDITION_UNMET, &cond_unmet);
|
|
||||||
- if(!cond_unmet && !tool_create_output_file(&outs, FALSE))
|
|
||||||
+ if(!cond_unmet && !tool_create_output_file(&outs))
|
|
||||||
result = CURLE_WRITE_ERROR;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
@ -1,284 +0,0 @@
|
|||||||
From 9fa7298750c1d66331dc55a202277b131868c048 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Wed, 2 Jan 2019 20:18:27 +0100
|
|
||||||
Subject: [PATCH] xattr: strip credentials from any URL that is stored
|
|
||||||
|
|
||||||
Both user and password are cleared uncondtitionally.
|
|
||||||
|
|
||||||
Added unit test 1621 to verify.
|
|
||||||
|
|
||||||
Fixes #3423
|
|
||||||
Closes #3433
|
|
||||||
|
|
||||||
Upstream-commit: 98e6629154044e4ab1ee7cff8351c7ebcb131e88
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
src/tool_xattr.c | 63 +++++++++++++++++++++++++----
|
|
||||||
tests/data/Makefile.inc | 2 +-
|
|
||||||
tests/data/test1621 | 27 +++++++++++++
|
|
||||||
tests/unit/Makefile.inc | 6 ++-
|
|
||||||
tests/unit/unit1621.c | 89 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
5 files changed, 177 insertions(+), 10 deletions(-)
|
|
||||||
create mode 100644 tests/data/test1621
|
|
||||||
create mode 100644 tests/unit/unit1621.c
|
|
||||||
|
|
||||||
diff --git a/src/tool_xattr.c b/src/tool_xattr.c
|
|
||||||
index 92b99db..730381b 100644
|
|
||||||
--- a/src/tool_xattr.c
|
|
||||||
+++ b/src/tool_xattr.c
|
|
||||||
@@ -5,7 +5,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -49,6 +49,46 @@ static const struct xattr_mapping {
|
|
||||||
{ NULL, CURLINFO_NONE } /* last element, abort loop here */
|
|
||||||
};
|
|
||||||
|
|
||||||
+/* returns TRUE if a new URL is returned, that then needs to be freed */
|
|
||||||
+/* @unittest: 1621 */
|
|
||||||
+#ifdef UNITTESTS
|
|
||||||
+bool stripcredentials(char **url);
|
|
||||||
+#else
|
|
||||||
+static
|
|
||||||
+#endif
|
|
||||||
+bool stripcredentials(char **url)
|
|
||||||
+{
|
|
||||||
+ CURLU *u;
|
|
||||||
+ CURLUcode uc;
|
|
||||||
+ char *nurl;
|
|
||||||
+ u = curl_url();
|
|
||||||
+ if(u) {
|
|
||||||
+ uc = curl_url_set(u, CURLUPART_URL, *url, 0);
|
|
||||||
+ if(uc)
|
|
||||||
+ goto error;
|
|
||||||
+
|
|
||||||
+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
|
|
||||||
+ if(uc)
|
|
||||||
+ goto error;
|
|
||||||
+
|
|
||||||
+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
|
|
||||||
+ if(uc)
|
|
||||||
+ goto error;
|
|
||||||
+
|
|
||||||
+ uc = curl_url_get(u, CURLUPART_URL, &nurl, 0);
|
|
||||||
+ if(uc)
|
|
||||||
+ goto error;
|
|
||||||
+
|
|
||||||
+ curl_url_cleanup(u);
|
|
||||||
+
|
|
||||||
+ *url = nurl;
|
|
||||||
+ return TRUE;
|
|
||||||
+ }
|
|
||||||
+ error:
|
|
||||||
+ curl_url_cleanup(u);
|
|
||||||
+ return FALSE;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* store metadata from the curl request alongside the downloaded
|
|
||||||
* file using extended attributes
|
|
||||||
*/
|
|
||||||
@@ -62,17 +102,24 @@ int fwrite_xattr(CURL *curl, int fd)
|
|
||||||
char *value = NULL;
|
|
||||||
CURLcode result = curl_easy_getinfo(curl, mappings[i].info, &value);
|
|
||||||
if(!result && value) {
|
|
||||||
+ bool freeptr = FALSE;
|
|
||||||
+ if(CURLINFO_EFFECTIVE_URL == mappings[i].info)
|
|
||||||
+ freeptr = stripcredentials(&value);
|
|
||||||
+ if(value) {
|
|
||||||
#ifdef HAVE_FSETXATTR_6
|
|
||||||
- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0);
|
|
||||||
+ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0);
|
|
||||||
#elif defined(HAVE_FSETXATTR_5)
|
|
||||||
- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0);
|
|
||||||
+ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0);
|
|
||||||
#elif defined(__FreeBSD_version)
|
|
||||||
- err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr, value,
|
|
||||||
- strlen(value));
|
|
||||||
- /* FreeBSD's extattr_set_fd returns the length of the extended attribute
|
|
||||||
- */
|
|
||||||
- err = err < 0 ? err : 0;
|
|
||||||
+ err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr,
|
|
||||||
+ value, strlen(value));
|
|
||||||
+ /* FreeBSD's extattr_set_fd returns the length of the extended
|
|
||||||
+ attribute */
|
|
||||||
+ err = err < 0 ? err : 0;
|
|
||||||
#endif
|
|
||||||
+ if(freeptr)
|
|
||||||
+ curl_free(value);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
i++;
|
|
||||||
}
|
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
||||||
index dd38f89..6172b77 100644
|
|
||||||
--- a/tests/data/Makefile.inc
|
|
||||||
+++ b/tests/data/Makefile.inc
|
|
||||||
@@ -180,7 +180,7 @@ test1560 \
|
|
||||||
\
|
|
||||||
test1590 \
|
|
||||||
test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 \
|
|
||||||
-test1608 test1609 test1620 \
|
|
||||||
+test1608 test1609 test1620 test1621 \
|
|
||||||
\
|
|
||||||
test1650 test1651 test1652 test1653 \
|
|
||||||
\
|
|
||||||
diff --git a/tests/data/test1621 b/tests/data/test1621
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..1117d1b
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test1621
|
|
||||||
@@ -0,0 +1,27 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+unittest
|
|
||||||
+stripcredentials
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+none
|
|
||||||
+</server>
|
|
||||||
+<features>
|
|
||||||
+unittest
|
|
||||||
+https
|
|
||||||
+</features>
|
|
||||||
+ <name>
|
|
||||||
+unit tests for stripcredentials from URL
|
|
||||||
+ </name>
|
|
||||||
+<tool>
|
|
||||||
+unit1621
|
|
||||||
+</tool>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+</testcase>
|
|
||||||
diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc
|
|
||||||
index 8b1a607..82eaec7 100644
|
|
||||||
--- a/tests/unit/Makefile.inc
|
|
||||||
+++ b/tests/unit/Makefile.inc
|
|
||||||
@@ -10,7 +10,7 @@ UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \
|
|
||||||
unit1330 unit1394 unit1395 unit1396 unit1397 unit1398 \
|
|
||||||
unit1399 \
|
|
||||||
unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \
|
|
||||||
- unit1608 unit1609 unit1620 \
|
|
||||||
+ unit1608 unit1609 unit1620 unit1621 \
|
|
||||||
unit1650 unit1651 unit1652 unit1653
|
|
||||||
|
|
||||||
unit1300_SOURCES = unit1300.c $(UNITFILES)
|
|
||||||
@@ -100,6 +100,10 @@ unit1609_CPPFLAGS = $(AM_CPPFLAGS)
|
|
||||||
unit1620_SOURCES = unit1620.c $(UNITFILES)
|
|
||||||
unit1620_CPPFLAGS = $(AM_CPPFLAGS)
|
|
||||||
|
|
||||||
+unit1621_SOURCES = unit1621.c $(UNITFILES)
|
|
||||||
+unit1621_CPPFLAGS = $(AM_CPPFLAGS)
|
|
||||||
+unit1621_LDADD = $(top_builddir)/src/libcurltool.la $(top_builddir)/lib/libcurl.la
|
|
||||||
+
|
|
||||||
unit1650_SOURCES = unit1650.c $(UNITFILES)
|
|
||||||
unit1650_CPPFLAGS = $(AM_CPPFLAGS)
|
|
||||||
|
|
||||||
diff --git a/tests/unit/unit1621.c b/tests/unit/unit1621.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..6e07b6e
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/unit/unit1621.c
|
|
||||||
@@ -0,0 +1,89 @@
|
|
||||||
+/***************************************************************************
|
|
||||||
+ * _ _ ____ _
|
|
||||||
+ * Project ___| | | | _ \| |
|
|
||||||
+ * / __| | | | |_) | |
|
|
||||||
+ * | (__| |_| | _ <| |___
|
|
||||||
+ * \___|\___/|_| \_\_____|
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ *
|
|
||||||
+ * This software is licensed as described in the file COPYING, which
|
|
||||||
+ * you should have received as part of this distribution. The terms
|
|
||||||
+ * are also available at https://curl.haxx.se/docs/copyright.html.
|
|
||||||
+ *
|
|
||||||
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
||||||
+ * copies of the Software, and permit persons to whom the Software is
|
|
||||||
+ * furnished to do so, under the terms of the COPYING file.
|
|
||||||
+ *
|
|
||||||
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
||||||
+ * KIND, either express or implied.
|
|
||||||
+ *
|
|
||||||
+ ***************************************************************************/
|
|
||||||
+#include "curlcheck.h"
|
|
||||||
+
|
|
||||||
+#include "urldata.h"
|
|
||||||
+#include "url.h"
|
|
||||||
+
|
|
||||||
+#include "memdebug.h" /* LAST include file */
|
|
||||||
+
|
|
||||||
+static CURLcode unit_setup(void)
|
|
||||||
+{
|
|
||||||
+ return CURLE_OK;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void unit_stop(void)
|
|
||||||
+{
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#ifdef __MINGW32__
|
|
||||||
+UNITTEST_START
|
|
||||||
+{
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+UNITTEST_STOP
|
|
||||||
+#else
|
|
||||||
+
|
|
||||||
+bool stripcredentials(char **url);
|
|
||||||
+
|
|
||||||
+struct checkthis {
|
|
||||||
+ const char *input;
|
|
||||||
+ const char *output;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static struct checkthis tests[] = {
|
|
||||||
+ { "ninja://foo@example.com", "ninja://foo@example.com" },
|
|
||||||
+ { "https://foo@example.com", "https://example.com/" },
|
|
||||||
+ { "https://localhost:45", "https://localhost:45/" },
|
|
||||||
+ { "https://foo@localhost:45", "https://localhost:45/" },
|
|
||||||
+ { "http://daniel:password@localhost", "http://localhost/" },
|
|
||||||
+ { "http://daniel@localhost", "http://localhost/" },
|
|
||||||
+ { "http://localhost/", "http://localhost/" },
|
|
||||||
+ { NULL, NULL } /* end marker */
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+UNITTEST_START
|
|
||||||
+{
|
|
||||||
+ bool cleanup;
|
|
||||||
+ char *url;
|
|
||||||
+ int i;
|
|
||||||
+ int rc = 0;
|
|
||||||
+
|
|
||||||
+ for(i = 0; tests[i].input; i++) {
|
|
||||||
+ url = (char *)tests[i].input;
|
|
||||||
+ cleanup = stripcredentials(&url);
|
|
||||||
+ printf("Test %u got input \"%s\", output: \"%s\"\n",
|
|
||||||
+ i, tests[i].input, url);
|
|
||||||
+
|
|
||||||
+ if(strcmp(tests[i].output, url)) {
|
|
||||||
+ fprintf(stderr, "Test %u got input \"%s\", expected output \"%s\"\n"
|
|
||||||
+ " Actual output: \"%s\"\n", i, tests[i].input, tests[i].output,
|
|
||||||
+ url);
|
|
||||||
+ rc++;
|
|
||||||
+ }
|
|
||||||
+ if(cleanup)
|
|
||||||
+ curl_free(url);
|
|
||||||
+ }
|
|
||||||
+ return rc;
|
|
||||||
+}
|
|
||||||
+UNITTEST_STOP
|
|
||||||
+#endif
|
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
@ -12,7 +12,7 @@ diff --git a/configure b/configure
|
|||||||
index 8f079a3..53b4774 100755
|
index 8f079a3..53b4774 100755
|
||||||
--- a/configure
|
--- a/configure
|
||||||
+++ b/configure
|
+++ b/configure
|
||||||
@@ -16415,18 +16415,11 @@ $as_echo "yes" >&6; }
|
@@ -16250,18 +16250,11 @@ $as_echo "yes" >&6; }
|
||||||
gccvhi=`echo $gccver | cut -d . -f1`
|
gccvhi=`echo $gccver | cut -d . -f1`
|
||||||
gccvlo=`echo $gccver | cut -d . -f2`
|
gccvlo=`echo $gccver | cut -d . -f2`
|
||||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||||
@ -38,7 +38,7 @@ diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
|
|||||||
index 0cbba7a..9175b5b 100644
|
index 0cbba7a..9175b5b 100644
|
||||||
--- a/m4/curl-compilers.m4
|
--- a/m4/curl-compilers.m4
|
||||||
+++ b/m4/curl-compilers.m4
|
+++ b/m4/curl-compilers.m4
|
||||||
@@ -157,18 +157,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
|
@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
|
||||||
gccvhi=`echo $gccver | cut -d . -f1`
|
gccvhi=`echo $gccver | cut -d . -f1`
|
||||||
gccvlo=`echo $gccver | cut -d . -f2`
|
gccvlo=`echo $gccver | cut -d . -f2`
|
||||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||||
|
@ -26,14 +26,14 @@ diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
|||||||
index 080421b..ea3b806 100644
|
index 080421b..ea3b806 100644
|
||||||
--- a/tests/libtest/Makefile.inc
|
--- a/tests/libtest/Makefile.inc
|
||||||
+++ b/tests/libtest/Makefile.inc
|
+++ b/tests/libtest/Makefile.inc
|
||||||
@@ -516,6 +516,7 @@ lib1557_LDADD = $(TESTUTIL_LIBS)
|
@@ -521,6 +521,7 @@ lib1558_SOURCES = lib1558.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
lib1557_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1557
|
lib1558_LDADD = $(TESTUTIL_LIBS)
|
||||||
|
|
||||||
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
|
+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
|
||||||
lib1560_LDADD = $(TESTUTIL_LIBS)
|
lib1560_LDADD = $(TESTUTIL_LIBS)
|
||||||
|
|
||||||
lib1900_SOURCES = lib1900.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
||||||
--
|
--
|
||||||
2.17.2
|
2.17.2
|
||||||
|
|
||||||
|
@ -1,11 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlwQtYIACgkQXMkI/bce
|
|
||||||
EsKPHgf/RhfKPvl1Q8ftuEOXakF/ZIvINukj49vOMFmfQRHfmGWh5ajaGj0qVF6x
|
|
||||||
U5HtrDoFOP5m74tj6jrzr2Ala/HGeyZmiTWwRLMgu+Tvq4djIv2pzZUJpgawJS52
|
|
||||||
LCb2DUS2F+E1AsZQYvyliYA+r2FO2RRX1kbwdu+0RyuFy5WmWwkI02VahAIYV48o
|
|
||||||
44IqtXshxfSAlfEqQ8MgXtU1KW0SWtfKVP2HpsurugjGyknoXxHP7yoDMgDAkMk0
|
|
||||||
fNYyPDZbUXXN+6Oyo4Xh8rz4dpVLBkIoCZb4WG2pFZSrfP2+FTL5/vRo/tUyjFfv
|
|
||||||
2LHmDUOOFH3VMwMYlnMCgaaXG7/jtg==
|
|
||||||
=TkSP
|
|
||||||
-----END PGP SIGNATURE-----
|
|
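--- /dev/null
+++ b/curl-7.64.0.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAlxahccACgkQXMkI/bce
+EsKdrAf+OoNH+Yz1HfJG5MtmEi2sgRC56iAvZBQujPG8SJYGnT3D2nLiuC2+bzA8
+eMCqisodW5f6lV/9JRvLmLS0dhxAfdf/NHlMOdtgSv+NzVGsggpHeYEZ7HucRHsQ
+AKZ6/wx7rby8yZqrn2s7yWWB0qgiajWx30r+CJEYXpuw+YwZ2qZo5ecM7fa/J9ko
+ESwb7BLF6KMkdSz1wSApwCdznB/BXOaPrUBMiOcwO7ftq/t1ZmqnUWLtdlSp8OoH
+Tw832H1kCP2OFHcOFTQmZJLagRQtLBhC522wNsagXaMwak6uhoFApcAPqoPdm4Pm
+PvTO6aAopZk+sX9VemdSQzx/4ysT3w==
+=HOlc
+-----END PGP SIGNATURE-----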
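--- a/curl.spec
+++ b/curl.spec
@@ -1,22 +1,10 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.63.0
-Release: 7%{?dist}
+Version: 7.64.0
+Release: 1%{?dist}
 License: MIT
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
-# revert an upstream commit that broke `fedpkg new-sources` (#1659329)
-Patch1: 0001-curl-7.62.0-http-post-negotiate.patch
-
-# libtest: avoid symbol lookup error in libstubgss.so
-Patch2: 0002-curl-7.62.0-libtest-stub_gssapi-snprintf.patch
-
-# curl -J: do not append to the destination file (#1658574)
-Patch7: 0007-curl-7.63.0-JO-preserve-local-file.patch
-
-# xattr: strip credentials from any URL that is stored (CVE-2018-20483)
-Patch8: 0008-curl-7.63.0-xattr-strip-credentials-from-any-URL.patch
-
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -178,10 +166,6 @@ be installed.
 %setup -q
 
 # upstream patches
-%patch1 -p1
-%patch2 -p1
-%patch7 -p1
-%patch8 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -349,6 +333,12 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Wed Feb 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-1
+- new upstream release, which fixes the following vulnerabilities
+CVE-2019-3823 - SMTP end-of-response out-of-bounds read
+CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow
+CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read
+
 * Mon Feb 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-7
 - prevent valgrind from reporting false positives on x86_64
 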
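Review bot: The new changelog entry in the third hunk names the three CVEs fixed by 7.64.0 but says nothing about the four upstream patches dropped in the first hunk, one of which (Patch8) carried the CVE-2018-20483 xattr credential-stripping fix; presumably they are dropped because the 7.64.0 tarball already contains them, but the spec no longer records that anywhere. Downstream CVE tracking reads the changelog, so the 7.64.0-1 entry should say so explicitly, e.g. `- drop upstream patches 1, 2, 7 and 8, now included in 7.64.0 (incl. CVE-2018-20483)`. The same applies to the `fedpkg new-sources` revert (Patch1) and the `-J` overwrite fix (Patch7), whose bug references (#1659329, #1658574) otherwise disappear from the spec with this commit.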
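--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (curl-7.63.0.tar.xz) = c905eb157c6b0093f1b1a506e4782b83af423fd6de1ce0ab5372164a686ef292ffb10d7999d3dec2de602f63ee41b65e1a1008409dd8c959a597644c0ecb395b
+SHA512 (curl-7.64.0.tar.xz) = 953f1f5336ce5dfd1b9f933624432d401552d91ee02d39ecde6f023c956f99ec6aae8d7746d7c34b6eb2d6452f114e67da4e64d9c8dd90b7644b7844e7b9b423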