From 40b1d9916f51524d03678a51750441fcd5e37cca Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 15 Nov 2016 18:40:23 +0100 Subject: [PATCH] stricter host name checking for file:// URLs --- 0002-curl-7.51.0-file-host.patch | 91 ++++++++++++++++++++++++++++++++ curl.spec | 5 ++ 2 files changed, 96 insertions(+) create mode 100644 0002-curl-7.51.0-file-host.patch diff --git a/0002-curl-7.51.0-file-host.patch b/0002-curl-7.51.0-file-host.patch new file mode 100644 index 0000000..987caee --- /dev/null +++ b/0002-curl-7.51.0-file-host.patch @@ -0,0 +1,91 @@ +From 93d20cffd3b6b8dc9705f3252c09c9269d8ac705 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 11 Nov 2016 08:09:04 +0100 +Subject: [PATCH 2/2] URL-parser: for file://[host]/ URLs, the [host] must be + localhost + +Previously, the [host] part was just ignored which made libcurl accept +strange URLs misleading users. like "file://etc/passwd" which might've +looked like it refers to "/etc/passwd" but is just "/passwd" since the +"etc" is an ignored host name. + +Reported-by: Mike Crowe +Assisted-by: Kamil Dudka + +Upstream-commit: 346340808c89db33803ef7461dee191ff7c3d07f +Signed-off-by: Kamil Dudka +--- + lib/url.c | 55 ++++++++++++++++++++++++++++++------------------------- + 1 file changed, 30 insertions(+), 25 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index b997f41..9a8f6e3 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -4065,33 +4065,38 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + * the URL protocols specified in RFC 1738 + */ + if(path[0] != '/') { +- /* the URL included a host name, we ignore host names in file:// URLs +- as the standards don't define what to do with them */ +- char *ptr=strchr(path, '/'); +- if(ptr) { +- /* there was a slash present +- +- RFC1738 (section 3.1, page 5) says: +- +- The rest of the locator consists of data specific to the scheme, +- and is known as the "url-path". It supplies the details of how the +- specified resource can be accessed. Note that the "/" between the +- host (or port) and the url-path is NOT part of the url-path. +- +- As most agents use file://localhost/foo to get '/foo' although the +- slash preceding foo is a separator and not a slash for the path, +- a URL as file://localhost//foo must be valid as well, to refer to +- the same file with an absolute path. +- */ ++ /* the URL includes a host name, it must match "localhost" or ++ "127.0.0.1" to be valid */ ++ char *ptr; ++ if(!checkprefix("localhost/", path) && ++ !checkprefix("127.0.0.1/", path)) { ++ failf(data, "Valid host name with slash missing in URL"); ++ return CURLE_URL_MALFORMAT; ++ } ++ ptr = &path[9]; /* now points to the slash after the host */ + +- if(ptr[1] && ('/' == ptr[1])) +- /* if there was two slashes, we skip the first one as that is then +- used truly as a separator */ +- ptr++; ++ /* there was a host name and slash present + +- /* This cannot be made with strcpy, as the memory chunks overlap! */ +- memmove(path, ptr, strlen(ptr)+1); +- } ++ RFC1738 (section 3.1, page 5) says: ++ ++ The rest of the locator consists of data specific to the scheme, ++ and is known as the "url-path". It supplies the details of how the ++ specified resource can be accessed. Note that the "/" between the ++ host (or port) and the url-path is NOT part of the url-path. ++ ++ As most agents use file://localhost/foo to get '/foo' although the ++ slash preceding foo is a separator and not a slash for the path, ++ a URL as file://localhost//foo must be valid as well, to refer to ++ the same file with an absolute path. ++ */ ++ ++ if('/' == ptr[1]) ++ /* if there was two slashes, we skip the first one as that is then ++ used truly as a separator */ ++ ptr++; ++ ++ /* This cannot be made with strcpy, as the memory chunks overlap! */ ++ memmove(path, ptr, strlen(ptr)+1); + } + + protop = "file"; /* protocol string */ +-- +2.7.4 + diff --git a/curl.spec b/curl.spec index b862d09..19d7e44 100644 --- a/curl.spec +++ b/curl.spec @@ -9,6 +9,9 @@ Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma # ssh: check md5 fingerprints case insensitively Patch1: 0001-curl-7.51.0-ssh-md5.patch +# stricter host name checking for file:// URLs +Patch2: 0002-curl-7.51.0-file-host.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -126,6 +129,7 @@ documentation of the library, too. # upstream patches %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -234,6 +238,7 @@ rm -rf $RPM_BUILD_ROOT %changelog * Tue Nov 15 2016 Kamil Dudka 7.51.0-2 +- stricter host name checking for file:// URLs - ssh: check md5 fingerprints case insensitively * Wed Nov 02 2016 Kamil Dudka 7.51.0-1