stricter host name checking for file:// URLs
This commit is contained in:
Kamil Dudka
parent
2856bdf841
commit
40b1d9916f
91
0002-curl-7.51.0-file-host.patch
Normal file
91
0002-curl-7.51.0-file-host.patch
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
From 93d20cffd3b6b8dc9705f3252c09c9269d8ac705 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Fri, 11 Nov 2016 08:09:04 +0100
|
||||||
|
Subject: [PATCH 2/2] URL-parser: for file://[host]/ URLs, the [host] must be
|
||||||
|
localhost
|
||||||
|
|
||||||
|
Previously, the [host] part was just ignored which made libcurl accept
|
||||||
|
strange URLs misleading users. like "file://etc/passwd" which might've
|
||||||
|
looked like it refers to "/etc/passwd" but is just "/passwd" since the
|
||||||
|
"etc" is an ignored host name.
|
||||||
|
|
||||||
|
Reported-by: Mike Crowe
|
||||||
|
Assisted-by: Kamil Dudka
|
||||||
|
|
||||||
|
Upstream-commit: 346340808c89db33803ef7461dee191ff7c3d07f
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 55 ++++++++++++++++++++++++++++++-------------------------
|
||||||
|
1 file changed, 30 insertions(+), 25 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index b997f41..9a8f6e3 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -4065,33 +4065,38 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
|
||||||
|
* the URL protocols specified in RFC 1738
|
||||||
|
*/
|
||||||
|
if(path[0] != '/') {
|
||||||
|
- /* the URL included a host name, we ignore host names in file:// URLs
|
||||||
|
- as the standards don't define what to do with them */
|
||||||
|
- char *ptr=strchr(path, '/');
|
||||||
|
- if(ptr) {
|
||||||
|
- /* there was a slash present
|
||||||
|
-
|
||||||
|
- RFC1738 (section 3.1, page 5) says:
|
||||||
|
-
|
||||||
|
- The rest of the locator consists of data specific to the scheme,
|
||||||
|
- and is known as the "url-path". It supplies the details of how the
|
||||||
|
- specified resource can be accessed. Note that the "/" between the
|
||||||
|
- host (or port) and the url-path is NOT part of the url-path.
|
||||||
|
-
|
||||||
|
- As most agents use file://localhost/foo to get '/foo' although the
|
||||||
|
- slash preceding foo is a separator and not a slash for the path,
|
||||||
|
- a URL as file://localhost//foo must be valid as well, to refer to
|
||||||
|
- the same file with an absolute path.
|
||||||
|
- */
|
||||||
|
+ /* the URL includes a host name, it must match "localhost" or
|
||||||
|
+ "127.0.0.1" to be valid */
|
||||||
|
+ char *ptr;
|
||||||
|
+ if(!checkprefix("localhost/", path) &&
|
||||||
|
+ !checkprefix("127.0.0.1/", path)) {
|
||||||
|
+ failf(data, "Valid host name with slash missing in URL");
|
||||||
|
+ return CURLE_URL_MALFORMAT;
|
||||||
|
+ }
|
||||||
|
+ ptr = &path[9]; /* now points to the slash after the host */
|
||||||
|
|
||||||
|
- if(ptr[1] && ('/' == ptr[1]))
|
||||||
|
- /* if there was two slashes, we skip the first one as that is then
|
||||||
|
- used truly as a separator */
|
||||||
|
- ptr++;
|
||||||
|
+ /* there was a host name and slash present
|
||||||
|
|
||||||
|
- /* This cannot be made with strcpy, as the memory chunks overlap! */
|
||||||
|
- memmove(path, ptr, strlen(ptr)+1);
|
||||||
|
- }
|
||||||
|
+ RFC1738 (section 3.1, page 5) says:
|
||||||
|
+
|
||||||
|
+ The rest of the locator consists of data specific to the scheme,
|
||||||
|
+ and is known as the "url-path". It supplies the details of how the
|
||||||
|
+ specified resource can be accessed. Note that the "/" between the
|
||||||
|
+ host (or port) and the url-path is NOT part of the url-path.
|
||||||
|
+
|
||||||
|
+ As most agents use file://localhost/foo to get '/foo' although the
|
||||||
|
+ slash preceding foo is a separator and not a slash for the path,
|
||||||
|
+ a URL as file://localhost//foo must be valid as well, to refer to
|
||||||
|
+ the same file with an absolute path.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ if('/' == ptr[1])
|
||||||
|
+ /* if there was two slashes, we skip the first one as that is then
|
||||||
|
+ used truly as a separator */
|
||||||
|
+ ptr++;
|
||||||
|
+
|
||||||
|
+ /* This cannot be made with strcpy, as the memory chunks overlap! */
|
||||||
|
+ memmove(path, ptr, strlen(ptr)+1);
|
||||||
|
}
|
||||||
|
|
||||||
|
protop = "file"; /* protocol string */
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
||||||
@ -9,6 +9,9 @@ Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
|||||||
# ssh: check md5 fingerprints case insensitively
|
# ssh: check md5 fingerprints case insensitively
|
||||||
Patch1: 0001-curl-7.51.0-ssh-md5.patch
|
Patch1: 0001-curl-7.51.0-ssh-md5.patch
|
||||||
|
|
||||||
|
# stricter host name checking for file:// URLs
|
||||||
|
Patch2: 0002-curl-7.51.0-file-host.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -126,6 +129,7 @@ documentation of the library, too.
|
|||||||
|
|
||||||
# upstream patches
|
# upstream patches
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -234,6 +238,7 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
|
* Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
|
||||||
|
- stricter host name checking for file:// URLs
|
||||||
- ssh: check md5 fingerprints case insensitively
|
- ssh: check md5 fingerprints case insensitively
|
||||||
|
|
||||||
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-1
|
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-1
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user