stricter host name checking for file:// URLs

2016-11-15 18:40:23 +01:00 · 2016-11-15 18:40:23 +01:00 · 40b1d9916f
commit 40b1d9916f
parent 2856bdf841
2 changed files with 96 additions and 0 deletions
--- a/0002-curl-7.51.0-file-host.patch
+++ b/0002-curl-7.51.0-file-host.patch
@ -0,0 +1,91 @@
+From 93d20cffd3b6b8dc9705f3252c09c9269d8ac705 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 11 Nov 2016 08:09:04 +0100
+Subject: [PATCH 2/2] URL-parser: for file://[host]/ URLs, the [host] must be
+ localhost
+
+Previously, the [host] part was just ignored which made libcurl accept
+strange URLs misleading users. like "file://etc/passwd" which might've
+looked like it refers to "/etc/passwd" but is just "/passwd" since the
+"etc" is an ignored host name.
+
+Reported-by: Mike Crowe
+Assisted-by: Kamil Dudka
+
+Upstream-commit: 346340808c89db33803ef7461dee191ff7c3d07f
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/url.c | 55 ++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 30 insertions(+), 25 deletions(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index b997f41..9a8f6e3 100644
+--- a/lib/url.c
+++ b/lib/url.c
+@@ -4065,33 +4065,38 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
+      * the URL protocols specified in RFC 1738
+      */
+     if(path[0] != '/') {
+-      /* the URL included a host name, we ignore host names in file:// URLs
+-         as the standards don't define what to do with them */
+-      char *ptr=strchr(path, '/');
+-      if(ptr) {
+-        /* there was a slash present
+-
+-           RFC1738 (section 3.1, page 5) says:
+-
+-           The rest of the locator consists of data specific to the scheme,
+-           and is known as the "url-path". It supplies the details of how the
+-           specified resource can be accessed. Note that the "/" between the
+-           host (or port) and the url-path is NOT part of the url-path.
+-
+-           As most agents use file://localhost/foo to get '/foo' although the
+-           slash preceding foo is a separator and not a slash for the path,
+-           a URL as file://localhost//foo must be valid as well, to refer to
+-           the same file with an absolute path.
+-        */
+      /* the URL includes a host name, it must match "localhost" or
+         "127.0.0.1" to be valid */
+      char *ptr;
+      if(!checkprefix("localhost/", path) &&
+         !checkprefix("127.0.0.1/", path)) {
+        failf(data, "Valid host name with slash missing in URL");
+        return CURLE_URL_MALFORMAT;
+      }
+      ptr = &path[9]; /* now points to the slash after the host */
+ 
+-        if(ptr[1] && ('/' == ptr[1]))
+-          /* if there was two slashes, we skip the first one as that is then
+-             used truly as a separator */
+-          ptr++;
+      /* there was a host name and slash present
+ 
+-        /* This cannot be made with strcpy, as the memory chunks overlap! */
+-        memmove(path, ptr, strlen(ptr)+1);
+-      }
+         RFC1738 (section 3.1, page 5) says:
+
+         The rest of the locator consists of data specific to the scheme,
+         and is known as the "url-path". It supplies the details of how the
+         specified resource can be accessed. Note that the "/" between the
+         host (or port) and the url-path is NOT part of the url-path.
+
+         As most agents use file://localhost/foo to get '/foo' although the
+         slash preceding foo is a separator and not a slash for the path,
+         a URL as file://localhost//foo must be valid as well, to refer to
+         the same file with an absolute path.
+      */
+
+      if('/' == ptr[1])
+        /* if there was two slashes, we skip the first one as that is then
+           used truly as a separator */
+        ptr++;
+
+      /* This cannot be made with strcpy, as the memory chunks overlap! */
+      memmove(path, ptr, strlen(ptr)+1);
+     }
+ 
+     protop = "file"; /* protocol string */
+-- 
+2.7.4
+
--- a/curl.spec
+++ b/curl.spec
@ -9,6 +9,9 @@ Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 # ssh: check md5 fingerprints case insensitively
 Patch1:   0001-curl-7.51.0-ssh-md5.patch

+# stricter host name checking for file:// URLs
+Patch2:   0002-curl-7.51.0-file-host.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -126,6 +129,7 @@ documentation of the library, too.

 # upstream patches
 %patch1 -p1
+%patch2 -p1

 # Fedora patches
 %patch101 -p1
@ -234,6 +238,7 @@ rm -rf $RPM_BUILD_ROOT

 %changelog
 * Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
+- stricter host name checking for file:// URLs
 - ssh: check md5 fingerprints case insensitively

 * Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-1