Resolves: #2149224 - noproxy: tailmatch like in 7.85.0 and earlier

0001-curl-7.86.0-noproxy.patch

@@ -1,7 +1,7 @@
 From b0ff1fd270924c5eaec09687e3d279130123671a Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 27 Oct 2022 13:54:27 +0200
-Subject: [PATCH 1/2] noproxy: also match with adjacent comma
+Subject: [PATCH 1/3] noproxy: also match with adjacent comma
 
 If the host name is an IP address and the noproxy string contained that
 IP address with a following comma, it would erroneously not match.
@@ -101,7 +101,7 @@ index 6028545..c2f563a 100644
 From d539fd9f11e2a244dbab6b9171f5a9e5c86cc417 Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Fri, 28 Oct 2022 10:51:49 +0200
-Subject: [PATCH 2/2] noproxy: fix tail-matching
+Subject: [PATCH 2/3] noproxy: fix tail-matching
 
 Also ignore trailing dots in both host name and comparison pattern.
 
@@ -193,3 +193,105 @@ index c2f563a..8f62b70 100644
 -- 
 2.37.3
 
+
+From 560b593cb9ba261169df5ea18ac8d0c188e239cd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 6 Nov 2022 23:19:51 +0100
+Subject: [PATCH 3/3] noproxy: tailmatch like in 7.85.0 and earlier
+
+A regfression in 7.86.0 (via 1e9a538e05c010) made the tailmatch work
+differently than before. This restores the logic to how it used to work:
+
+All names listed in NO_PROXY are tailmatched against the used domain
+name, if the lengths are identical it needs a full match.
+
+Update the docs, update test 1614.
+
+Reported-by: Stuart Henderson
+Fixes #9842
+Closes #9858
+
+Upstream-commit: b1953c1933b369b1217ef0f16053e26da63488c3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_NOPROXY.3 |  4 ----
+ lib/noproxy.c                       | 32 +++++++++++++++--------------
+ tests/unit/unit1614.c               |  3 ++-
+ 3 files changed, 19 insertions(+), 20 deletions(-)
+
+diff --git a/docs/libcurl/opts/CURLOPT_NOPROXY.3 b/docs/libcurl/opts/CURLOPT_NOPROXY.3
+index 149eaac..98c7920 100644
+--- a/docs/libcurl/opts/CURLOPT_NOPROXY.3
++++ b/docs/libcurl/opts/CURLOPT_NOPROXY.3
+@@ -41,10 +41,6 @@ list is matched as either a domain which contains the hostname, or the
+ hostname itself. For example, "ample.com" would match ample.com, ample.com:80,
+ and www.ample.com, but not www.example.com or ample.com.org.
+ 
+-If the name in the \fInoproxy\fP list has a leading period, it is a domain
+-match against the provided host name. This way ".example.com" will switch off
+-proxy use for both "www.example.com" as well as for "foo.example.com".
+-
+ Setting the \fInoproxy\fP string to "" (an empty string) will explicitly
+ enable the proxy for all host names, even if there is an environment variable
+ set for it.
+diff --git a/lib/noproxy.c b/lib/noproxy.c
+index 01f8f47..31d1ca7 100644
+--- a/lib/noproxy.c
++++ b/lib/noproxy.c
+@@ -183,22 +183,24 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
+             tokenlen--;
+ 
+           if(tokenlen && (*token == '.')) {
+-            /* A: example.com matches '.example.com'
+-               B: www.example.com matches '.example.com'
+-               C: nonexample.com DOES NOT match '.example.com'
+-            */
+-            if((tokenlen - 1) == namelen)
+-              /* case A, exact match without leading dot */
+-              match = strncasecompare(token + 1, name, namelen);
+-            else if(tokenlen < namelen)
+-              /* case B, tailmatch with leading dot */
+-              match = strncasecompare(token, name + (namelen - tokenlen),
+-                                      tokenlen);
+-            /* case C passes through, not a match */
++            /* ignore leading token dot as well */
++            token++;
++            tokenlen--;
+           }
+-          else
+-            match = (tokenlen == namelen) &&
+-              strncasecompare(token, name, namelen);
++          /* A: example.com matches 'example.com'
++             B: www.example.com matches 'example.com'
++             C: nonexample.com DOES NOT match 'example.com'
++          */
++          if(tokenlen == namelen)
++            /* case A, exact match */
++            match = strncasecompare(token, name, namelen);
++          else if(tokenlen < namelen) {
++            /* case B, tailmatch domain */
++            match = (name[namelen - tokenlen - 1] == '.') &&
++              strncasecompare(token, name + (namelen - tokenlen),
++                              tokenlen);
++          }
++          /* case C passes through, not a match */
+           break;
+         case TYPE_IPV4:
+           /* FALLTHROUGH */
+diff --git a/tests/unit/unit1614.c b/tests/unit/unit1614.c
+index 8f62b70..523d102 100644
+--- a/tests/unit/unit1614.c
++++ b/tests/unit/unit1614.c
+@@ -85,7 +85,8 @@ UNITTEST_START
+     { "www.example.com", "localhost,www.example.com.,.example.de", TRUE},
+     { "example.com", "localhost,example.com,.example.de", TRUE},
+     { "example.com.", "localhost,example.com,.example.de", TRUE},
+-    { "www.example.com", "localhost,example.com,.example.de", FALSE},
++    { "nexample.com", "localhost,example.com,.example.de", FALSE},
++    { "www.example.com", "localhost,example.com,.example.de", TRUE},
+     { "127.0.0.1", "127.0.0.1,localhost", TRUE},
+     { "127.0.0.1", "127.0.0.1,localhost,", TRUE},
+     { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE},
+-- 
+2.37.3
+

curl.spec

@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.86.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: MIT
 Source0: https://curl.se/download/%{name}-%{version}.tar.xz
 Source1: https://curl.se/download/%{name}-%{version}.tar.xz.asc
@@ -431,6 +431,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
 
 %changelog
+* Tue Nov 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.86.0-4
+- noproxy: tailmatch like in 7.85.0 and earlier (#2149224)
+
 * Thu Nov 24 2022 Kamil Dudka <kdudka@redhat.com> - 7.86.0-3
 - enforce versioned libnghttp2 dependency for libcurl (#2144277)