Lowercase the domain names before PSL checks

Resolves: RHEL-17598
2023-12-11 13:26:11 +01:00 · 2023-12-11 13:26:11 +01:00 · b5f595d624
commit b5f595d624
parent cc01c64754
3 changed files with 193 additions and 0 deletions
--- a/0059-curl-7.61.1-CVE-2023-46218.patch
+++ b/0059-curl-7.61.1-CVE-2023-46218.patch
@ -0,0 +1,48 @@
 From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 23 Nov 2023 08:15:47 +0100
 Subject: [PATCH] cookie: lowercase the domain names before PSL checks
 Reported-by: Harry Sintonen
 Closes #12387
 ---
 lib/cookie.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
 diff --git a/lib/cookie.c b/lib/cookie.c
 index 568cf537ad1b1f..9095cea3e97f22 100644
 --- a/lib/cookie.c
 +++ b/lib/cookie.c
@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
 #ifdef USE_LIBPSL
   /* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
   if(domain && co->domain && !isip(co->domain)) {
 -    const psl_ctx_t *psl = Curl_psl_use(data);
 -    int acceptable;
 -
 -    if(psl) {
 -      acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
 -      Curl_psl_release(data);
 +    bool acceptable = FALSE;
 +    char lcase[256];
 +    char lcookie[256];
 +    size_t dlen = strlen(domain);
 +    size_t clen = strlen(co->domain);
 +    if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
 +      const psl_ctx_t *psl = Curl_psl_use(data);
 +      if(psl) {
 +        /* the PSL check requires lowercase domain name and pattern */
 +        Curl_strntolower(lcase, domain, dlen + 1);
 +        Curl_strntolower(lcookie, co->domain, clen + 1);
 +        acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
 +        Curl_psl_release(data);
 +      }
 +      else
 +        acceptable = !bad_domain(domain);
     }
 -    else
 -      acceptable = !bad_domain(domain);
     if(!acceptable) {
       infof(data, "cookie '%s' dropped, domain '%s' must not "
--- a/0060-curl-7.61.1-lowercase-headernames.patch
+++ b/0060-curl-7.61.1-lowercase-headernames.patch
@ -0,0 +1,136 @@
 From 0023fce38d3bd6ee0e9b6ff8708fee1195057846 Mon Sep 17 00:00:00 2001
 From: Barry Pollard <barry_pollard@hotmail.com>
 Date: Sun, 22 Sep 2019 21:17:12 +0100
 Subject: [PATCH] http: lowercase headernames for HTTP/2 and HTTP/3
 Closes #4401
 Fixes #4400
 ---
 lib/strcase.c      | 84 ++++++++++++++++++++++++++++++++++++++++++++++
 lib/strcase.h      |  2 ++
 5 files changed, 95 insertions(+), 3 deletions(-)
 diff --git a/lib/strcase.c b/lib/strcase.c
 index 24bcca932..098cec7a8 100644
 --- a/lib/strcase.c
 +++ b/lib/strcase.c
@@ -93,6 +93,75 @@ char Curl_raw_toupper(char in)
   return in;
 }
 +
 +/* Portable, consistent tolower (remember EBCDIC). Do not use tolower() because
 +   its behavior is altered by the current locale. */
 +char Curl_raw_tolower(char in)
 +{
 +#if !defined(CURL_DOES_CONVERSIONS)
 +  if(in >= 'A' && in <= 'Z')
 +    return (char)('a' + in - 'A');
 +#else
 +  switch(in) {
 +  case 'A':
 +    return 'a';
 +  case 'B':
 +    return 'b';
 +  case 'C':
 +    return 'c';
 +  case 'D':
 +    return 'd';
 +  case 'E':
 +    return 'e';
 +  case 'F':
 +    return 'f';
 +  case 'G':
 +    return 'g';
 +  case 'H':
 +    return 'h';
 +  case 'I':
 +    return 'i';
 +  case 'J':
 +    return 'j';
 +  case 'K':
 +    return 'k';
 +  case 'L':
 +    return 'l';
 +  case 'M':
 +    return 'm';
 +  case 'N':
 +    return 'n';
 +  case 'O':
 +    return 'o';
 +  case 'P':
 +    return 'p';
 +  case 'Q':
 +    return 'q';
 +  case 'R':
 +    return 'r';
 +  case 'S':
 +    return 's';
 +  case 'T':
 +    return 't';
 +  case 'U':
 +    return 'u';
 +  case 'V':
 +    return 'v';
 +  case 'W':
 +    return 'w';
 +  case 'X':
 +    return 'X';
 +  case 'Y':
 +    return 'y';
 +  case 'Z':
 +    return 'z';
 +  }
 +#endif
 +
 +  return in;
 +}
 +
 +
 /*
  * Curl_strcasecompare() is for doing "raw" case insensitive strings. This is
  * meant to be locale independent and only compare strings we know are safe
@@ -234,6 +303,21 @@ void Curl_strntoupper(char *dest, const char *src, size_t n)
   } while(*src++ && --n);
 }
 +/* Copy a lower case version of the string from src to dest.  The
 + * strings may overlap.  No more than n characters of the string are copied
 + * (including any NUL) and the destination string will NOT be
 + * NUL-terminated if that limit is reached.
 + */
 +void Curl_strntolower(char *dest, const char *src, size_t n)
 +{
 +  if(n < 1)
 +    return;
 +
 +  do {
 +    *dest++ = Curl_raw_tolower(*src);
 +  } while(*src++ && --n);
 +}
 +
 /* Compare case-sensitive NUL-terminated strings, taking care of possible
  * null pointers. Return true if arguments match.
  */
 diff --git a/lib/strcase.h b/lib/strcase.h
 index 6fee3840e..2f07a74c9 100644
 --- a/lib/strcase.h
 +++ b/lib/strcase.h
@@ -40,12 +40,14 @@ int Curl_safe_strcasecompare(const char *first, const char *second);
 int Curl_strncasecompare(const char *first, const char *second, size_t max);
 char Curl_raw_toupper(char in);
 +char Curl_raw_tolower(char in);
 /* checkprefix() is a shorter version of the above, used when the first
    argument is zero-byte terminated */
 #define checkprefix(a,b)    curl_strnequal(a,b,strlen(a))
 void Curl_strntoupper(char *dest, const char *src, size_t n);
 +void Curl_strntolower(char *dest, const char *src, size_t n);
 bool Curl_safecmp(char *a, char *b);
 int Curl_timestrcmp(const char *first, const char *second);
 -- 
 2.43.0
--- a/curl.spec
+++ b/curl.spec
@ -169,6 +169,12 @@ Patch57:  0057-curl-7.61.1-consolidate-nghttp2-session-mem-recv.patch
 # when marked for closure and wanted to close == OK
 Patch58:  0058-curl-7.61.1-error-in-the-HTTP2-framing-layer.patch
 # lowercase the domain names before PSL checks (CVE-2023-46218)
 Patch59:  0059-curl-7.61.1-CVE-2023-46218.patch
 # lowercase headernames
 Patch60:  0060-curl-7.61.1-lowercase-headernames.patch
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@ -400,6 +406,8 @@ git apply %{PATCH52}
 %patch56 -p1
 %patch57 -p1
 %patch58 -p1
 %patch59 -p1
 %patch60 -p1
 # make tests/*.py use Python 3
 sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
@ -568,6 +576,7 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 - unify the upload/method handling (CVE-2023-28322)
 - fix cookie injection with none file (CVE-2023-38546)
 - fix HTTP2 connection failure with HTTP2 framing layer (RHEL-5657)
 - lowercase the domain names before PSL checks (CVE-2023-46218)
 * Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-33
 - fix host name wildcard checking (CVE-2023-28321)