Compare commits
No commits in common. "a9" and "c8" have entirely different histories.
@ -1 +1 @@
|
|||||||
d38ab79ef7a6d92df91ca8dfcf9a5eaf7e25b725 SOURCES/curl-7.76.1.tar.xz
|
8b56123714b4e061f0f71005c5be598b12f82483 SOURCES/curl-7.61.1.tar.xz
|
||||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/curl-7.76.1.tar.xz
|
SOURCES/curl-7.61.1.tar.xz
|
||||||
|
63
SOURCES/0001-curl-7.61.1-test320-gnutls.patch
Normal file
63
SOURCES/0001-curl-7.61.1-test320-gnutls.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
From 3cd5b375e31fb98e4782dc3a77e7316ad9eb26cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 4 Oct 2018 15:34:13 +0200
|
||||||
|
Subject: [PATCH] test320: strip out more HTML when comparing
|
||||||
|
|
||||||
|
To make the test case work with different gnutls-serv versions better.
|
||||||
|
|
||||||
|
Reported-by: Kamil Dudka
|
||||||
|
Fixes #3093
|
||||||
|
Closes #3094
|
||||||
|
|
||||||
|
Upstream-commit: 94ad57b0246b5658c2a9139dbe6a80efa4c4e2f3
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/test320 | 24 ++++--------------------
|
||||||
|
1 file changed, 4 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/test320 b/tests/data/test320
|
||||||
|
index 457a11eb2..87311d4f2 100644
|
||||||
|
--- a/tests/data/test320
|
||||||
|
+++ b/tests/data/test320
|
||||||
|
@@ -62,34 +62,18 @@ simple TLS-SRP HTTPS GET, check user in response
|
||||||
|
HTTP/1.0 200 OK
|
||||||
|
Content-type: text/html
|
||||||
|
|
||||||
|
-
|
||||||
|
-<HTML><BODY>
|
||||||
|
-<CENTER><H1>This is <a href="http://www.gnu.org/software/gnutls">GnuTLS</a></H1></CENTER>
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-
|
||||||
|
-<h5>If your browser supports session resuming, then you should see the same session ID, when you press the <b>reload</b> button.</h5>
|
||||||
|
-<p>Connected as user 'jsmith'.</p>
|
||||||
|
-<P>
|
||||||
|
-<TABLE border=1><TR><TD></TD></TR>
|
||||||
|
-<TR><TD>Key Exchange:</TD><TD>SRP</TD></TR>
|
||||||
|
-<TR><TD>Compression</TD><TD>NULL</TD></TR>
|
||||||
|
-<TR><TD>Cipher</TD><TD>AES-NNN-CBC</TD></TR>
|
||||||
|
-<TR><TD>MAC</TD><TD>SHA1</TD></TR>
|
||||||
|
-<TR><TD>Ciphersuite</TD><TD>SRP_SHA_AES_NNN_CBC_SHA1</TD></TR></p></TABLE>
|
||||||
|
-<hr><P>Your HTTP header was:<PRE>Host: %HOSTIP:%HTTPTLSPORT
|
||||||
|
+FINE
|
||||||
|
User-Agent: curl-test-suite
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
-</PRE></P>
|
||||||
|
-</BODY></HTML>
|
||||||
|
-
|
||||||
|
</file>
|
||||||
|
<stripfile>
|
||||||
|
-s/^<p>Session ID:.*//
|
||||||
|
+s/^<p>Connected as user 'jsmith'.*/FINE/
|
||||||
|
s/Protocol version:.*[0-9]//
|
||||||
|
s/GNUTLS/GnuTLS/
|
||||||
|
s/(AES[-_])\d\d\d([-_]CBC)/$1NNN$2/
|
||||||
|
+s/^<.*\n//
|
||||||
|
+s/^\n//
|
||||||
|
</stripfile>
|
||||||
|
</verify>
|
||||||
|
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
@ -1,133 +0,0 @@
|
|||||||
From 2281afef6757ed66c9e8a9a737aa91cb9e2950ef Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
Date: Fri, 30 Apr 2021 18:14:45 +0200
|
|
||||||
Subject: [PATCH 1/2] http2: fix resource leaks in set_transfer_url()
|
|
||||||
|
|
||||||
... detected by Coverity:
|
|
||||||
|
|
||||||
Error: RESOURCE_LEAK (CWE-772):
|
|
||||||
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
||||||
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
|
|
||||||
lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
||||||
lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
|
|
||||||
|
|
||||||
Error: RESOURCE_LEAK (CWE-772):
|
|
||||||
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
||||||
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
|
|
||||||
lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
||||||
lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
|
|
||||||
|
|
||||||
Error: RESOURCE_LEAK (CWE-772):
|
|
||||||
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
||||||
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
|
|
||||||
lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
||||||
lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
|
|
||||||
|
|
||||||
Error: RESOURCE_LEAK (CWE-772):
|
|
||||||
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
||||||
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
|
|
||||||
lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
||||||
lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.
|
|
||||||
|
|
||||||
Closes #6986
|
|
||||||
|
|
||||||
Upstream-commit: 31931704707324af4b4edb24cc877829f7e9949e
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/http2.c | 24 +++++++++++++++++-------
|
|
||||||
1 file changed, 17 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/http2.c b/lib/http2.c
|
|
||||||
index ce9a0d3..d5ba89b 100644
|
|
||||||
--- a/lib/http2.c
|
|
||||||
+++ b/lib/http2.c
|
|
||||||
@@ -500,32 +500,42 @@ static int set_transfer_url(struct Curl_easy *data,
|
|
||||||
CURLU *u = curl_url();
|
|
||||||
CURLUcode uc;
|
|
||||||
char *url;
|
|
||||||
+ int rc = 0;
|
|
||||||
|
|
||||||
v = curl_pushheader_byname(hp, ":scheme");
|
|
||||||
if(v) {
|
|
||||||
uc = curl_url_set(u, CURLUPART_SCHEME, v, 0);
|
|
||||||
- if(uc)
|
|
||||||
- return 1;
|
|
||||||
+ if(uc) {
|
|
||||||
+ rc = 1;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
v = curl_pushheader_byname(hp, ":authority");
|
|
||||||
if(v) {
|
|
||||||
uc = curl_url_set(u, CURLUPART_HOST, v, 0);
|
|
||||||
- if(uc)
|
|
||||||
- return 2;
|
|
||||||
+ if(uc) {
|
|
||||||
+ rc = 2;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
v = curl_pushheader_byname(hp, ":path");
|
|
||||||
if(v) {
|
|
||||||
uc = curl_url_set(u, CURLUPART_PATH, v, 0);
|
|
||||||
- if(uc)
|
|
||||||
- return 3;
|
|
||||||
+ if(uc) {
|
|
||||||
+ rc = 3;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
uc = curl_url_get(u, CURLUPART_URL, &url, 0);
|
|
||||||
if(uc)
|
|
||||||
- return 4;
|
|
||||||
+ rc = 4;
|
|
||||||
+ fail:
|
|
||||||
curl_url_cleanup(u);
|
|
||||||
+ if(rc)
|
|
||||||
+ return rc;
|
|
||||||
|
|
||||||
if(data->state.url_alloc)
|
|
||||||
free(data->state.url);
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
||||||
|
|
||||||
From 92ad72983f8462be1d5a5228672657ddf4d7ed72 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
Date: Fri, 30 Apr 2021 18:18:02 +0200
|
|
||||||
Subject: [PATCH 2/2] http2: fix a resource leak in push_promise()
|
|
||||||
|
|
||||||
... detected by Coverity:
|
|
||||||
|
|
||||||
Error: RESOURCE_LEAK (CWE-772):
|
|
||||||
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
|
|
||||||
lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
|
|
||||||
lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
|
|
||||||
lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.
|
|
||||||
|
|
||||||
Closes #6986
|
|
||||||
|
|
||||||
Upstream-commit: 3a6058cb976981ec1db870f9657c73c9a1162822
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/http2.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/lib/http2.c b/lib/http2.c
|
|
||||||
index d5ba89b..d0f69ea 100644
|
|
||||||
--- a/lib/http2.c
|
|
||||||
+++ b/lib/http2.c
|
|
||||||
@@ -581,6 +581,7 @@ static int push_promise(struct Curl_easy *data,
|
|
||||||
|
|
||||||
rv = set_transfer_url(newhandle, &heads);
|
|
||||||
if(rv) {
|
|
||||||
+ (void)Curl_close(&newhandle);
|
|
||||||
rv = CURL_PUSH_DENY;
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
28
SOURCES/0002-curl-7.61.1-tlsv1.0-man.patch
Normal file
28
SOURCES/0002-curl-7.61.1-tlsv1.0-man.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From c574e05b0035f0d78e6bf6040d3f80430112ab4f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Fri, 7 Sep 2018 16:50:45 +0200
|
||||||
|
Subject: [PATCH] docs/cmdline-opts: update the documentation of --tlsv1.0
|
||||||
|
|
||||||
|
... to reflect the changes in 6015cefb1b2cfde4b4850121c42405275e5e77d9
|
||||||
|
|
||||||
|
Closes #2955
|
||||||
|
|
||||||
|
Upstream-commit: 9ba22ce6b52751ed1e2abdd177b0a1d241819b4e
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
docs/cmdline-opts/tlsv1.0.d | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/docs/cmdline-opts/tlsv1.0.d b/docs/cmdline-opts/tlsv1.0.d
|
||||||
|
index 8789025e0..54e259682 100644
|
||||||
|
--- a/docs/cmdline-opts/tlsv1.0.d
|
||||||
|
+++ b/docs/cmdline-opts/tlsv1.0.d
|
||||||
|
@@ -3,4 +3,4 @@ Help: Use TLSv1.0
|
||||||
|
Protocols: TLS
|
||||||
|
Added: 7.34.0
|
||||||
|
---
|
||||||
|
-Forces curl to use TLS version 1.0 when connecting to a remote TLS server.
|
||||||
|
+Forces curl to use TLS version 1.0 or later when connecting to a remote TLS server.
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
46
SOURCES/0003-curl-7.61.1-TLS-1.3-PHA.patch
Normal file
46
SOURCES/0003-curl-7.61.1-TLS-1.3-PHA.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
From bb8ad3da3fb4ab3f6556daa1f67b259c12a3c7de Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <christian@python.org>
|
||||||
|
Date: Fri, 21 Sep 2018 10:37:43 +0200
|
||||||
|
Subject: [PATCH] OpenSSL: enable TLS 1.3 post-handshake auth
|
||||||
|
|
||||||
|
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
|
||||||
|
authentication.
|
||||||
|
|
||||||
|
Fixes: https://github.com/curl/curl/issues/3026
|
||||||
|
Signed-off-by: Christian Heimes <christian@python.org>
|
||||||
|
|
||||||
|
Closes https://github.com/curl/curl/pull/3027
|
||||||
|
|
||||||
|
Upstream-commit: b939bc47b27cd57c6ebb852ad653933e4124b452
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/openssl.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index a487f55..78970d1 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -178,6 +178,7 @@ static unsigned long OpenSSL_version_num(void)
|
||||||
|
!defined(LIBRESSL_VERSION_NUMBER) && \
|
||||||
|
!defined(OPENSSL_IS_BORINGSSL))
|
||||||
|
#define HAVE_SSL_CTX_SET_CIPHERSUITES
|
||||||
|
+#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
@@ -2467,6 +2468,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
|
||||||
|
+ /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
|
||||||
|
+ SSL_CTX_set_post_handshake_auth(BACKEND->ctx, 1);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
||||||
|
char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
81
SOURCES/0004-curl-7.61.1-CVE-2018-16842.patch
Normal file
81
SOURCES/0004-curl-7.61.1-CVE-2018-16842.patch
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
From 27d6c92acdac671ddf8f77f72956b2181561f774 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Sun, 28 Oct 2018 01:33:23 +0200
|
||||||
|
Subject: [PATCH 1/2] voutf: fix bad arethmetic when outputting warnings to
|
||||||
|
stderr
|
||||||
|
|
||||||
|
CVE-2018-16842
|
||||||
|
Reported-by: Brian Carpenter
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
|
||||||
|
|
||||||
|
Upstream-commit: d530e92f59ae9bb2d47066c3c460b25d2ffeb211
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
src/tool_msgs.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/tool_msgs.c b/src/tool_msgs.c
|
||||||
|
index 9cce806..05bec39 100644
|
||||||
|
--- a/src/tool_msgs.c
|
||||||
|
+++ b/src/tool_msgs.c
|
||||||
|
@@ -67,7 +67,7 @@ static void voutf(struct GlobalConfig *config,
|
||||||
|
(void)fwrite(ptr, cut + 1, 1, config->errors);
|
||||||
|
fputs("\n", config->errors);
|
||||||
|
ptr += cut + 1; /* skip the space too */
|
||||||
|
- len -= cut;
|
||||||
|
+ len -= cut + 1;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
fputs(ptr, config->errors);
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
||||||
|
|
||||||
|
From 23f8c641b02e6c302d0e8cc5a5ee225a33b01f28 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Sun, 28 Oct 2018 10:43:57 +0100
|
||||||
|
Subject: [PATCH 2/2] test2080: verify the fix for CVE-2018-16842
|
||||||
|
|
||||||
|
Upstream-commit: 350306e4726b71b5b386fc30e3fecc039a807157
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 4 ++--
|
||||||
|
tests/data/test2080 | Bin 0 -> 20659 bytes
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 tests/data/test2080
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index e045748..aa5fff0 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -198,7 +198,7 @@ test2048 test2049 test2050 test2051 test2052 test2053 test2054 test2055 \
|
||||||
|
test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
|
||||||
|
test2064 test2065 test2066 test2067 test2068 test2069 \
|
||||||
|
\
|
||||||
|
-test2070 test2071 test2072 test2073 \
|
||||||
|
-test2074 test2075 \
|
||||||
|
+test2070 test2071 test2072 test2073 test2074 test2075 \
|
||||||
|
+test2080 \
|
||||||
|
\
|
||||||
|
test3000 test3001
|
||||||
|
diff --git a/tests/data/test2080 b/tests/data/test2080
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000000000000000000000000000000..47e376ecb5d7879c0a98e392bff48ccc52e9db0a
|
||||||
|
GIT binary patch
|
||||||
|
literal 20659
|
||||||
|
zcmeI)Pj3@35QkyT{uI*`iBshYE(n>u@JB+F3kdG+t~asjwJY0gl}``eO+)FONU8ef
|
||||||
|
zl6Ca+%<OZ|nCeRHZE>A4K8~q<UAgUD%0ubY=PwtZRG;GL*UIRJ-;Lfy)u}p_A1>dz
|
||||||
|
zd{+G6l*#ToY+DU||F9%J1n*+KPxQ;7MapuoQ!&MMQSXmpqMh0_yS6g=;N;HNjilBk
|
||||||
|
zY$c?)mULZxib{;$g~jw~nrs|8b@sJI)_QmS_4(WLrNld}2Y0LEO$e>m->_NA&o$n!
|
||||||
|
z9^YDZ>cvMs2q1s}0tg_000PG)@a?$9VHyMwKmY**5I_I{1Q0m1z~!MEP#*yV5I_I{
|
||||||
|
z1Q0*~0R#|0009ILKmY**4ldvh-hl=PAb<b@2q1s}0tg`Rgaqum{m<+P&C93=Ab<b@
|
||||||
|
z2q1s}0tg_0z|jf3Ji3V(2mu5TK;StGoIK~3=iL!N0D=D{@VjlsoA=?(>-+Xw`j-8D
|
||||||
|
zzg+g?Rt8(G*s;1Sb>n1S94H%G<kGn)tFlRTrA%AW*RoyP3pi(fe!mc3WU^sQd2)l4
|
||||||
|
jB)+~1L0rx$OS-AbERTH}TH`mZ^*=|W_vMU!*i-li)g+9V
|
||||||
|
|
||||||
|
literal 0
|
||||||
|
HcmV?d00001
|
||||||
|
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 39b68b3f82535d06e50443db4c191dbaa00df4eb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Patrick Monnerat <patrick@monnerat.net>
|
|
||||||
Date: Fri, 23 Apr 2021 00:33:46 +0200
|
|
||||||
Subject: [PATCH] vtls: reset ssl use flag upon negotiation failure
|
|
||||||
|
|
||||||
Fixes the segfault in ldaps disconnect.
|
|
||||||
|
|
||||||
Reported-by: Illarion Taev
|
|
||||||
Fixes #6934
|
|
||||||
Closes #6937
|
|
||||||
|
|
||||||
Upstream-commit: a4554b2c5e7c5788c8198001598818599c60ff7d
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/vtls/vtls.c | 6 +++++-
|
|
||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
|
||||||
index 22cfb88..fa8a6fa 100644
|
|
||||||
--- a/lib/vtls/vtls.c
|
|
||||||
+++ b/lib/vtls/vtls.c
|
|
||||||
@@ -315,6 +315,8 @@ Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
|
|
||||||
|
|
||||||
if(!result)
|
|
||||||
Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
|
|
||||||
+ else
|
|
||||||
+ conn->ssl[sockindex].use = FALSE;
|
|
||||||
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
@@ -338,7 +340,9 @@ Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
|
|
||||||
/* mark this is being ssl requested from here on. */
|
|
||||||
conn->ssl[sockindex].use = TRUE;
|
|
||||||
result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
|
|
||||||
- if(!result && *done)
|
|
||||||
+ if(result)
|
|
||||||
+ conn->ssl[sockindex].use = FALSE;
|
|
||||||
+ else if(*done)
|
|
||||||
Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
39
SOURCES/0005-curl-7.61.1-CVE-2018-16840.patch
Normal file
39
SOURCES/0005-curl-7.61.1-CVE-2018-16840.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From 235f209a0e62edee654be441a50bb0c154edeaa5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 18 Oct 2018 15:07:15 +0200
|
||||||
|
Subject: [PATCH] Curl_close: clear data->multi_easy on free to avoid
|
||||||
|
use-after-free
|
||||||
|
|
||||||
|
Regression from b46cfbc068 (7.59.0)
|
||||||
|
CVE-2018-16840
|
||||||
|
Reported-by: Brian Carpenter (Geeknik Labs)
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
|
||||||
|
|
||||||
|
Upstream-commit: 81d135d67155c5295b1033679c606165d4e28f3f
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 4 +++-
|
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index f159008..dcc1ecc 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -319,10 +319,12 @@ CURLcode Curl_close(struct Curl_easy *data)
|
||||||
|
and detach this handle from there. */
|
||||||
|
curl_multi_remove_handle(data->multi, data);
|
||||||
|
|
||||||
|
- if(data->multi_easy)
|
||||||
|
+ if(data->multi_easy) {
|
||||||
|
/* when curl_easy_perform() is used, it creates its own multi handle to
|
||||||
|
use and this is the one */
|
||||||
|
curl_multi_cleanup(data->multi_easy);
|
||||||
|
+ data->multi_easy = NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Destroy the timeout list that is held in the easy handle. It is
|
||||||
|
/normally/ done by curl_multi_remove_handle() but this is "just in
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
@ -1,279 +0,0 @@
|
|||||||
From 30c7b4dd01734b6ba20bfc7790b9fe8bc0500214 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Sat, 19 Jun 2021 00:42:28 +0200
|
|
||||||
Subject: [PATCH] vtls: fix connection reuse checks for issuer cert and case
|
|
||||||
sensitivity
|
|
||||||
|
|
||||||
CVE-2021-22924
|
|
||||||
|
|
||||||
Reported-by: Harry Sintonen
|
|
||||||
Bug: https://curl.se/docs/CVE-2021-22924.html
|
|
||||||
|
|
||||||
Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/url.c | 10 ++++++----
|
|
||||||
lib/urldata.h | 4 ++--
|
|
||||||
lib/vtls/gtls.c | 10 +++++-----
|
|
||||||
lib/vtls/nss.c | 4 ++--
|
|
||||||
lib/vtls/openssl.c | 18 +++++++++---------
|
|
||||||
lib/vtls/vtls.c | 26 +++++++++++++++++++++-----
|
|
||||||
6 files changed, 45 insertions(+), 27 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/url.c b/lib/url.c
|
|
||||||
index 9f2c9f2..bdcb095 100644
|
|
||||||
--- a/lib/url.c
|
|
||||||
+++ b/lib/url.c
|
|
||||||
@@ -3723,6 +3723,8 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
||||||
*/
|
|
||||||
data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
|
|
||||||
data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
|
|
||||||
+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
|
||||||
+ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
|
|
||||||
data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
|
||||||
data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
|
||||||
data->set.ssl.primary.cipher_list =
|
|
||||||
@@ -3747,8 +3749,11 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
||||||
data->set.proxy_ssl.primary.pinned_key =
|
|
||||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
|
|
||||||
data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
|
|
||||||
+ data->set.proxy_ssl.primary.issuercert =
|
|
||||||
+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
|
||||||
+ data->set.proxy_ssl.primary.issuercert_blob =
|
|
||||||
+ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
|
|
||||||
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
|
||||||
- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
|
||||||
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
|
||||||
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
|
||||||
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
|
|
||||||
@@ -3757,7 +3762,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
||||||
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
|
||||||
#endif
|
|
||||||
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
|
||||||
- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
|
||||||
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
|
||||||
data->set.ssl.key = data->set.str[STRING_KEY];
|
|
||||||
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
|
|
||||||
@@ -3771,9 +3775,7 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
||||||
data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
|
||||||
#endif
|
|
||||||
#endif
|
|
||||||
-
|
|
||||||
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
|
|
||||||
- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
|
|
||||||
|
|
||||||
if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
|
|
||||||
&conn->ssl_config)) {
|
|
||||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
||||||
index 2bb7d81..7cf63d0 100644
|
|
||||||
--- a/lib/urldata.h
|
|
||||||
+++ b/lib/urldata.h
|
|
||||||
@@ -246,6 +246,7 @@ struct ssl_primary_config {
|
|
||||||
long version_max; /* max supported version the client wants to use*/
|
|
||||||
char *CApath; /* certificate dir (doesn't work on windows) */
|
|
||||||
char *CAfile; /* certificate to verify peer against */
|
|
||||||
+ char *issuercert; /* optional issuer certificate filename */
|
|
||||||
char *clientcert;
|
|
||||||
char *random_file; /* path to file containing "random" data */
|
|
||||||
char *egdsocket; /* path to file containing the EGD daemon socket */
|
|
||||||
@@ -253,6 +254,7 @@ struct ssl_primary_config {
|
|
||||||
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
|
||||||
char *pinned_key;
|
|
||||||
struct curl_blob *cert_blob;
|
|
||||||
+ struct curl_blob *issuercert_blob;
|
|
||||||
char *curves; /* list of curves to use */
|
|
||||||
BIT(verifypeer); /* set TRUE if this is desired */
|
|
||||||
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
|
|
||||||
@@ -264,8 +266,6 @@ struct ssl_config_data {
|
|
||||||
struct ssl_primary_config primary;
|
|
||||||
long certverifyresult; /* result from the certificate verification */
|
|
||||||
char *CRLfile; /* CRL to check certificate revocation */
|
|
||||||
- char *issuercert;/* optional issuer certificate filename */
|
|
||||||
- struct curl_blob *issuercert_blob;
|
|
||||||
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
|
||||||
void *fsslctxp; /* parameter for call back */
|
|
||||||
char *cert_type; /* format for certificate (default: PEM)*/
|
|
||||||
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
|
||||||
index ea54fe3..ccc5ce8 100644
|
|
||||||
--- a/lib/vtls/gtls.c
|
|
||||||
+++ b/lib/vtls/gtls.c
|
|
||||||
@@ -849,7 +849,7 @@ gtls_connect_step3(struct Curl_easy *data,
|
|
||||||
if(!chainp) {
|
|
||||||
if(SSL_CONN_CONFIG(verifypeer) ||
|
|
||||||
SSL_CONN_CONFIG(verifyhost) ||
|
|
||||||
- SSL_SET_OPTION(issuercert)) {
|
|
||||||
+ SSL_CONN_CONFIG(issuercert)) {
|
|
||||||
#ifdef HAVE_GNUTLS_SRP
|
|
||||||
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
|
||||||
&& SSL_SET_OPTION(username) != NULL
|
|
||||||
@@ -1033,21 +1033,21 @@ gtls_connect_step3(struct Curl_easy *data,
|
|
||||||
gnutls_x509_crt_t format */
|
|
||||||
gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
|
|
||||||
|
|
||||||
- if(SSL_SET_OPTION(issuercert)) {
|
|
||||||
+ if(SSL_CONN_CONFIG(issuercert)) {
|
|
||||||
gnutls_x509_crt_init(&x509_issuer);
|
|
||||||
- issuerp = load_file(SSL_SET_OPTION(issuercert));
|
|
||||||
+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
|
|
||||||
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
|
|
||||||
rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
|
|
||||||
gnutls_x509_crt_deinit(x509_issuer);
|
|
||||||
unload_file(issuerp);
|
|
||||||
if(rc <= 0) {
|
|
||||||
failf(data, "server certificate issuer check failed (IssuerCert: %s)",
|
|
||||||
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
|
||||||
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
|
||||||
gnutls_x509_crt_deinit(x509_cert);
|
|
||||||
return CURLE_SSL_ISSUER_ERROR;
|
|
||||||
}
|
|
||||||
infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
|
|
||||||
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
|
||||||
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
|
||||||
}
|
|
||||||
|
|
||||||
size = sizeof(certname);
|
|
||||||
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
|
||||||
index ae3945c..b0b1e8c 100644
|
|
||||||
--- a/lib/vtls/nss.c
|
|
||||||
+++ b/lib/vtls/nss.c
|
|
||||||
@@ -2156,9 +2156,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
|
|
||||||
if(result)
|
|
||||||
goto error;
|
|
||||||
|
|
||||||
- if(SSL_SET_OPTION(issuercert)) {
|
|
||||||
+ if(SSL_CONN_CONFIG(issuercert)) {
|
|
||||||
SECStatus ret = SECFailure;
|
|
||||||
- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
|
|
||||||
+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
|
|
||||||
if(nickname) {
|
|
||||||
/* we support only nicknames in case of issuercert for now */
|
|
||||||
ret = check_issuer_cert(backend->handle, nickname);
|
|
||||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
|
||||||
index 2404393..be7b811 100644
|
|
||||||
--- a/lib/vtls/openssl.c
|
|
||||||
+++ b/lib/vtls/openssl.c
|
|
||||||
@@ -3872,10 +3872,10 @@ static CURLcode servercert(struct Curl_easy *data,
|
|
||||||
deallocating the certificate. */
|
|
||||||
|
|
||||||
/* e.g. match issuer name with provided issuer certificate */
|
|
||||||
- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
|
|
||||||
- if(SSL_SET_OPTION(issuercert_blob))
|
|
||||||
- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
|
|
||||||
- (int)SSL_SET_OPTION(issuercert_blob)->len);
|
|
||||||
+ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
|
|
||||||
+ if(SSL_CONN_CONFIG(issuercert_blob))
|
|
||||||
+ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
|
|
||||||
+ (int)SSL_CONN_CONFIG(issuercert_blob)->len);
|
|
||||||
else {
|
|
||||||
fp = BIO_new(BIO_s_file());
|
|
||||||
if(fp == NULL) {
|
|
||||||
@@ -3889,10 +3889,10 @@ static CURLcode servercert(struct Curl_easy *data,
|
|
||||||
return CURLE_OUT_OF_MEMORY;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
|
|
||||||
+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
|
|
||||||
if(strict)
|
|
||||||
failf(data, "SSL: Unable to open issuer cert (%s)",
|
|
||||||
- SSL_SET_OPTION(issuercert));
|
|
||||||
+ SSL_CONN_CONFIG(issuercert));
|
|
||||||
BIO_free(fp);
|
|
||||||
X509_free(backend->server_cert);
|
|
||||||
backend->server_cert = NULL;
|
|
||||||
@@ -3904,7 +3904,7 @@ static CURLcode servercert(struct Curl_easy *data,
|
|
||||||
if(!issuer) {
|
|
||||||
if(strict)
|
|
||||||
failf(data, "SSL: Unable to read issuer cert (%s)",
|
|
||||||
- SSL_SET_OPTION(issuercert));
|
|
||||||
+ SSL_CONN_CONFIG(issuercert));
|
|
||||||
BIO_free(fp);
|
|
||||||
X509_free(issuer);
|
|
||||||
X509_free(backend->server_cert);
|
|
||||||
@@ -3915,7 +3915,7 @@ static CURLcode servercert(struct Curl_easy *data,
|
|
||||||
if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
|
|
||||||
if(strict)
|
|
||||||
failf(data, "SSL: Certificate issuer check failed (%s)",
|
|
||||||
- SSL_SET_OPTION(issuercert));
|
|
||||||
+ SSL_CONN_CONFIG(issuercert));
|
|
||||||
BIO_free(fp);
|
|
||||||
X509_free(issuer);
|
|
||||||
X509_free(backend->server_cert);
|
|
||||||
@@ -3924,7 +3924,7 @@ static CURLcode servercert(struct Curl_easy *data,
|
|
||||||
}
|
|
||||||
|
|
||||||
infof(data, " SSL certificate issuer check ok (%s)\n",
|
|
||||||
- SSL_SET_OPTION(issuercert));
|
|
||||||
+ SSL_CONN_CONFIG(issuercert));
|
|
||||||
BIO_free(fp);
|
|
||||||
X509_free(issuer);
|
|
||||||
}
|
|
||||||
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
|
||||||
index fa8a6fa..1aa6fc8 100644
|
|
||||||
--- a/lib/vtls/vtls.c
|
|
||||||
+++ b/lib/vtls/vtls.c
|
|
||||||
@@ -125,6 +125,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
|
||||||
return !memcmp(first->data, second->data, first->len); /* same data */
|
|
||||||
}
|
|
||||||
|
|
||||||
+static bool safecmp(char *a, char *b)
|
|
||||||
+{
|
|
||||||
+ if(a && b)
|
|
||||||
+ return !strcmp(a, b);
|
|
||||||
+ else if(!a && !b)
|
|
||||||
+ return TRUE; /* match */
|
|
||||||
+ return FALSE; /* no match */
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
bool
|
|
||||||
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
|
||||||
struct ssl_primary_config *needle)
|
|
||||||
@@ -135,11 +145,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
|
||||||
(data->verifyhost == needle->verifyhost) &&
|
|
||||||
(data->verifystatus == needle->verifystatus) &&
|
|
||||||
blobcmp(data->cert_blob, needle->cert_blob) &&
|
|
||||||
- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
|
|
||||||
- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
|
|
||||||
- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
|
|
||||||
- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
|
|
||||||
- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
|
|
||||||
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
|
||||||
+ safecmp(data->CApath, needle->CApath) &&
|
|
||||||
+ safecmp(data->CAfile, needle->CAfile) &&
|
|
||||||
+ safecmp(data->issuercert, needle->issuercert) &&
|
|
||||||
+ safecmp(data->clientcert, needle->clientcert) &&
|
|
||||||
+ safecmp(data->random_file, needle->random_file) &&
|
|
||||||
+ safecmp(data->egdsocket, needle->egdsocket) &&
|
|
||||||
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
|
||||||
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
|
||||||
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
|
||||||
@@ -161,8 +173,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
|
||||||
dest->sessionid = source->sessionid;
|
|
||||||
|
|
||||||
CLONE_BLOB(cert_blob);
|
|
||||||
+ CLONE_BLOB(issuercert_blob);
|
|
||||||
CLONE_STRING(CApath);
|
|
||||||
CLONE_STRING(CAfile);
|
|
||||||
+ CLONE_STRING(issuercert);
|
|
||||||
CLONE_STRING(clientcert);
|
|
||||||
CLONE_STRING(random_file);
|
|
||||||
CLONE_STRING(egdsocket);
|
|
||||||
@@ -178,6 +192,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
|
||||||
{
|
|
||||||
Curl_safefree(sslc->CApath);
|
|
||||||
Curl_safefree(sslc->CAfile);
|
|
||||||
+ Curl_safefree(sslc->issuercert);
|
|
||||||
Curl_safefree(sslc->clientcert);
|
|
||||||
Curl_safefree(sslc->random_file);
|
|
||||||
Curl_safefree(sslc->egdsocket);
|
|
||||||
@@ -185,6 +200,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
|
||||||
Curl_safefree(sslc->cipher_list13);
|
|
||||||
Curl_safefree(sslc->pinned_key);
|
|
||||||
Curl_safefree(sslc->cert_blob);
|
|
||||||
+ Curl_safefree(sslc->issuercert_blob);
|
|
||||||
Curl_safefree(sslc->curves);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
31
SOURCES/0006-curl-7.61.1-CVE-2018-16839.patch
Normal file
31
SOURCES/0006-curl-7.61.1-CVE-2018-16839.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Fri, 28 Sep 2018 16:08:16 +0200
|
||||||
|
Subject: [PATCH] Curl_auth_create_plain_message: fix too-large-input-check
|
||||||
|
|
||||||
|
CVE-2018-16839
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
|
||||||
|
|
||||||
|
Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vauth/cleartext.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
|
||||||
|
index 5d61ce6..1367143 100644
|
||||||
|
--- a/lib/vauth/cleartext.c
|
||||||
|
+++ b/lib/vauth/cleartext.c
|
||||||
|
@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
|
||||||
|
plen = strlen(passwdp);
|
||||||
|
|
||||||
|
/* Compute binary message length. Check for overflows. */
|
||||||
|
- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
|
||||||
|
+ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
plainlen = 2 * ulen + plen + 2;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
116
SOURCES/0007-curl-7.63.0-JO-preserve-local-file.patch
Normal file
116
SOURCES/0007-curl-7.63.0-JO-preserve-local-file.patch
Normal file
@ -0,0 +1,116 @@
|
|||||||
|
From ff74657fb645e7175971128a171ef7d5ece40d77 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 17 Dec 2018 12:51:51 +0100
|
||||||
|
Subject: [PATCH] curl -J: do not append to the destination file
|
||||||
|
|
||||||
|
Reported-by: Kamil Dudka
|
||||||
|
Fixes #3380
|
||||||
|
Closes #3381
|
||||||
|
|
||||||
|
Upstream-commit: 4849267197682e69cfa056c2bd7a44acd123a917
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
src/tool_cb_hdr.c | 6 +++---
|
||||||
|
src/tool_cb_wrt.c | 9 ++++-----
|
||||||
|
src/tool_cb_wrt.h | 2 +-
|
||||||
|
src/tool_operate.c | 2 +-
|
||||||
|
4 files changed, 9 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
|
||||||
|
index 84b0d9c..3844904 100644
|
||||||
|
--- a/src/tool_cb_hdr.c
|
||||||
|
+++ b/src/tool_cb_hdr.c
|
||||||
|
@@ -148,12 +148,12 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
|
||||||
|
outs->filename = filename;
|
||||||
|
outs->alloc_filename = TRUE;
|
||||||
|
hdrcbdata->honor_cd_filename = FALSE; /* done now! */
|
||||||
|
- if(!tool_create_output_file(outs, TRUE))
|
||||||
|
+ if(!tool_create_output_file(outs))
|
||||||
|
return failure;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
- if(!outs->stream && !tool_create_output_file(outs, FALSE))
|
||||||
|
+ if(!outs->stream && !tool_create_output_file(outs))
|
||||||
|
return failure;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -162,7 +162,7 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
|
||||||
|
/* bold headers only happen for HTTP(S) and RTSP */
|
||||||
|
char *value = NULL;
|
||||||
|
|
||||||
|
- if(!outs->stream && !tool_create_output_file(outs, FALSE))
|
||||||
|
+ if(!outs->stream && !tool_create_output_file(outs))
|
||||||
|
return failure;
|
||||||
|
|
||||||
|
if(hdrcbdata->global->isatty && hdrcbdata->global->styled_output)
|
||||||
|
diff --git a/src/tool_cb_wrt.c b/src/tool_cb_wrt.c
|
||||||
|
index 2cb5e1b..195d6e7 100644
|
||||||
|
--- a/src/tool_cb_wrt.c
|
||||||
|
+++ b/src/tool_cb_wrt.c
|
||||||
|
@@ -32,8 +32,7 @@
|
||||||
|
#include "memdebug.h" /* keep this as LAST include */
|
||||||
|
|
||||||
|
/* create a local file for writing, return TRUE on success */
|
||||||
|
-bool tool_create_output_file(struct OutStruct *outs,
|
||||||
|
- bool append)
|
||||||
|
+bool tool_create_output_file(struct OutStruct *outs)
|
||||||
|
{
|
||||||
|
struct GlobalConfig *global = outs->config->global;
|
||||||
|
FILE *file;
|
||||||
|
@@ -43,7 +42,7 @@ bool tool_create_output_file(struct OutStruct *outs,
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if(outs->is_cd_filename && !append) {
|
||||||
|
+ if(outs->is_cd_filename) {
|
||||||
|
/* don't overwrite existing files */
|
||||||
|
file = fopen(outs->filename, "rb");
|
||||||
|
if(file) {
|
||||||
|
@@ -55,7 +54,7 @@ bool tool_create_output_file(struct OutStruct *outs,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* open file for writing */
|
||||||
|
- file = fopen(outs->filename, append?"ab":"wb");
|
||||||
|
+ file = fopen(outs->filename, "wb");
|
||||||
|
if(!file) {
|
||||||
|
warnf(global, "Failed to create the file %s: %s\n", outs->filename,
|
||||||
|
strerror(errno));
|
||||||
|
@@ -142,7 +141,7 @@ size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if(!outs->stream && !tool_create_output_file(outs, FALSE))
|
||||||
|
+ if(!outs->stream && !tool_create_output_file(outs))
|
||||||
|
return failure;
|
||||||
|
|
||||||
|
if(is_tty && (outs->bytes < 2000) && !config->terminal_binary_ok) {
|
||||||
|
diff --git a/src/tool_cb_wrt.h b/src/tool_cb_wrt.h
|
||||||
|
index 51e002b..188d3ea 100644
|
||||||
|
--- a/src/tool_cb_wrt.h
|
||||||
|
+++ b/src/tool_cb_wrt.h
|
||||||
|
@@ -30,7 +30,7 @@
|
||||||
|
size_t tool_write_cb(char *buffer, size_t sz, size_t nmemb, void *userdata);
|
||||||
|
|
||||||
|
/* create a local file for writing, return TRUE on success */
|
||||||
|
-bool tool_create_output_file(struct OutStruct *outs, bool append);
|
||||||
|
+bool tool_create_output_file(struct OutStruct *outs);
|
||||||
|
|
||||||
|
#endif /* HEADER_CURL_TOOL_CB_WRT_H */
|
||||||
|
|
||||||
|
diff --git a/src/tool_operate.c b/src/tool_operate.c
|
||||||
|
index e53a9d8..429e9cf 100644
|
||||||
|
--- a/src/tool_operate.c
|
||||||
|
+++ b/src/tool_operate.c
|
||||||
|
@@ -1581,7 +1581,7 @@ static CURLcode operate_do(struct GlobalConfig *global,
|
||||||
|
/* do not create (or even overwrite) the file in case we get no
|
||||||
|
data because of unmet condition */
|
||||||
|
curl_easy_getinfo(curl, CURLINFO_CONDITION_UNMET, &cond_unmet);
|
||||||
|
- if(!cond_unmet && !tool_create_output_file(&outs, FALSE))
|
||||||
|
+ if(!cond_unmet && !tool_create_output_file(&outs))
|
||||||
|
result = CURLE_WRITE_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
@ -1,33 +0,0 @@
|
|||||||
From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
|
|
||||||
From: z2_ on hackerone <>
|
|
||||||
Date: Tue, 24 Aug 2021 09:50:33 +0200
|
|
||||||
Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
|
|
||||||
|
|
||||||
CVE-2021-22945
|
|
||||||
|
|
||||||
Bug: https://curl.se/docs/CVE-2021-22945.html
|
|
||||||
|
|
||||||
Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/mqtt.c | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lib/mqtt.c b/lib/mqtt.c
|
|
||||||
index d88fa73..f3fc045 100644
|
|
||||||
--- a/lib/mqtt.c
|
|
||||||
+++ b/lib/mqtt.c
|
|
||||||
@@ -128,6 +128,10 @@ static CURLcode mqtt_send(struct Curl_easy *data,
|
|
||||||
mq->sendleftovers = sendleftovers;
|
|
||||||
mq->nsend = nsend;
|
|
||||||
}
|
|
||||||
+ else {
|
|
||||||
+ mq->sendleftovers = NULL;
|
|
||||||
+ mq->nsend = 0;
|
|
||||||
+ }
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
4776
SOURCES/0008-curl-7.61.1-CVE-2018-20483.patch
Normal file
4776
SOURCES/0008-curl-7.61.1-CVE-2018-20483.patch
Normal file
File diff suppressed because it is too large
Load Diff
36
SOURCES/0009-curl-7.61.1-CVE-2018-16890.patch
Normal file
36
SOURCES/0009-curl-7.61.1-CVE-2018-16890.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
From 81c0e81531623251a0e78f7779c049f530abe733 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Wed, 2 Jan 2019 20:33:08 +0100
|
||||||
|
Subject: [PATCH] NTLM: fix size check condition for type2 received data
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
|
||||||
|
Reported-by: Wenxiang Qian
|
||||||
|
CVE-2018-16890
|
||||||
|
|
||||||
|
Upstream-commit: b780b30d1377adb10bbe774835f49e9b237fb9bb
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vauth/ntlm.c | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
|
||||||
|
index cdb8d8f..b614cda 100644
|
||||||
|
--- a/lib/vauth/ntlm.c
|
||||||
|
+++ b/lib/vauth/ntlm.c
|
||||||
|
@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
|
||||||
|
target_info_len = Curl_read16_le(&buffer[40]);
|
||||||
|
target_info_offset = Curl_read32_le(&buffer[44]);
|
||||||
|
if(target_info_len > 0) {
|
||||||
|
- if(((target_info_offset + target_info_len) > size) ||
|
||||||
|
+ if((target_info_offset >= size) ||
|
||||||
|
+ ((target_info_offset + target_info_len) > size) ||
|
||||||
|
(target_info_offset < 48)) {
|
||||||
|
infof(data, "NTLM handshake failure (bad type-2 message). "
|
||||||
|
- "Target Info Offset Len is set incorrect by the peer\n");
|
||||||
|
+ "Target Info Offset Len is set incorrect by the peer\n");
|
||||||
|
return CURLE_BAD_CONTENT_ENCODING;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
41
SOURCES/0010-curl-7.61.1-CVE-2019-3822.patch
Normal file
41
SOURCES/0010-curl-7.61.1-CVE-2019-3822.patch
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
From ab22e3a00f04b458039c21111cfa448051e5777d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 3 Jan 2019 12:59:28 +0100
|
||||||
|
Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
|
||||||
|
Reported-by: Wenxiang Qian
|
||||||
|
CVE-2019-3822
|
||||||
|
|
||||||
|
Upstream-commit: 50c9484278c63b958655a717844f0721263939cc
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vauth/ntlm.c | 11 +++++++----
|
||||||
|
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
|
||||||
|
index b614cda..a3a55d9 100644
|
||||||
|
--- a/lib/vauth/ntlm.c
|
||||||
|
+++ b/lib/vauth/ntlm.c
|
||||||
|
@@ -777,11 +777,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
|
||||||
|
});
|
||||||
|
|
||||||
|
#ifdef USE_NTRESPONSES
|
||||||
|
- if(size < (NTLM_BUFSIZE - ntresplen)) {
|
||||||
|
- DEBUGASSERT(size == (size_t)ntrespoff);
|
||||||
|
- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
|
||||||
|
- size += ntresplen;
|
||||||
|
+ /* ntresplen + size should not be risking an integer overflow here */
|
||||||
|
+ if(ntresplen + size > sizeof(ntlmbuf)) {
|
||||||
|
+ failf(data, "incoming NTLM message too big");
|
||||||
|
+ return CURLE_OUT_OF_MEMORY;
|
||||||
|
}
|
||||||
|
+ DEBUGASSERT(size == (size_t)ntrespoff);
|
||||||
|
+ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
|
||||||
|
+ size += ntresplen;
|
||||||
|
|
||||||
|
DEBUG_OUT({
|
||||||
|
fprintf(stderr, "\n ntresp=");
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
@ -1,148 +0,0 @@
|
|||||||
From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Patrick Monnerat <patrick@monnerat.net>
|
|
||||||
Date: Mon, 25 Apr 2022 11:44:05 +0200
|
|
||||||
Subject: [PATCH] url: check sasl additional parameters for connection reuse.
|
|
||||||
|
|
||||||
Also move static function safecmp() as non-static Curl_safecmp() since
|
|
||||||
its purpose is needed at several places.
|
|
||||||
|
|
||||||
Bug: https://curl.se/docs/CVE-2022-22576.html
|
|
||||||
|
|
||||||
CVE-2022-22576
|
|
||||||
|
|
||||||
Closes #8746
|
|
||||||
|
|
||||||
Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/strcase.c | 10 ++++++++++
|
|
||||||
lib/strcase.h | 2 ++
|
|
||||||
lib/url.c | 13 ++++++++++++-
|
|
||||||
lib/urldata.h | 1 +
|
|
||||||
lib/vtls/vtls.c | 21 ++++++---------------
|
|
||||||
5 files changed, 31 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/strcase.c b/lib/strcase.c
|
|
||||||
index dd46ca1..692a3f1 100644
|
|
||||||
--- a/lib/strcase.c
|
|
||||||
+++ b/lib/strcase.c
|
|
||||||
@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
|
|
||||||
} while(*src++ && --n);
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
|
||||||
+ * null pointers. Return true if arguments match.
|
|
||||||
+ */
|
|
||||||
+bool Curl_safecmp(char *a, char *b)
|
|
||||||
+{
|
|
||||||
+ if(a && b)
|
|
||||||
+ return !strcmp(a, b);
|
|
||||||
+ return !a && !b;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* --- public functions --- */
|
|
||||||
|
|
||||||
int curl_strequal(const char *first, const char *second)
|
|
||||||
diff --git a/lib/strcase.h b/lib/strcase.h
|
|
||||||
index b628656..382b80a 100644
|
|
||||||
--- a/lib/strcase.h
|
|
||||||
+++ b/lib/strcase.h
|
|
||||||
@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);
|
|
||||||
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
|
||||||
void Curl_strntolower(char *dest, const char *src, size_t n);
|
|
||||||
|
|
||||||
+bool Curl_safecmp(char *a, char *b);
|
|
||||||
+
|
|
||||||
#endif /* HEADER_CURL_STRCASE_H */
|
|
||||||
diff --git a/lib/url.c b/lib/url.c
|
|
||||||
index adef2cd..94e3406 100644
|
|
||||||
--- a/lib/url.c
|
|
||||||
+++ b/lib/url.c
|
|
||||||
@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn)
|
|
||||||
Curl_safefree(conn->passwd);
|
|
||||||
Curl_safefree(conn->sasl_authzid);
|
|
||||||
Curl_safefree(conn->options);
|
|
||||||
+ Curl_safefree(conn->oauth_bearer);
|
|
||||||
Curl_dyn_free(&conn->trailer);
|
|
||||||
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
|
||||||
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
|
|
||||||
@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data,
|
|
||||||
/* This protocol requires credentials per connection,
|
|
||||||
so verify that we're using the same name and password as well */
|
|
||||||
if(strcmp(needle->user, check->user) ||
|
|
||||||
- strcmp(needle->passwd, check->passwd)) {
|
|
||||||
+ strcmp(needle->passwd, check->passwd) ||
|
|
||||||
+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
|
|
||||||
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
|
|
||||||
/* one of them was different */
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if(data->set.str[STRING_BEARER]) {
|
|
||||||
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
|
||||||
+ if(!conn->oauth_bearer) {
|
|
||||||
+ result = CURLE_OUT_OF_MEMORY;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
#ifdef USE_UNIX_SOCKETS
|
|
||||||
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
|
||||||
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
|
||||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
||||||
index cc8a600..03da59a 100644
|
|
||||||
--- a/lib/urldata.h
|
|
||||||
+++ b/lib/urldata.h
|
|
||||||
@@ -991,6 +991,7 @@ struct connectdata {
|
|
||||||
char *passwd; /* password string, allocated */
|
|
||||||
char *options; /* options string, allocated */
|
|
||||||
char *sasl_authzid; /* authorisation identity string, allocated */
|
|
||||||
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
|
|
||||||
unsigned char httpversion; /* the HTTP version*10 reported by the server */
|
|
||||||
struct curltime now; /* "current" time */
|
|
||||||
struct curltime created; /* creation time */
|
|
||||||
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
|
||||||
index 03b85ba..a40ac06 100644
|
|
||||||
--- a/lib/vtls/vtls.c
|
|
||||||
+++ b/lib/vtls/vtls.c
|
|
||||||
@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
|
||||||
return !memcmp(first->data, second->data, first->len); /* same data */
|
|
||||||
}
|
|
||||||
|
|
||||||
-static bool safecmp(char *a, char *b)
|
|
||||||
-{
|
|
||||||
- if(a && b)
|
|
||||||
- return !strcmp(a, b);
|
|
||||||
- else if(!a && !b)
|
|
||||||
- return TRUE; /* match */
|
|
||||||
- return FALSE; /* no match */
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
|
|
||||||
bool
|
|
||||||
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
|
||||||
@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
|
||||||
(data->verifystatus == needle->verifystatus) &&
|
|
||||||
blobcmp(data->cert_blob, needle->cert_blob) &&
|
|
||||||
blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
|
||||||
- safecmp(data->CApath, needle->CApath) &&
|
|
||||||
- safecmp(data->CAfile, needle->CAfile) &&
|
|
||||||
- safecmp(data->issuercert, needle->issuercert) &&
|
|
||||||
- safecmp(data->clientcert, needle->clientcert) &&
|
|
||||||
- safecmp(data->random_file, needle->random_file) &&
|
|
||||||
- safecmp(data->egdsocket, needle->egdsocket) &&
|
|
||||||
+ Curl_safecmp(data->CApath, needle->CApath) &&
|
|
||||||
+ Curl_safecmp(data->CAfile, needle->CAfile) &&
|
|
||||||
+ Curl_safecmp(data->issuercert, needle->issuercert) &&
|
|
||||||
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
|
|
||||||
+ Curl_safecmp(data->random_file, needle->random_file) &&
|
|
||||||
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
|
||||||
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
|
||||||
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
|
||||||
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
50
SOURCES/0011-curl-7.61.1-CVE-2019-3823.patch
Normal file
50
SOURCES/0011-curl-7.61.1-CVE-2019-3823.patch
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
From d26f1025d0a0a6c602d758a2e0917759492473e9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Gustafsson <daniel@yesql.se>
|
||||||
|
Date: Sat, 19 Jan 2019 00:42:47 +0100
|
||||||
|
Subject: [PATCH] smtp: avoid risk of buffer overflow in strtol
|
||||||
|
|
||||||
|
If the incoming len 5, but the buffer does not have a termination
|
||||||
|
after 5 bytes, the strtol() call may keep reading through the line
|
||||||
|
buffer until is exceeds its boundary. Fix by ensuring that we are
|
||||||
|
using a bounded read with a temporary buffer on the stack.
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
|
||||||
|
Reported-by: Brian Carpenter (Geeknik Labs)
|
||||||
|
CVE-2019-3823
|
||||||
|
|
||||||
|
Upstream-commit: 39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/smtp.c | 8 ++++++--
|
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/smtp.c b/lib/smtp.c
|
||||||
|
index ecf10a4..1b9f92d 100644
|
||||||
|
--- a/lib/smtp.c
|
||||||
|
+++ b/lib/smtp.c
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
* | (__| |_| | _ <| |___
|
||||||
|
* \___|\___/|_| \_\_____|
|
||||||
|
*
|
||||||
|
- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
*
|
||||||
|
* This software is licensed as described in the file COPYING, which
|
||||||
|
* you should have received as part of this distribution. The terms
|
||||||
|
@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len,
|
||||||
|
Section 4. Examples of RFC-4954 but some e-mail servers ignore this and
|
||||||
|
only send the response code instead as per Section 4.2. */
|
||||||
|
if(line[3] == ' ' || len == 5) {
|
||||||
|
+ char tmpline[6];
|
||||||
|
+
|
||||||
|
result = TRUE;
|
||||||
|
- *resp = curlx_sltosi(strtol(line, NULL, 10));
|
||||||
|
+ memset(tmpline, '\0', sizeof(tmpline));
|
||||||
|
+ memcpy(tmpline, line, (len == 5 ? 5 : 3));
|
||||||
|
+ *resp = curlx_sltosi(strtol(tmpline, NULL, 10));
|
||||||
|
|
||||||
|
/* Make sure real server never sends internal value */
|
||||||
|
if(*resp == 1)
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
@ -1,40 +0,0 @@
|
|||||||
From 187d0795030ccb4f410eb6089e265ac3571e56dd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Mon, 25 Apr 2022 11:48:00 +0200
|
|
||||||
Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
|
|
||||||
|
|
||||||
Make connections to two separate IPv6 zone ids create separate
|
|
||||||
connections.
|
|
||||||
|
|
||||||
Reported-by: Harry Sintonen
|
|
||||||
Bug: https://curl.se/docs/CVE-2022-27775.html
|
|
||||||
Closes #8747
|
|
||||||
|
|
||||||
Upstream-commit: 058f98dc3fe595f21dc26a5b9b1699e519ba5705
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/conncache.c | 8 ++++++--
|
|
||||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/conncache.c b/lib/conncache.c
|
|
||||||
index cd5756a..9b9f683 100644
|
|
||||||
--- a/lib/conncache.c
|
|
||||||
+++ b/lib/conncache.c
|
|
||||||
@@ -159,8 +159,12 @@ static void hashkey(struct connectdata *conn, char *buf,
|
|
||||||
/* report back which name we used */
|
|
||||||
*hostp = hostname;
|
|
||||||
|
|
||||||
- /* put the number first so that the hostname gets cut off if too long */
|
|
||||||
- msnprintf(buf, len, "%ld%s", port, hostname);
|
|
||||||
+ /* put the numbers first so that the hostname gets cut off if too long */
|
|
||||||
+#ifdef ENABLE_IPV6
|
|
||||||
+ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
|
|
||||||
+#else
|
|
||||||
+ msnprintf(buf, len, "%ld/%s", port, hostname);
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Returns number of connections currently held in the connection cache.
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
@ -1,243 +0,0 @@
|
|||||||
From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Mon, 25 Apr 2022 13:05:40 +0200
|
|
||||||
Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
|
|
||||||
|
|
||||||
CVE-2022-27776
|
|
||||||
|
|
||||||
Reported-by: Harry Sintonen
|
|
||||||
Bug: https://curl.se/docs/CVE-2022-27776.html
|
|
||||||
Closes #8749
|
|
||||||
|
|
||||||
Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/http.c | 33 +++++++++++++++++++++------------
|
|
||||||
lib/urldata.h | 16 +++++++++-------
|
|
||||||
2 files changed, 30 insertions(+), 19 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/http.c b/lib/http.c
|
|
||||||
index 799d4fb..0791dcf 100644
|
|
||||||
--- a/lib/http.c
|
|
||||||
+++ b/lib/http.c
|
|
||||||
@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
|
|
||||||
return CURLE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
|
||||||
+ * data" can (still) be sent to this host.
|
|
||||||
+ */
|
|
||||||
+static bool allow_auth_to_host(struct Curl_easy *data)
|
|
||||||
+{
|
|
||||||
+ struct connectdata *conn = data->conn;
|
|
||||||
+ return (!data->state.this_is_a_follow ||
|
|
||||||
+ data->set.allow_auth_to_other_hosts ||
|
|
||||||
+ (data->state.first_host &&
|
|
||||||
+ strcasecompare(data->state.first_host, conn->host.name) &&
|
|
||||||
+ (data->state.first_remote_port == conn->remote_port) &&
|
|
||||||
+ (data->state.first_remote_protocol == conn->handler->protocol)));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* Curl_http_output_auth() setups the authentication headers for the
|
|
||||||
* host/proxy and the correct authentication
|
|
||||||
@@ -847,15 +862,11 @@ Curl_http_output_auth(struct Curl_easy *data,
|
|
||||||
with it */
|
|
||||||
authproxy->done = TRUE;
|
|
||||||
|
|
||||||
- /* To prevent the user+password to get sent to other than the original
|
|
||||||
- host due to a location-follow, we do some weirdo checks here */
|
|
||||||
- if(!data->state.this_is_a_follow ||
|
|
||||||
- conn->bits.netrc ||
|
|
||||||
- !data->state.first_host ||
|
|
||||||
- data->set.allow_auth_to_other_hosts ||
|
|
||||||
- strcasecompare(data->state.first_host, conn->host.name)) {
|
|
||||||
+ /* To prevent the user+password to get sent to other than the original host
|
|
||||||
+ due to a location-follow */
|
|
||||||
+ if(allow_auth_to_host(data)
|
|
||||||
+ || conn->bits.netrc)
|
|
||||||
result = output_auth_headers(data, conn, authhost, request, path, FALSE);
|
|
||||||
- }
|
|
||||||
else
|
|
||||||
authhost->done = TRUE;
|
|
||||||
|
|
||||||
@@ -1906,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
|
|
||||||
checkprefix("Cookie:", compare)) &&
|
|
||||||
/* be careful of sending this potentially sensitive header to
|
|
||||||
other hosts */
|
|
||||||
- (data->state.this_is_a_follow &&
|
|
||||||
- data->state.first_host &&
|
|
||||||
- !data->set.allow_auth_to_other_hosts &&
|
|
||||||
- !strcasecompare(data->state.first_host, conn->host.name)))
|
|
||||||
+ !allow_auth_to_host(data))
|
|
||||||
;
|
|
||||||
else {
|
|
||||||
#ifdef USE_HYPER
|
|
||||||
@@ -2081,6 +2089,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
|
|
||||||
return CURLE_OUT_OF_MEMORY;
|
|
||||||
|
|
||||||
data->state.first_remote_port = conn->remote_port;
|
|
||||||
+ data->state.first_remote_protocol = conn->handler->protocol;
|
|
||||||
}
|
|
||||||
Curl_safefree(data->state.aptr.host);
|
|
||||||
|
|
||||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
||||||
index 03da59a..f92052a 100644
|
|
||||||
--- a/lib/urldata.h
|
|
||||||
+++ b/lib/urldata.h
|
|
||||||
@@ -1336,14 +1336,16 @@ struct UrlState {
|
|
||||||
char *ulbuf; /* allocated upload buffer or NULL */
|
|
||||||
curl_off_t current_speed; /* the ProgressShow() function sets this,
|
|
||||||
bytes / second */
|
|
||||||
- char *first_host; /* host name of the first (not followed) request.
|
|
||||||
- if set, this should be the host name that we will
|
|
||||||
- sent authorization to, no else. Used to make Location:
|
|
||||||
- following not keep sending user+password... This is
|
|
||||||
- strdup() data.
|
|
||||||
- */
|
|
||||||
+
|
|
||||||
+ /* host name, port number and protocol of the first (not followed) request.
|
|
||||||
+ if set, this should be the host name that we will sent authorization to,
|
|
||||||
+ no else. Used to make Location: following not keep sending user+password.
|
|
||||||
+ This is strdup()ed data. */
|
|
||||||
+ char *first_host;
|
|
||||||
+ int first_remote_port;
|
|
||||||
+ unsigned int first_remote_protocol;
|
|
||||||
+
|
|
||||||
int retrycount; /* number of retries on a new connection */
|
|
||||||
- int first_remote_port; /* remote port of the first (not followed) request */
|
|
||||||
struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
|
|
||||||
long sessionage; /* number of the most recent session */
|
|
||||||
struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
|
|
||||||
From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Mon, 25 Apr 2022 13:05:47 +0200
|
|
||||||
Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
|
|
||||||
|
|
||||||
Do not pass on Authorization headers on redirects to another port
|
|
||||||
|
|
||||||
Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
tests/data/Makefile.inc | 2 +-
|
|
||||||
tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
2 files changed, 91 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 tests/data/test898
|
|
||||||
|
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
||||||
index 59d46bc..7ae2cf8 100644
|
|
||||||
--- a/tests/data/Makefile.inc
|
|
||||||
+++ b/tests/data/Makefile.inc
|
|
||||||
@@ -106,7 +106,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
|
|
||||||
test863 test864 test865 test866 test867 test868 test869 test870 test871 \
|
|
||||||
test872 test873 test874 test875 test876 test877 test878 test879 test880 \
|
|
||||||
test881 test882 test883 test884 test885 test886 test887 test888 test889 \
|
|
||||||
-test890 test891 test892 test893 test894 test895 test896 \
|
|
||||||
+test890 test891 test892 test893 test894 test895 test896 test898 \
|
|
||||||
\
|
|
||||||
test900 test901 test902 test903 test904 test905 test906 test907 test908 \
|
|
||||||
test909 test910 test911 test912 test913 test914 test915 test916 test917 \
|
|
||||||
diff --git a/tests/data/test898 b/tests/data/test898
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..5cbb7d8
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test898
|
|
||||||
@@ -0,0 +1,90 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+--location
|
|
||||||
+Authorization
|
|
||||||
+Cookie
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+<data>
|
|
||||||
+HTTP/1.1 301 redirect
|
|
||||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
||||||
+Server: test-server/fake
|
|
||||||
+Content-Length: 0
|
|
||||||
+Connection: close
|
|
||||||
+Content-Type: text/html
|
|
||||||
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
|
||||||
+
|
|
||||||
+</data>
|
|
||||||
+<data2>
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
||||||
+Server: test-server/fake
|
|
||||||
+Content-Length: 4
|
|
||||||
+Connection: close
|
|
||||||
+Content-Type: text/html
|
|
||||||
+
|
|
||||||
+hey
|
|
||||||
+</data2>
|
|
||||||
+
|
|
||||||
+<datacheck>
|
|
||||||
+HTTP/1.1 301 redirect
|
|
||||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
||||||
+Server: test-server/fake
|
|
||||||
+Content-Length: 0
|
|
||||||
+Connection: close
|
|
||||||
+Content-Type: text/html
|
|
||||||
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
|
||||||
+
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
||||||
+Server: test-server/fake
|
|
||||||
+Content-Length: 4
|
|
||||||
+Connection: close
|
|
||||||
+Content-Type: text/html
|
|
||||||
+
|
|
||||||
+hey
|
|
||||||
+</datacheck>
|
|
||||||
+
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+</server>
|
|
||||||
+ <name>
|
|
||||||
+HTTP with custom auth and cookies redirected to HTTP on a diff port
|
|
||||||
+ </name>
|
|
||||||
+ <command>
|
|
||||||
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
|
|
||||||
+</command>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<protocol>
|
|
||||||
+GET http://firsthost.com/ HTTP/1.1
|
|
||||||
+Host: firsthost.com
|
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
|
||||||
+Proxy-Connection: Keep-Alive
|
|
||||||
+Authorization: Basic am9lOnNlY3JldA==
|
|
||||||
+Cookie: userpwd=am9lOnNlY3JldA==
|
|
||||||
+
|
|
||||||
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
|
||||||
+Host: firsthost.com:9999
|
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
|
||||||
+Proxy-Connection: Keep-Alive
|
|
||||||
+
|
|
||||||
+</protocol>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
66
SOURCES/0014-curl-7.61.1-libssh-socket.patch
Normal file
66
SOURCES/0014-curl-7.61.1-libssh-socket.patch
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
From 095d4cf3b1c388b2871e3783f8c41b1e01200a25 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
|
||||||
|
Date: Wed, 23 Jan 2019 23:47:55 +0100
|
||||||
|
Subject: [PATCH] libssh: do not let libssh create socket
|
||||||
|
|
||||||
|
By default, libssh creates a new socket, instead of using the socket
|
||||||
|
created by curl for SSH connections.
|
||||||
|
|
||||||
|
Pass the socket created by curl to libssh using ssh_options_set() with
|
||||||
|
SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket
|
||||||
|
instead of creating a new one.
|
||||||
|
|
||||||
|
This approach is very similar to what is done in the libssh2 code, where
|
||||||
|
the socket created by curl is passed to libssh2 when
|
||||||
|
libssh2_session_startup() is called.
|
||||||
|
|
||||||
|
Fixes #3491
|
||||||
|
Closes #3495
|
||||||
|
|
||||||
|
Upstream-commit: 15c94b310bf9e0c92d71fca5a88eb67a1e2548a6
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/ssh-libssh.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||||
|
index 7d59089..4110be2 100644
|
||||||
|
--- a/lib/ssh-libssh.c
|
||||||
|
+++ b/lib/ssh-libssh.c
|
||||||
|
@@ -549,6 +549,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
|
||||||
|
struct Curl_easy *data = conn->data;
|
||||||
|
struct SSHPROTO *protop = data->req.protop;
|
||||||
|
struct ssh_conn *sshc = &conn->proto.sshc;
|
||||||
|
+ curl_socket_t sock = conn->sock[FIRSTSOCKET];
|
||||||
|
int rc = SSH_NO_ERROR, err;
|
||||||
|
char *new_readdir_line;
|
||||||
|
int seekerr = CURL_SEEKFUNC_OK;
|
||||||
|
@@ -792,7 +793,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
|
||||||
|
|
||||||
|
Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSH is connected */
|
||||||
|
|
||||||
|
- conn->sockfd = ssh_get_fd(sshc->ssh_session);
|
||||||
|
+ conn->sockfd = sock;
|
||||||
|
conn->writesockfd = CURL_SOCKET_BAD;
|
||||||
|
|
||||||
|
if(conn->handler->protocol == CURLPROTO_SFTP) {
|
||||||
|
@@ -2048,6 +2049,7 @@ static CURLcode myssh_connect(struct connectdata *conn, bool *done)
|
||||||
|
{
|
||||||
|
struct ssh_conn *ssh;
|
||||||
|
CURLcode result;
|
||||||
|
+ curl_socket_t sock = conn->sock[FIRSTSOCKET];
|
||||||
|
struct Curl_easy *data = conn->data;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
@@ -2076,6 +2078,8 @@ static CURLcode myssh_connect(struct connectdata *conn, bool *done)
|
||||||
|
return CURLE_FAILED_INIT;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ ssh_options_set(ssh->ssh_session, SSH_OPTIONS_FD, &sock);
|
||||||
|
+
|
||||||
|
if(conn->user) {
|
||||||
|
infof(data, "User: %s\n", conn->user);
|
||||||
|
ssh_options_set(ssh->ssh_session, SSH_OPTIONS_USER, conn->user);
|
||||||
|
--
|
||||||
|
2.17.2
|
||||||
|
|
@ -1,101 +0,0 @@
|
|||||||
From 85a8c0e9992cee271145ecf009f60b9bee9b7a60 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
Date: Wed, 15 Sep 2021 09:59:14 +0200
|
|
||||||
Subject: [PATCH] tests/sshserver.pl: make it work with openssh-8.7p1
|
|
||||||
|
|
||||||
... by not using options with no argument where an argument is required:
|
|
||||||
|
|
||||||
=== Start of file tests/log/ssh_server.log
|
|
||||||
curl_sshd_config line 6: no argument after keyword "DenyGroups"
|
|
||||||
curl_sshd_config line 7: no argument after keyword "AllowGroups"
|
|
||||||
curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
|
|
||||||
curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
|
|
||||||
curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
|
|
||||||
curl_sshd_config line 40: Deprecated option RSAAuthentication
|
|
||||||
curl_sshd_config line 41: Deprecated option ServerKeyBits
|
|
||||||
curl_sshd_config line 45: Deprecated option UseLogin
|
|
||||||
curl_sshd_config line 56: no argument after keyword "AcceptEnv"
|
|
||||||
curl_sshd_config: terminating, 3 bad configuration options
|
|
||||||
=== End of file tests/log/ssh_server.log
|
|
||||||
|
|
||||||
=== Start of file log/sftp_server.log
|
|
||||||
curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
|
|
||||||
curl_sftp_config line 34: Unsupported option "rsaauthentication"
|
|
||||||
curl_sftp_config line 52: no argument after keyword "sendenv"
|
|
||||||
curl_sftp_config: terminating, 1 bad configuration options
|
|
||||||
Connection closed.
|
|
||||||
Connection closed
|
|
||||||
=== End of file log/sftp_server.log
|
|
||||||
|
|
||||||
Closes #7724
|
|
||||||
|
|
||||||
Upstream-commit: ab78d2c679dfb37b27e89f42ad050c3153fa7513
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
tests/sshserver.pl | 14 --------------
|
|
||||||
1 file changed, 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/sshserver.pl b/tests/sshserver.pl
|
|
||||||
index 9441939..2afaace 100644
|
|
||||||
--- a/tests/sshserver.pl
|
|
||||||
+++ b/tests/sshserver.pl
|
|
||||||
@@ -428,9 +428,7 @@ if ($sshdid =~ /OpenSSH-Windows/) {
|
|
||||||
# ssh daemon configuration file options we might use and version support
|
|
||||||
#
|
|
||||||
# AFSTokenPassing : OpenSSH 1.2.1 and later [1]
|
|
||||||
-# AcceptEnv : OpenSSH 3.9.0 and later
|
|
||||||
# AddressFamily : OpenSSH 4.0.0 and later
|
|
||||||
-# AllowGroups : OpenSSH 1.2.1 and later
|
|
||||||
# AllowTcpForwarding : OpenSSH 2.3.0 and later
|
|
||||||
# AllowUsers : OpenSSH 1.2.1 and later
|
|
||||||
# AuthorizedKeysFile : OpenSSH 2.9.9 and later
|
|
||||||
@@ -441,7 +439,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
|
|
||||||
# ClientAliveCountMax : OpenSSH 2.9.0 and later
|
|
||||||
# ClientAliveInterval : OpenSSH 2.9.0 and later
|
|
||||||
# Compression : OpenSSH 3.3.0 and later
|
|
||||||
-# DenyGroups : OpenSSH 1.2.1 and later
|
|
||||||
# DenyUsers : OpenSSH 1.2.1 and later
|
|
||||||
# ForceCommand : OpenSSH 4.4.0 and later [3]
|
|
||||||
# GatewayPorts : OpenSSH 2.1.0 and later
|
|
||||||
@@ -534,9 +531,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
|
|
||||||
push @cfgarr, "AllowUsers $username";
|
|
||||||
}
|
|
||||||
|
|
||||||
-push @cfgarr, 'DenyGroups';
|
|
||||||
-push @cfgarr, 'AllowGroups';
|
|
||||||
-push @cfgarr, '#';
|
|
||||||
push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config";
|
|
||||||
push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config";
|
|
||||||
push @cfgarr, "HostKey $hstprvkeyf_config";
|
|
||||||
@@ -684,9 +678,6 @@ push @cfgarr, '#';
|
|
||||||
#***************************************************************************
|
|
||||||
# Options that might be supported or not in sshd OpenSSH 2.9.9 and later
|
|
||||||
#
|
|
||||||
-if(sshd_supports_opt('AcceptEnv','')) {
|
|
||||||
- push @cfgarr, 'AcceptEnv';
|
|
||||||
-}
|
|
||||||
if(sshd_supports_opt('AddressFamily','any')) {
|
|
||||||
# Address family must be specified before ListenAddress
|
|
||||||
splice @cfgarr, 14, 0, 'AddressFamily any';
|
|
||||||
@@ -873,7 +864,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
|
|
||||||
# RemoteForward : OpenSSH 1.2.1 and later [3]
|
|
||||||
# RhostsRSAAuthentication : OpenSSH 1.2.1 and later
|
|
||||||
# RSAAuthentication : OpenSSH 1.2.1 and later
|
|
||||||
-# SendEnv : OpenSSH 3.9.0 and later
|
|
||||||
# ServerAliveCountMax : OpenSSH 3.8.0 and later
|
|
||||||
# ServerAliveInterval : OpenSSH 3.8.0 and later
|
|
||||||
# SmartcardDevice : OpenSSH 2.9.9 and later [1][3]
|
|
||||||
@@ -1028,10 +1018,6 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
|
|
||||||
push @cfgarr, 'RekeyLimit 1G';
|
|
||||||
}
|
|
||||||
|
|
||||||
-if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
|
|
||||||
- push @cfgarr, 'SendEnv';
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
|
|
||||||
(($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
|
|
||||||
push @cfgarr, 'ServerAliveCountMax 3';
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
31
SOURCES/0017-curl-7.64.0-CVE-2019-5436.patch
Normal file
31
SOURCES/0017-curl-7.64.0-CVE-2019-5436.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From 55a27027d5f024a0ecc2c23c81ed99de6192c9f3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Fri, 3 May 2019 22:20:37 +0200
|
||||||
|
Subject: [PATCH] tftp: use the current blksize for recvfrom()
|
||||||
|
|
||||||
|
bug: https://curl.haxx.se/docs/CVE-2019-5436.html
|
||||||
|
Reported-by: l00p3r on hackerone
|
||||||
|
CVE-2019-5436
|
||||||
|
|
||||||
|
Upstream-commit: 2576003415625d7b5f0e390902f8097830b82275
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/tftp.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||||
|
index 269b3cd..4f2a131 100644
|
||||||
|
--- a/lib/tftp.c
|
||||||
|
+++ b/lib/tftp.c
|
||||||
|
@@ -1005,7 +1005,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||||
|
state->sockfd = state->conn->sock[FIRSTSOCKET];
|
||||||
|
state->state = TFTP_STATE_START;
|
||||||
|
state->error = TFTP_ERR_NONE;
|
||||||
|
- state->blksize = TFTP_BLKSIZE_DEFAULT;
|
||||||
|
+ state->blksize = blksize;
|
||||||
|
state->requested_blksize = blksize;
|
||||||
|
|
||||||
|
((struct sockaddr *)&state->local_addr)->sa_family =
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
158
SOURCES/0018-curl-7.65.3-CVE-2019-5482.patch
Normal file
158
SOURCES/0018-curl-7.65.3-CVE-2019-5482.patch
Normal file
@ -0,0 +1,158 @@
|
|||||||
|
From 63f9837b4ccf600da79314e8667f91bda69988fc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Vegas <>
|
||||||
|
Date: Sat, 31 Aug 2019 16:59:56 +0200
|
||||||
|
Subject: [PATCH 1/2] tftp: return error when packet is too small for options
|
||||||
|
|
||||||
|
Upstream-commit: 82f3ba3806a34fe94dcf9e5c9b88deda6679ca1b
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/tftp.c | 53 +++++++++++++++++++++++++++++++++--------------------
|
||||||
|
1 file changed, 33 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||||
|
index 289cda2..4532170 100644
|
||||||
|
--- a/lib/tftp.c
|
||||||
|
+++ b/lib/tftp.c
|
||||||
|
@@ -404,13 +404,14 @@ static CURLcode tftp_parse_option_ack(tftp_state_data_t *state,
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static size_t tftp_option_add(tftp_state_data_t *state, size_t csize,
|
||||||
|
- char *buf, const char *option)
|
||||||
|
+static CURLcode tftp_option_add(tftp_state_data_t *state, size_t *csize,
|
||||||
|
+ char *buf, const char *option)
|
||||||
|
{
|
||||||
|
- if(( strlen(option) + csize + 1) > (size_t)state->blksize)
|
||||||
|
- return 0;
|
||||||
|
+ if(( strlen(option) + *csize + 1) > (size_t)state->blksize)
|
||||||
|
+ return CURLE_TFTP_ILLEGAL;
|
||||||
|
strcpy(buf, option);
|
||||||
|
- return strlen(option) + 1;
|
||||||
|
+ *csize += strlen(option) + 1;
|
||||||
|
+ return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
static CURLcode tftp_connect_for_tx(tftp_state_data_t *state,
|
||||||
|
@@ -511,26 +512,38 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
|
||||||
|
else
|
||||||
|
strcpy(buf, "0"); /* the destination is large enough */
|
||||||
|
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes,
|
||||||
|
- TFTP_OPTION_TSIZE);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes,
|
||||||
|
+ TFTP_OPTION_TSIZE);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+
|
||||||
|
/* add blksize option */
|
||||||
|
snprintf(buf, sizeof(buf), "%d", state->requested_blksize);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes,
|
||||||
|
- TFTP_OPTION_BLKSIZE);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes,
|
||||||
|
+ TFTP_OPTION_BLKSIZE);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes, buf);
|
||||||
|
|
||||||
|
/* add timeout option */
|
||||||
|
snprintf(buf, sizeof(buf), "%d", state->retry_time);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes,
|
||||||
|
- TFTP_OPTION_INTERVAL);
|
||||||
|
- sbytes += tftp_option_add(state, sbytes,
|
||||||
|
- (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes,
|
||||||
|
+ TFTP_OPTION_INTERVAL);
|
||||||
|
+ if(result == CURLE_OK)
|
||||||
|
+ result = tftp_option_add(state, &sbytes,
|
||||||
|
+ (char *)state->spacket.data + sbytes, buf);
|
||||||
|
+
|
||||||
|
+ if(result != CURLE_OK) {
|
||||||
|
+ failf(data, "TFTP buffer too small for options");
|
||||||
|
+ free(filename);
|
||||||
|
+ return CURLE_TFTP_ILLEGAL;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* the typecase for the 3rd argument is mostly for systems that do
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
|
|
||||||
|
From b6b12a4cfe00c4850a1d6cee4cf267f00dee5987 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Thomas Vegas <>
|
||||||
|
Date: Sat, 31 Aug 2019 17:30:51 +0200
|
||||||
|
Subject: [PATCH 2/2] tftp: Alloc maximum blksize, and use default unless OACK
|
||||||
|
is received
|
||||||
|
|
||||||
|
Fixes potential buffer overflow from 'recvfrom()', should the server
|
||||||
|
return an OACK without blksize.
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
|
||||||
|
CVE-2019-5482
|
||||||
|
|
||||||
|
Upstream-commit: facb0e4662415b5f28163e853dc6742ac5fafb3d
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/tftp.c | 12 +++++++++---
|
||||||
|
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||||
|
index 4532170..5651b62 100644
|
||||||
|
--- a/lib/tftp.c
|
||||||
|
+++ b/lib/tftp.c
|
||||||
|
@@ -982,6 +982,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||||
|
{
|
||||||
|
tftp_state_data_t *state;
|
||||||
|
int blksize;
|
||||||
|
+ int need_blksize;
|
||||||
|
|
||||||
|
blksize = TFTP_BLKSIZE_DEFAULT;
|
||||||
|
|
||||||
|
@@ -996,15 +997,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||||
|
return CURLE_TFTP_ILLEGAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ need_blksize = blksize;
|
||||||
|
+ /* default size is the fallback when no OACK is received */
|
||||||
|
+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
|
||||||
|
+ need_blksize = TFTP_BLKSIZE_DEFAULT;
|
||||||
|
+
|
||||||
|
if(!state->rpacket.data) {
|
||||||
|
- state->rpacket.data = calloc(1, blksize + 2 + 2);
|
||||||
|
+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
|
||||||
|
|
||||||
|
if(!state->rpacket.data)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!state->spacket.data) {
|
||||||
|
- state->spacket.data = calloc(1, blksize + 2 + 2);
|
||||||
|
+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
|
||||||
|
|
||||||
|
if(!state->spacket.data)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
@@ -1018,7 +1024,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
|
||||||
|
state->sockfd = state->conn->sock[FIRSTSOCKET];
|
||||||
|
state->state = TFTP_STATE_START;
|
||||||
|
state->error = TFTP_ERR_NONE;
|
||||||
|
- state->blksize = blksize;
|
||||||
|
+ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
|
||||||
|
state->requested_blksize = blksize;
|
||||||
|
|
||||||
|
((struct sockaddr *)&state->local_addr)->sa_family =
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
46
SOURCES/0019-curl-7.65.3-CVE-2019-5481.patch
Normal file
46
SOURCES/0019-curl-7.65.3-CVE-2019-5481.patch
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
From 13de299b112a59c373b330f0539166ecc9a7627b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 3 Sep 2019 22:59:32 +0200
|
||||||
|
Subject: [PATCH] security:read_data fix bad realloc()
|
||||||
|
|
||||||
|
... that could end up a double-free
|
||||||
|
|
||||||
|
CVE-2019-5481
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
|
||||||
|
|
||||||
|
Upstream-commit: 9069838b30fb3b48af0123e39f664cea683254a5
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/security.c | 6 ++----
|
||||||
|
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/security.c b/lib/security.c
|
||||||
|
index 550ea2d..c5e4e13 100644
|
||||||
|
--- a/lib/security.c
|
||||||
|
+++ b/lib/security.c
|
||||||
|
@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
|
struct krb5buffer *buf)
|
||||||
|
{
|
||||||
|
int len;
|
||||||
|
- void *tmp = NULL;
|
||||||
|
CURLcode result;
|
||||||
|
|
||||||
|
result = socket_read(fd, &len, sizeof(len));
|
||||||
|
@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
|
if(len) {
|
||||||
|
/* only realloc if there was a length */
|
||||||
|
len = ntohl(len);
|
||||||
|
- tmp = Curl_saferealloc(buf->data, len);
|
||||||
|
+ buf->data = Curl_saferealloc(buf->data, len);
|
||||||
|
}
|
||||||
|
- if(tmp == NULL)
|
||||||
|
+ if(!len || !buf->data)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
- buf->data = tmp;
|
||||||
|
result = socket_read(fd, buf->data, len);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -1,425 +0,0 @@
|
|||||||
From 36b47377c2d1a8d141d1ef810102748f27384f5c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Wed, 25 May 2022 10:09:53 +0200
|
|
||||||
Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files
|
|
||||||
|
|
||||||
Bug: https://curl.se/docs/CVE-2022-32207.html
|
|
||||||
CVE-2022-32207
|
|
||||||
Reported-by: Harry Sintonen
|
|
||||||
Closes #9050
|
|
||||||
|
|
||||||
Upstream-commit: 20f9dd6bae50b7223171b17ba7798946e74f877f
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
CMakeLists.txt | 1 +
|
|
||||||
configure.ac | 1 +
|
|
||||||
lib/Makefile.inc | 2 +
|
|
||||||
lib/cookie.c | 17 ++----
|
|
||||||
lib/curl_config.h.cmake | 3 ++
|
|
||||||
lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
lib/fopen.h | 30 +++++++++++
|
|
||||||
7 files changed, 154 insertions(+), 13 deletions(-)
|
|
||||||
create mode 100644 lib/fopen.c
|
|
||||||
create mode 100644 lib/fopen.h
|
|
||||||
|
|
||||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
||||||
index b77de6d..a0bfaad 100644
|
|
||||||
--- a/CMakeLists.txt
|
|
||||||
+++ b/CMakeLists.txt
|
|
||||||
@@ -982,6 +982,7 @@ elseif(HAVE_LIBSOCKET)
|
|
||||||
set(CMAKE_REQUIRED_LIBRARIES socket)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
+check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
|
|
||||||
check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
|
|
||||||
check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
|
|
||||||
check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
|
|
||||||
diff --git a/configure.ac b/configure.ac
|
|
||||||
index d431870..7433bb9 100644
|
|
||||||
--- a/configure.ac
|
|
||||||
+++ b/configure.ac
|
|
||||||
@@ -4516,6 +4516,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
|
|
||||||
|
|
||||||
|
|
||||||
AC_CHECK_FUNCS([fnmatch \
|
|
||||||
+ fchmod \
|
|
||||||
geteuid \
|
|
||||||
getpass_r \
|
|
||||||
getppid \
|
|
||||||
diff --git a/lib/Makefile.inc b/lib/Makefile.inc
|
|
||||||
index e8f110f..5139b03 100644
|
|
||||||
--- a/lib/Makefile.inc
|
|
||||||
+++ b/lib/Makefile.inc
|
|
||||||
@@ -130,6 +130,7 @@ LIB_CFILES = \
|
|
||||||
escape.c \
|
|
||||||
file.c \
|
|
||||||
fileinfo.c \
|
|
||||||
+ fopen.c \
|
|
||||||
formdata.c \
|
|
||||||
ftp.c \
|
|
||||||
ftplistparser.c \
|
|
||||||
@@ -261,6 +262,7 @@ LIB_HFILES = \
|
|
||||||
escape.h \
|
|
||||||
file.h \
|
|
||||||
fileinfo.h \
|
|
||||||
+ fopen.h \
|
|
||||||
formdata.h \
|
|
||||||
ftp.h \
|
|
||||||
ftplistparser.h \
|
|
||||||
diff --git a/lib/cookie.c b/lib/cookie.c
|
|
||||||
index 8a6aa1a..cb0c03b 100644
|
|
||||||
--- a/lib/cookie.c
|
|
||||||
+++ b/lib/cookie.c
|
|
||||||
@@ -97,8 +97,8 @@ Example set of cookies:
|
|
||||||
#include "curl_memrchr.h"
|
|
||||||
#include "inet_pton.h"
|
|
||||||
#include "parsedate.h"
|
|
||||||
-#include "rand.h"
|
|
||||||
#include "rename.h"
|
|
||||||
+#include "fopen.h"
|
|
||||||
|
|
||||||
/* The last 3 #include files should be in this order */
|
|
||||||
#include "curl_printf.h"
|
|
||||||
@@ -1537,17 +1537,8 @@ static int cookie_output(struct Curl_easy *data,
|
|
||||||
use_stdout = TRUE;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
- unsigned char randsuffix[9];
|
|
||||||
-
|
|
||||||
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
|
|
||||||
- return 2;
|
|
||||||
-
|
|
||||||
- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
|
|
||||||
- if(!tempstore)
|
|
||||||
- return 1;
|
|
||||||
-
|
|
||||||
- out = fopen(tempstore, FOPEN_WRITETEXT);
|
|
||||||
- if(!out)
|
|
||||||
+ error = Curl_fopen(data, filename, &out, &tempstore);
|
|
||||||
+ if(error)
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1594,7 +1585,7 @@ static int cookie_output(struct Curl_easy *data,
|
|
||||||
if(!use_stdout) {
|
|
||||||
fclose(out);
|
|
||||||
out = NULL;
|
|
||||||
- if(Curl_rename(tempstore, filename)) {
|
|
||||||
+ if(tempstore && Curl_rename(tempstore, filename)) {
|
|
||||||
unlink(tempstore);
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
|
|
||||||
index d2a0f43..c254359 100644
|
|
||||||
--- a/lib/curl_config.h.cmake
|
|
||||||
+++ b/lib/curl_config.h.cmake
|
|
||||||
@@ -148,6 +148,9 @@
|
|
||||||
/* Define to 1 if you have the <assert.h> header file. */
|
|
||||||
#cmakedefine HAVE_ASSERT_H 1
|
|
||||||
|
|
||||||
+/* Define to 1 if you have the `fchmod' function. */
|
|
||||||
+#cmakedefine HAVE_FCHMOD 1
|
|
||||||
+
|
|
||||||
/* Define to 1 if you have the `basename' function. */
|
|
||||||
#cmakedefine HAVE_BASENAME 1
|
|
||||||
|
|
||||||
diff --git a/lib/fopen.c b/lib/fopen.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..ad3691b
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/lib/fopen.c
|
|
||||||
@@ -0,0 +1,113 @@
|
|
||||||
+/***************************************************************************
|
|
||||||
+ * _ _ ____ _
|
|
||||||
+ * Project ___| | | | _ \| |
|
|
||||||
+ * / __| | | | |_) | |
|
|
||||||
+ * | (__| |_| | _ <| |___
|
|
||||||
+ * \___|\___/|_| \_\_____|
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ *
|
|
||||||
+ * This software is licensed as described in the file COPYING, which
|
|
||||||
+ * you should have received as part of this distribution. The terms
|
|
||||||
+ * are also available at https://curl.se/docs/copyright.html.
|
|
||||||
+ *
|
|
||||||
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
||||||
+ * copies of the Software, and permit persons to whom the Software is
|
|
||||||
+ * furnished to do so, under the terms of the COPYING file.
|
|
||||||
+ *
|
|
||||||
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
||||||
+ * KIND, either express or implied.
|
|
||||||
+ *
|
|
||||||
+ * SPDX-License-Identifier: curl
|
|
||||||
+ *
|
|
||||||
+ ***************************************************************************/
|
|
||||||
+
|
|
||||||
+#include "curl_setup.h"
|
|
||||||
+
|
|
||||||
+#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
|
|
||||||
+ defined(USE_HSTS)
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_FCNTL_H
|
|
||||||
+#include <fcntl.h>
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#include "urldata.h"
|
|
||||||
+#include "rand.h"
|
|
||||||
+#include "fopen.h"
|
|
||||||
+/* The last 3 #include files should be in this order */
|
|
||||||
+#include "curl_printf.h"
|
|
||||||
+#include "curl_memory.h"
|
|
||||||
+#include "memdebug.h"
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Curl_fopen() opens a file for writing with a temp name, to be renamed
|
|
||||||
+ * to the final name when completed. If there is an existing file using this
|
|
||||||
+ * name at the time of the open, this function will clone the mode from that
|
|
||||||
+ * file. if 'tempname' is non-NULL, it needs a rename after the file is
|
|
||||||
+ * written.
|
|
||||||
+ */
|
|
||||||
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
|
|
||||||
+ FILE **fh, char **tempname)
|
|
||||||
+{
|
|
||||||
+ CURLcode result = CURLE_WRITE_ERROR;
|
|
||||||
+ unsigned char randsuffix[9];
|
|
||||||
+ char *tempstore = NULL;
|
|
||||||
+ struct_stat sb;
|
|
||||||
+ int fd = -1;
|
|
||||||
+ *tempname = NULL;
|
|
||||||
+
|
|
||||||
+ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
|
|
||||||
+ /* a non-regular file, fallback to direct fopen() */
|
|
||||||
+ *fh = fopen(filename, FOPEN_WRITETEXT);
|
|
||||||
+ if(*fh)
|
|
||||||
+ return CURLE_OK;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
|
|
||||||
+ if(result)
|
|
||||||
+ goto fail;
|
|
||||||
+
|
|
||||||
+ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
|
|
||||||
+ if(!tempstore) {
|
|
||||||
+ result = CURLE_OUT_OF_MEMORY;
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ result = CURLE_WRITE_ERROR;
|
|
||||||
+ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
|
|
||||||
+ if(fd == -1)
|
|
||||||
+ goto fail;
|
|
||||||
+
|
|
||||||
+#ifdef HAVE_FCHMOD
|
|
||||||
+ {
|
|
||||||
+ struct_stat nsb;
|
|
||||||
+ if((fstat(fd, &nsb) != -1) &&
|
|
||||||
+ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
|
|
||||||
+ /* if the user and group are the same, clone the original mode */
|
|
||||||
+ if(fchmod(fd, sb.st_mode) == -1)
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ *fh = fdopen(fd, FOPEN_WRITETEXT);
|
|
||||||
+ if(!*fh)
|
|
||||||
+ goto fail;
|
|
||||||
+
|
|
||||||
+ *tempname = tempstore;
|
|
||||||
+ return CURLE_OK;
|
|
||||||
+
|
|
||||||
+fail:
|
|
||||||
+ if(fd != -1) {
|
|
||||||
+ close(fd);
|
|
||||||
+ unlink(tempstore);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(tempstore);
|
|
||||||
+
|
|
||||||
+ *tempname = NULL;
|
|
||||||
+ return result;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#endif /* ! disabled */
|
|
||||||
diff --git a/lib/fopen.h b/lib/fopen.h
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..289e55f
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/lib/fopen.h
|
|
||||||
@@ -0,0 +1,30 @@
|
|
||||||
+#ifndef HEADER_CURL_FOPEN_H
|
|
||||||
+#define HEADER_CURL_FOPEN_H
|
|
||||||
+/***************************************************************************
|
|
||||||
+ * _ _ ____ _
|
|
||||||
+ * Project ___| | | | _ \| |
|
|
||||||
+ * / __| | | | |_) | |
|
|
||||||
+ * | (__| |_| | _ <| |___
|
|
||||||
+ * \___|\___/|_| \_\_____|
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ *
|
|
||||||
+ * This software is licensed as described in the file COPYING, which
|
|
||||||
+ * you should have received as part of this distribution. The terms
|
|
||||||
+ * are also available at https://curl.se/docs/copyright.html.
|
|
||||||
+ *
|
|
||||||
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
||||||
+ * copies of the Software, and permit persons to whom the Software is
|
|
||||||
+ * furnished to do so, under the terms of the COPYING file.
|
|
||||||
+ *
|
|
||||||
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
||||||
+ * KIND, either express or implied.
|
|
||||||
+ *
|
|
||||||
+ * SPDX-License-Identifier: curl
|
|
||||||
+ *
|
|
||||||
+ ***************************************************************************/
|
|
||||||
+
|
|
||||||
+CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
|
|
||||||
+ FILE **fh, char **tempname);
|
|
||||||
+
|
|
||||||
+#endif
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
||||||
|
|
||||||
From bd7af48238b058e9b46fdf2e1333b355920c341c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Wed, 25 May 2022 10:09:53 +0200
|
|
||||||
Subject: [PATCH 2/3] altsvc: use Curl_fopen()
|
|
||||||
|
|
||||||
Upstream-commit: fab970a5d19c1faa2052239ec1e2602b892cbeb2
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/altsvc.c | 22 ++++++----------------
|
|
||||||
1 file changed, 6 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/altsvc.c b/lib/altsvc.c
|
|
||||||
index 242733b..4dc4078 100644
|
|
||||||
--- a/lib/altsvc.c
|
|
||||||
+++ b/lib/altsvc.c
|
|
||||||
@@ -34,7 +34,7 @@
|
|
||||||
#include "parsedate.h"
|
|
||||||
#include "sendf.h"
|
|
||||||
#include "warnless.h"
|
|
||||||
-#include "rand.h"
|
|
||||||
+#include "fopen.h"
|
|
||||||
#include "rename.h"
|
|
||||||
|
|
||||||
/* The last 3 #include files should be in this order */
|
|
||||||
@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
|
|
||||||
struct Curl_llist_element *n;
|
|
||||||
CURLcode result = CURLE_OK;
|
|
||||||
FILE *out;
|
|
||||||
- char *tempstore;
|
|
||||||
- unsigned char randsuffix[9];
|
|
||||||
+ char *tempstore = NULL;
|
|
||||||
|
|
||||||
if(!altsvc)
|
|
||||||
/* no cache activated */
|
|
||||||
@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
|
|
||||||
/* marked as read-only, no file or zero length file name */
|
|
||||||
return CURLE_OK;
|
|
||||||
|
|
||||||
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
|
|
||||||
- return CURLE_FAILED_INIT;
|
|
||||||
-
|
|
||||||
- tempstore = aprintf("%s.%s.tmp", file, randsuffix);
|
|
||||||
- if(!tempstore)
|
|
||||||
- return CURLE_OUT_OF_MEMORY;
|
|
||||||
-
|
|
||||||
- out = fopen(tempstore, FOPEN_WRITETEXT);
|
|
||||||
- if(!out)
|
|
||||||
- result = CURLE_WRITE_ERROR;
|
|
||||||
- else {
|
|
||||||
+ result = Curl_fopen(data, file, &out, &tempstore);
|
|
||||||
+ if(!result) {
|
|
||||||
fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n"
|
|
||||||
"# This file was generated by libcurl! Edit at your own risk.\n",
|
|
||||||
out);
|
|
||||||
@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_easy *data,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
fclose(out);
|
|
||||||
- if(!result && Curl_rename(tempstore, file))
|
|
||||||
+ if(!result && tempstore && Curl_rename(tempstore, file))
|
|
||||||
result = CURLE_WRITE_ERROR;
|
|
||||||
|
|
||||||
- if(result)
|
|
||||||
+ if(result && tempstore)
|
|
||||||
unlink(tempstore);
|
|
||||||
}
|
|
||||||
free(tempstore);
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
||||||
|
|
||||||
From 2011622a36fa715f38277422241e77e25dfdf0d0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Wed, 25 May 2022 10:09:54 +0200
|
|
||||||
Subject: [PATCH 3/3] hsts: use Curl_fopen()
|
|
||||||
|
|
||||||
Upstream-commit: d64115d7bb8ae4c136b620912da523c063f1d2ee
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/hsts.c | 22 ++++++----------------
|
|
||||||
1 file changed, 6 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/hsts.c b/lib/hsts.c
|
|
||||||
index b9fa6f7..9d54c82 100644
|
|
||||||
--- a/lib/hsts.c
|
|
||||||
+++ b/lib/hsts.c
|
|
||||||
@@ -35,7 +35,7 @@
|
|
||||||
#include "sendf.h"
|
|
||||||
#include "strtoofft.h"
|
|
||||||
#include "parsedate.h"
|
|
||||||
-#include "rand.h"
|
|
||||||
+#include "fopen.h"
|
|
||||||
#include "rename.h"
|
|
||||||
|
|
||||||
/* The last 3 #include files should be in this order */
|
|
||||||
@@ -316,8 +316,7 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
|
|
||||||
struct Curl_llist_element *n;
|
|
||||||
CURLcode result = CURLE_OK;
|
|
||||||
FILE *out;
|
|
||||||
- char *tempstore;
|
|
||||||
- unsigned char randsuffix[9];
|
|
||||||
+ char *tempstore = NULL;
|
|
||||||
|
|
||||||
if(!h)
|
|
||||||
/* no cache activated */
|
|
||||||
@@ -331,17 +330,8 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
|
|
||||||
/* marked as read-only, no file or zero length file name */
|
|
||||||
goto skipsave;
|
|
||||||
|
|
||||||
- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
|
|
||||||
- return CURLE_FAILED_INIT;
|
|
||||||
-
|
|
||||||
- tempstore = aprintf("%s.%s.tmp", file, randsuffix);
|
|
||||||
- if(!tempstore)
|
|
||||||
- return CURLE_OUT_OF_MEMORY;
|
|
||||||
-
|
|
||||||
- out = fopen(tempstore, FOPEN_WRITETEXT);
|
|
||||||
- if(!out)
|
|
||||||
- result = CURLE_WRITE_ERROR;
|
|
||||||
- else {
|
|
||||||
+ result = Curl_fopen(data, file, &out, &tempstore);
|
|
||||||
+ if(!result) {
|
|
||||||
fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n"
|
|
||||||
"# This file was generated by libcurl! Edit at your own risk.\n",
|
|
||||||
out);
|
|
||||||
@@ -353,10 +343,10 @@ CURLcode Curl_hsts_save(struct Curl_easy *data, struct hsts *h,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
fclose(out);
|
|
||||||
- if(!result && Curl_rename(tempstore, file))
|
|
||||||
+ if(!result && tempstore && Curl_rename(tempstore, file))
|
|
||||||
result = CURLE_WRITE_ERROR;
|
|
||||||
|
|
||||||
- if(result)
|
|
||||||
+ if(result && tempstore)
|
|
||||||
unlink(tempstore);
|
|
||||||
}
|
|
||||||
free(tempstore);
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
33
SOURCES/0020-curl-7.61.1-openssl-engines.patch
Normal file
33
SOURCES/0020-curl-7.61.1-openssl-engines.patch
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
From 032843be4cefcb163d15573d15a228680e771106 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 24 Sep 2018 08:26:58 +0200
|
||||||
|
Subject: [PATCH] openssl: load built-in engines too
|
||||||
|
|
||||||
|
Regression since 38203f1
|
||||||
|
|
||||||
|
Reported-by: Jean Fabrice
|
||||||
|
Fixes #3023
|
||||||
|
Closes #3040
|
||||||
|
|
||||||
|
Upstream-commit: e2dd435d473cdc97785df95d032276fafb4b7746
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/openssl.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 78970d1..d8bcc4f 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -979,7 +979,7 @@ static int Curl_ossl_init(void)
|
||||||
|
|
||||||
|
OPENSSL_load_builtin_modules();
|
||||||
|
|
||||||
|
-#ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
|
||||||
|
+#ifdef USE_OPENSSL_ENGINE
|
||||||
|
ENGINE_load_builtin_engines();
|
||||||
|
#endif
|
||||||
|
|
||||||
|
--
|
||||||
|
2.25.4
|
||||||
|
|
@ -1,186 +0,0 @@
|
|||||||
From c2acc48854be9f8590e57a7b44b649fb8537bed4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Tue, 4 May 2021 16:14:13 +0200
|
|
||||||
Subject: [PATCH] openldap: replace ldap_ prefix on private functions
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
|
|
||||||
least) there's a symbol collision because of that.
|
|
||||||
|
|
||||||
The private functions now use the 'oldap_' prefix where it previously
|
|
||||||
used 'ldap_'.
|
|
||||||
|
|
||||||
Reported-by: 3eka on github
|
|
||||||
Fixes #7004
|
|
||||||
Closes #7005
|
|
||||||
|
|
||||||
Upstream-commit: 8bdde6b14ce3b5fd71c772a578fcbd4b6fa6df19
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/openldap.c | 67 +++++++++++++++++++++++++-------------------------
|
|
||||||
1 file changed, 34 insertions(+), 33 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/openldap.c b/lib/openldap.c
|
|
||||||
index b515554..5a32c74 100644
|
|
||||||
--- a/lib/openldap.c
|
|
||||||
+++ b/lib/openldap.c
|
|
||||||
@@ -76,16 +76,16 @@ extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url,
|
|
||||||
LDAP **ld);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-static CURLcode ldap_setup_connection(struct Curl_easy *data,
|
|
||||||
- struct connectdata *conn);
|
|
||||||
-static CURLcode ldap_do(struct Curl_easy *data, bool *done);
|
|
||||||
-static CURLcode ldap_done(struct Curl_easy *data, CURLcode, bool);
|
|
||||||
-static CURLcode ldap_connect(struct Curl_easy *data, bool *done);
|
|
||||||
-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done);
|
|
||||||
-static CURLcode ldap_disconnect(struct Curl_easy *data,
|
|
||||||
- struct connectdata *conn, bool dead);
|
|
||||||
+static CURLcode oldap_setup_connection(struct Curl_easy *data,
|
|
||||||
+ struct connectdata *conn);
|
|
||||||
+static CURLcode oldap_do(struct Curl_easy *data, bool *done);
|
|
||||||
+static CURLcode oldap_done(struct Curl_easy *data, CURLcode, bool);
|
|
||||||
+static CURLcode oldap_connect(struct Curl_easy *data, bool *done);
|
|
||||||
+static CURLcode oldap_connecting(struct Curl_easy *data, bool *done);
|
|
||||||
+static CURLcode oldap_disconnect(struct Curl_easy *data,
|
|
||||||
+ struct connectdata *conn, bool dead);
|
|
||||||
|
|
||||||
-static Curl_recv ldap_recv;
|
|
||||||
+static Curl_recv oldap_recv;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* LDAP protocol handler.
|
|
||||||
@@ -93,18 +93,18 @@ static Curl_recv ldap_recv;
|
|
||||||
|
|
||||||
const struct Curl_handler Curl_handler_ldap = {
|
|
||||||
"LDAP", /* scheme */
|
|
||||||
- ldap_setup_connection, /* setup_connection */
|
|
||||||
- ldap_do, /* do_it */
|
|
||||||
- ldap_done, /* done */
|
|
||||||
+ oldap_setup_connection, /* setup_connection */
|
|
||||||
+ oldap_do, /* do_it */
|
|
||||||
+ oldap_done, /* done */
|
|
||||||
ZERO_NULL, /* do_more */
|
|
||||||
- ldap_connect, /* connect_it */
|
|
||||||
- ldap_connecting, /* connecting */
|
|
||||||
+ oldap_connect, /* connect_it */
|
|
||||||
+ oldap_connecting, /* connecting */
|
|
||||||
ZERO_NULL, /* doing */
|
|
||||||
ZERO_NULL, /* proto_getsock */
|
|
||||||
ZERO_NULL, /* doing_getsock */
|
|
||||||
ZERO_NULL, /* domore_getsock */
|
|
||||||
ZERO_NULL, /* perform_getsock */
|
|
||||||
- ldap_disconnect, /* disconnect */
|
|
||||||
+ oldap_disconnect, /* disconnect */
|
|
||||||
ZERO_NULL, /* readwrite */
|
|
||||||
ZERO_NULL, /* connection_check */
|
|
||||||
ZERO_NULL, /* attach connection */
|
|
||||||
@@ -121,18 +121,18 @@ const struct Curl_handler Curl_handler_ldap = {
|
|
||||||
|
|
||||||
const struct Curl_handler Curl_handler_ldaps = {
|
|
||||||
"LDAPS", /* scheme */
|
|
||||||
- ldap_setup_connection, /* setup_connection */
|
|
||||||
- ldap_do, /* do_it */
|
|
||||||
- ldap_done, /* done */
|
|
||||||
+ oldap_setup_connection, /* setup_connection */
|
|
||||||
+ oldap_do, /* do_it */
|
|
||||||
+ oldap_done, /* done */
|
|
||||||
ZERO_NULL, /* do_more */
|
|
||||||
- ldap_connect, /* connect_it */
|
|
||||||
- ldap_connecting, /* connecting */
|
|
||||||
+ oldap_connect, /* connect_it */
|
|
||||||
+ oldap_connecting, /* connecting */
|
|
||||||
ZERO_NULL, /* doing */
|
|
||||||
ZERO_NULL, /* proto_getsock */
|
|
||||||
ZERO_NULL, /* doing_getsock */
|
|
||||||
ZERO_NULL, /* domore_getsock */
|
|
||||||
ZERO_NULL, /* perform_getsock */
|
|
||||||
- ldap_disconnect, /* disconnect */
|
|
||||||
+ oldap_disconnect, /* disconnect */
|
|
||||||
ZERO_NULL, /* readwrite */
|
|
||||||
ZERO_NULL, /* connection_check */
|
|
||||||
ZERO_NULL, /* attach connection */
|
|
||||||
@@ -173,8 +173,8 @@ struct ldapreqinfo {
|
|
||||||
int nument;
|
|
||||||
};
|
|
||||||
|
|
||||||
-static CURLcode ldap_setup_connection(struct Curl_easy *data,
|
|
||||||
- struct connectdata *conn)
|
|
||||||
+static CURLcode oldap_setup_connection(struct Curl_easy *data,
|
|
||||||
+ struct connectdata *conn)
|
|
||||||
{
|
|
||||||
struct ldapconninfo *li;
|
|
||||||
LDAPURLDesc *lud;
|
|
||||||
@@ -209,7 +209,7 @@ static CURLcode ldap_setup_connection(struct Curl_easy *data,
|
|
||||||
static Sockbuf_IO ldapsb_tls;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
|
|
||||||
+static CURLcode oldap_connect(struct Curl_easy *data, bool *done)
|
|
||||||
{
|
|
||||||
struct connectdata *conn = data->conn;
|
|
||||||
struct ldapconninfo *li = conn->proto.ldapc;
|
|
||||||
@@ -257,7 +257,7 @@ static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
|
|
||||||
return CURLE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
|
|
||||||
+static CURLcode oldap_connecting(struct Curl_easy *data, bool *done)
|
|
||||||
{
|
|
||||||
struct connectdata *conn = data->conn;
|
|
||||||
struct ldapconninfo *li = conn->proto.ldapc;
|
|
||||||
@@ -356,14 +356,15 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
|
|
||||||
|
|
||||||
if(info)
|
|
||||||
ldap_memfree(info);
|
|
||||||
- conn->recv[FIRSTSOCKET] = ldap_recv;
|
|
||||||
+ conn->recv[FIRSTSOCKET] = oldap_recv;
|
|
||||||
*done = TRUE;
|
|
||||||
|
|
||||||
return CURLE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static CURLcode ldap_disconnect(struct Curl_easy *data,
|
|
||||||
- struct connectdata *conn, bool dead_connection)
|
|
||||||
+static CURLcode oldap_disconnect(struct Curl_easy *data,
|
|
||||||
+ struct connectdata *conn,
|
|
||||||
+ bool dead_connection)
|
|
||||||
{
|
|
||||||
struct ldapconninfo *li = conn->proto.ldapc;
|
|
||||||
(void) dead_connection;
|
|
||||||
@@ -384,7 +385,7 @@ static CURLcode ldap_disconnect(struct Curl_easy *data,
|
|
||||||
return CURLE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static CURLcode ldap_do(struct Curl_easy *data, bool *done)
|
|
||||||
+static CURLcode oldap_do(struct Curl_easy *data, bool *done)
|
|
||||||
{
|
|
||||||
struct connectdata *conn = data->conn;
|
|
||||||
struct ldapconninfo *li = conn->proto.ldapc;
|
|
||||||
@@ -429,8 +430,8 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done)
|
|
||||||
return CURLE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static CURLcode ldap_done(struct Curl_easy *data, CURLcode res,
|
|
||||||
- bool premature)
|
|
||||||
+static CURLcode oldap_done(struct Curl_easy *data, CURLcode res,
|
|
||||||
+ bool premature)
|
|
||||||
{
|
|
||||||
struct connectdata *conn = data->conn;
|
|
||||||
struct ldapreqinfo *lr = data->req.p.ldap;
|
|
||||||
@@ -452,8 +453,8 @@ static CURLcode ldap_done(struct Curl_easy *data, CURLcode res,
|
|
||||||
return CURLE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static ssize_t ldap_recv(struct Curl_easy *data, int sockindex, char *buf,
|
|
||||||
- size_t len, CURLcode *err)
|
|
||||||
+static ssize_t oldap_recv(struct Curl_easy *data, int sockindex, char *buf,
|
|
||||||
+ size_t len, CURLcode *err)
|
|
||||||
{
|
|
||||||
struct connectdata *conn = data->conn;
|
|
||||||
struct ldapconninfo *li = conn->proto.ldapc;
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
59
SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
Normal file
59
SOURCES/0021-curl-7.61.1-CVE-2020-8177.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
From a6fcd8a32f3b1c5d80e524f8b2c1de32e6ecdb2b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Sun, 31 May 2020 23:09:59 +0200
|
||||||
|
Subject: [PATCH] tool_getparam: -i is not OK if -J is used
|
||||||
|
|
||||||
|
Reported-by: sn on hackerone
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
|
||||||
|
|
||||||
|
Upstream-commit: 8236aba58542c5f89f1d41ca09d84579efb05e22
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
src/tool_cb_hdr.c | 13 ++++---------
|
||||||
|
src/tool_getparam.c | 5 +++++
|
||||||
|
2 files changed, 9 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
|
||||||
|
index 3b10238..b80707f 100644
|
||||||
|
--- a/src/tool_cb_hdr.c
|
||||||
|
+++ b/src/tool_cb_hdr.c
|
||||||
|
@@ -132,16 +132,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
|
||||||
|
filename = parse_filename(p, len);
|
||||||
|
if(filename) {
|
||||||
|
if(outs->stream) {
|
||||||
|
- /* already opened and possibly written to */
|
||||||
|
- if(outs->fopened)
|
||||||
|
- fclose(outs->stream);
|
||||||
|
- outs->stream = NULL;
|
||||||
|
-
|
||||||
|
- /* rename the initial file name to the new file name */
|
||||||
|
- rename(outs->filename, filename);
|
||||||
|
- if(outs->alloc_filename)
|
||||||
|
- free(outs->filename);
|
||||||
|
+ /* indication of problem, get out! */
|
||||||
|
+ free(filename);
|
||||||
|
+ return failure;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
outs->is_cd_filename = TRUE;
|
||||||
|
outs->s_isreg = TRUE;
|
||||||
|
outs->fopened = FALSE;
|
||||||
|
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
|
||||||
|
index 764caa2..c5c7429 100644
|
||||||
|
--- a/src/tool_getparam.c
|
||||||
|
+++ b/src/tool_getparam.c
|
||||||
|
@@ -1745,6 +1745,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case 'i':
|
||||||
|
+ if(config->content_disposition) {
|
||||||
|
+ warnf(global,
|
||||||
|
+ "--include and --remote-header-name cannot be combined.\n");
|
||||||
|
+ return PARAM_BAD_USE;
|
||||||
|
+ }
|
||||||
|
config->show_headers = toggle; /* show the headers as well in the
|
||||||
|
general output stream */
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.21.3
|
||||||
|
|
143
SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
Normal file
143
SOURCES/0022-curl-7.61.1-CVE-2020-8231.patch
Normal file
@ -0,0 +1,143 @@
|
|||||||
|
From 7a26092a9e21f1e0dc3cad69a580a7e2c7822ad0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Sun, 16 Aug 2020 11:34:35 +0200
|
||||||
|
Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer
|
||||||
|
|
||||||
|
CVE-2020-8231
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
|
||||||
|
|
||||||
|
Reported-by: Marc Aldorasi
|
||||||
|
Closes #5824
|
||||||
|
|
||||||
|
Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/connect.c | 19 ++++++++++---------
|
||||||
|
lib/easy.c | 3 +--
|
||||||
|
lib/multi.c | 5 +++--
|
||||||
|
lib/url.c | 2 +-
|
||||||
|
lib/urldata.h | 2 +-
|
||||||
|
5 files changed, 16 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/connect.c b/lib/connect.c
|
||||||
|
index 41f2202..f724646 100644
|
||||||
|
--- a/lib/connect.c
|
||||||
|
+++ b/lib/connect.c
|
||||||
|
@@ -1214,15 +1214,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */
|
||||||
|
}
|
||||||
|
|
||||||
|
struct connfind {
|
||||||
|
- struct connectdata *tofind;
|
||||||
|
- bool found;
|
||||||
|
+ long id_tofind;
|
||||||
|
+ struct connectdata *found;
|
||||||
|
};
|
||||||
|
|
||||||
|
static int conn_is_conn(struct connectdata *conn, void *param)
|
||||||
|
{
|
||||||
|
struct connfind *f = (struct connfind *)param;
|
||||||
|
- if(conn == f->tofind) {
|
||||||
|
- f->found = TRUE;
|
||||||
|
+ if(conn->connection_id == f->id_tofind) {
|
||||||
|
+ f->found = conn;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
@@ -1244,21 +1244,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
|
||||||
|
* - that is associated with a multi handle, and whose connection
|
||||||
|
* was detached with CURLOPT_CONNECT_ONLY
|
||||||
|
*/
|
||||||
|
- if(data->state.lastconnect && (data->multi_easy || data->multi)) {
|
||||||
|
- struct connectdata *c = data->state.lastconnect;
|
||||||
|
+ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
|
||||||
|
+ struct connectdata *c;
|
||||||
|
struct connfind find;
|
||||||
|
- find.tofind = data->state.lastconnect;
|
||||||
|
- find.found = FALSE;
|
||||||
|
+ find.id_tofind = data->state.lastconnect_id;
|
||||||
|
+ find.found = NULL;
|
||||||
|
|
||||||
|
Curl_conncache_foreach(data, data->multi_easy?
|
||||||
|
&data->multi_easy->conn_cache:
|
||||||
|
&data->multi->conn_cache, &find, conn_is_conn);
|
||||||
|
|
||||||
|
if(!find.found) {
|
||||||
|
- data->state.lastconnect = NULL;
|
||||||
|
+ data->state.lastconnect_id = -1;
|
||||||
|
return CURL_SOCKET_BAD;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ c = find.found;
|
||||||
|
if(connp) {
|
||||||
|
/* only store this if the caller cares for it */
|
||||||
|
*connp = c;
|
||||||
|
diff --git a/lib/easy.c b/lib/easy.c
|
||||||
|
index 027d0be..fe61cdd 100644
|
||||||
|
--- a/lib/easy.c
|
||||||
|
+++ b/lib/easy.c
|
||||||
|
@@ -919,8 +919,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
|
||||||
|
|
||||||
|
/* the connection cache is setup on demand */
|
||||||
|
outcurl->state.conn_cache = NULL;
|
||||||
|
-
|
||||||
|
- outcurl->state.lastconnect = NULL;
|
||||||
|
+ outcurl->state.lastconnect_id = -1;
|
||||||
|
|
||||||
|
outcurl->progress.flags = data->progress.flags;
|
||||||
|
outcurl->progress.callback = data->progress.callback;
|
||||||
|
diff --git a/lib/multi.c b/lib/multi.c
|
||||||
|
index 0caf943..0f57fd5 100644
|
||||||
|
--- a/lib/multi.c
|
||||||
|
+++ b/lib/multi.c
|
||||||
|
@@ -427,6 +427,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
|
||||||
|
data->state.conn_cache = &data->share->conn_cache;
|
||||||
|
else
|
||||||
|
data->state.conn_cache = &multi->conn_cache;
|
||||||
|
+ data->state.lastconnect_id = -1;
|
||||||
|
|
||||||
|
#ifdef USE_LIBPSL
|
||||||
|
/* Do the same for PSL. */
|
||||||
|
@@ -644,11 +645,11 @@ static CURLcode multi_done(struct connectdata **connp,
|
||||||
|
/* the connection is no longer in use by this transfer */
|
||||||
|
if(Curl_conncache_return_conn(conn)) {
|
||||||
|
/* remember the most recently used connection */
|
||||||
|
- data->state.lastconnect = conn;
|
||||||
|
+ data->state.lastconnect_id = conn->connection_id;
|
||||||
|
infof(data, "%s\n", buffer);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
- data->state.lastconnect = NULL;
|
||||||
|
+ data->state.lastconnect_id = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
*connp = NULL; /* to make the caller of this function better detect that
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index dcc6cc8..d65d17d 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -592,7 +592,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
|
||||||
|
Curl_initinfo(data);
|
||||||
|
|
||||||
|
/* most recent connection is not yet defined */
|
||||||
|
- data->state.lastconnect = NULL;
|
||||||
|
+ data->state.lastconnect_id = -1;
|
||||||
|
|
||||||
|
data->progress.flags |= PGRS_HIDE;
|
||||||
|
data->state.current_speed = -1; /* init to negative == impossible */
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 67db3b2..4b70cc5 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -1219,7 +1219,7 @@ struct UrlState {
|
||||||
|
/* buffers to store authentication data in, as parsed from input options */
|
||||||
|
struct curltime keeps_speed; /* for the progress meter really */
|
||||||
|
|
||||||
|
- struct connectdata *lastconnect; /* The last connection, NULL if undefined */
|
||||||
|
+ long lastconnect_id; /* The last connection, -1 if undefined */
|
||||||
|
|
||||||
|
char *headerbuff; /* allocated buffer to store headers in */
|
||||||
|
size_t headersize; /* size of the allocation */
|
||||||
|
--
|
||||||
|
2.25.4
|
||||||
|
|
@ -1,251 +0,0 @@
|
|||||||
From 08a53016db649bdf4f65c42a9704d35e052be7eb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Thu, 15 Sep 2022 09:22:45 +0200
|
|
||||||
Subject: [PATCH 1/2] setopt: when POST is set, reset the 'upload' field
|
|
||||||
|
|
||||||
Reported-by: RobBotic1 on github
|
|
||||||
Fixes #9507
|
|
||||||
Closes #9511
|
|
||||||
|
|
||||||
Upstream-commit: a64e3e59938abd7d667e4470a18072a24d7e9de9
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/setopt.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
|
||||||
index d5e3b50..b8793b4 100644
|
|
||||||
--- a/lib/setopt.c
|
|
||||||
+++ b/lib/setopt.c
|
|
||||||
@@ -628,6 +628,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
|
||||||
}
|
|
||||||
else
|
|
||||||
data->set.method = HTTPREQ_GET;
|
|
||||||
+ data->set.upload = FALSE;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case CURLOPT_HTTPPOST:
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From a5e36349807b98d31a16bd220f6434289465e16a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Thu, 15 Sep 2022 09:23:33 +0200
|
|
||||||
Subject: [PATCH 2/2] test1948: verify PUT + POST reusing the same handle
|
|
||||||
|
|
||||||
Reproduced #9507, verifies the fix
|
|
||||||
|
|
||||||
Upstream-commit: 1edb15925e350be3b891f8a8de86600b22c0bb20
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
tests/data/Makefile.inc | 1 +
|
|
||||||
tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++
|
|
||||||
tests/libtest/Makefile.inc | 5 +++
|
|
||||||
tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++
|
|
||||||
4 files changed, 158 insertions(+)
|
|
||||||
create mode 100644 tests/data/test1948
|
|
||||||
create mode 100644 tests/libtest/lib1948.c
|
|
||||||
|
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
||||||
index 818ee08..0cfab9b 100644
|
|
||||||
--- a/tests/data/Makefile.inc
|
|
||||||
+++ b/tests/data/Makefile.inc
|
|
||||||
@@ -217,6 +217,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \
|
|
||||||
test1916 test1917 test1918 \
|
|
||||||
\
|
|
||||||
test1933 test1934 test1935 test1936 \
|
|
||||||
+test1948 \
|
|
||||||
\
|
|
||||||
test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \
|
|
||||||
test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \
|
|
||||||
diff --git a/tests/data/test1948 b/tests/data/test1948
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..639523d
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test1948
|
|
||||||
@@ -0,0 +1,73 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+HTTP POST
|
|
||||||
+HTTP PUT
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+<data>
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Date: Thu, 01 Nov 2001 14:49:00 GMT
|
|
||||||
+Content-Type: text/html
|
|
||||||
+Content-Length: 6
|
|
||||||
+
|
|
||||||
+hello
|
|
||||||
+</data>
|
|
||||||
+<datacheck>
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Date: Thu, 01 Nov 2001 14:49:00 GMT
|
|
||||||
+Content-Type: text/html
|
|
||||||
+Content-Length: 6
|
|
||||||
+
|
|
||||||
+hello
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Date: Thu, 01 Nov 2001 14:49:00 GMT
|
|
||||||
+Content-Type: text/html
|
|
||||||
+Content-Length: 6
|
|
||||||
+
|
|
||||||
+hello
|
|
||||||
+</datacheck>
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+</server>
|
|
||||||
+
|
|
||||||
+<name>
|
|
||||||
+CURLOPT_POST after CURLOPT_UPLOAD reusing handle
|
|
||||||
+</name>
|
|
||||||
+<tool>
|
|
||||||
+lib%TESTNUMBER
|
|
||||||
+</tool>
|
|
||||||
+
|
|
||||||
+<command>
|
|
||||||
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
|
|
||||||
+</command>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<protocol>
|
|
||||||
+PUT /%TESTNUMBER HTTP/1.1
|
|
||||||
+Host: %HOSTIP:%HTTPPORT
|
|
||||||
+Accept: */*
|
|
||||||
+Content-Length: 22
|
|
||||||
+Expect: 100-continue
|
|
||||||
+
|
|
||||||
+This is test PUT data
|
|
||||||
+POST /1948 HTTP/1.1
|
|
||||||
+Host: %HOSTIP:%HTTPPORT
|
|
||||||
+Accept: */*
|
|
||||||
+Content-Length: 22
|
|
||||||
+Content-Type: application/x-www-form-urlencoded
|
|
||||||
+
|
|
||||||
+This is test PUT data
|
|
||||||
+</protocol>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
|
||||||
index 83a8af4..3192eca 100644
|
|
||||||
--- a/tests/libtest/Makefile.inc
|
|
||||||
+++ b/tests/libtest/Makefile.inc
|
|
||||||
@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
|
|
||||||
lib1591 lib1592 lib1593 lib1594 lib1596 \
|
|
||||||
lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
|
|
||||||
lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \
|
|
||||||
+ lib1948 \
|
|
||||||
lib3010
|
|
||||||
|
|
||||||
chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \
|
|
||||||
@@ -690,6 +691,10 @@ lib1936_SOURCES = lib1936.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
|
||||||
lib1936_LDADD = $(TESTUTIL_LIBS)
|
|
||||||
lib1936_CPPFLAGS = $(AM_CPPFLAGS)
|
|
||||||
|
|
||||||
+lib1948_SOURCES = lib1948.c $(SUPPORTFILES)
|
|
||||||
+lib1948_LDADD = $(TESTUTIL_LIBS)
|
|
||||||
+lib1948_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1948
|
|
||||||
+
|
|
||||||
lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
|
||||||
lib3010_LDADD = $(TESTUTIL_LIBS)
|
|
||||||
lib3010_CPPFLAGS = $(AM_CPPFLAGS)
|
|
||||||
diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..7c891a2
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/libtest/lib1948.c
|
|
||||||
@@ -0,0 +1,79 @@
|
|
||||||
+/***************************************************************************
|
|
||||||
+ * _ _ ____ _
|
|
||||||
+ * Project ___| | | | _ \| |
|
|
||||||
+ * / __| | | | |_) | |
|
|
||||||
+ * | (__| |_| | _ <| |___
|
|
||||||
+ * \___|\___/|_| \_\_____|
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ *
|
|
||||||
+ * This software is licensed as described in the file COPYING, which
|
|
||||||
+ * you should have received as part of this distribution. The terms
|
|
||||||
+ * are also available at https://curl.haxx.se/docs/copyright.html.
|
|
||||||
+ *
|
|
||||||
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
||||||
+ * copies of the Software, and permit persons to whom the Software is
|
|
||||||
+ * furnished to do so, under the terms of the COPYING file.
|
|
||||||
+ *
|
|
||||||
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
||||||
+ * KIND, either express or implied.
|
|
||||||
+ *
|
|
||||||
+ * SPDX-License-Identifier: curl
|
|
||||||
+ *
|
|
||||||
+ ***************************************************************************/
|
|
||||||
+
|
|
||||||
+#include "test.h"
|
|
||||||
+
|
|
||||||
+typedef struct
|
|
||||||
+{
|
|
||||||
+ char *buf;
|
|
||||||
+ size_t len;
|
|
||||||
+} put_buffer;
|
|
||||||
+
|
|
||||||
+static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream)
|
|
||||||
+{
|
|
||||||
+ put_buffer *putdata = (put_buffer *)stream;
|
|
||||||
+ size_t totalsize = size * nmemb;
|
|
||||||
+ size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize;
|
|
||||||
+ memcpy(ptr, putdata->buf, tocopy);
|
|
||||||
+ putdata->len -= tocopy;
|
|
||||||
+ putdata->buf += tocopy;
|
|
||||||
+ return tocopy;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int test(char *URL)
|
|
||||||
+{
|
|
||||||
+ CURL *curl;
|
|
||||||
+ CURLcode res = CURLE_OUT_OF_MEMORY;
|
|
||||||
+
|
|
||||||
+ curl_global_init(CURL_GLOBAL_DEFAULT);
|
|
||||||
+
|
|
||||||
+ curl = curl_easy_init();
|
|
||||||
+ if(curl) {
|
|
||||||
+ const char *testput = "This is test PUT data\n";
|
|
||||||
+ put_buffer pbuf;
|
|
||||||
+
|
|
||||||
+ /* PUT */
|
|
||||||
+ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
|
|
||||||
+ curl_easy_setopt(curl, CURLOPT_HEADER, 1L);
|
|
||||||
+ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback);
|
|
||||||
+ pbuf.buf = (char *)testput;
|
|
||||||
+ pbuf.len = strlen(testput);
|
|
||||||
+ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf);
|
|
||||||
+ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput));
|
|
||||||
+ res = curl_easy_setopt(curl, CURLOPT_URL, URL);
|
|
||||||
+ if(!res)
|
|
||||||
+ res = curl_easy_perform(curl);
|
|
||||||
+ if(!res) {
|
|
||||||
+ /* POST */
|
|
||||||
+ curl_easy_setopt(curl, CURLOPT_POST, 1L);
|
|
||||||
+ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput);
|
|
||||||
+ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput));
|
|
||||||
+ res = curl_easy_perform(curl);
|
|
||||||
+ }
|
|
||||||
+ curl_easy_cleanup(curl);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ curl_global_cleanup();
|
|
||||||
+ return (int)res;
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
60
SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
Normal file
60
SOURCES/0023-curl-7.61.1-no-https-proxy-crash.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From 9d5903ebcbcbcc4f3a997ec7d5552721c5383b9f Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Martin=20Ba=C5=A1ti?= <mbasti@redhat.com>
|
||||||
|
Date: Thu, 27 Aug 2020 23:09:56 +0200
|
||||||
|
Subject: [PATCH] http_proxy: do not crash with HTTPS_PROXY and NO_PROXY set
|
||||||
|
|
||||||
|
... in case NO_PROXY takes an effect
|
||||||
|
|
||||||
|
Without this patch, the following command crashes:
|
||||||
|
|
||||||
|
$ GIT_CURL_VERBOSE=1 NO_PROXY=github.com HTTPS_PROXY=https://example.com \
|
||||||
|
git clone https://github.com/curl/curl.git
|
||||||
|
|
||||||
|
Minimal libcurl-based reproducer:
|
||||||
|
|
||||||
|
#include <curl/curl.h>
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
CURL *curl = curl_easy_init();
|
||||||
|
if(curl) {
|
||||||
|
CURLcode ret;
|
||||||
|
curl_easy_setopt(curl, CURLOPT_URL, "https://github.com/");
|
||||||
|
curl_easy_setopt(curl, CURLOPT_PROXY, "example.com");
|
||||||
|
/* set the proxy type */
|
||||||
|
curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
|
||||||
|
curl_easy_setopt(curl, CURLOPT_NOPROXY, "github.com");
|
||||||
|
curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
|
||||||
|
ret = curl_easy_perform(curl);
|
||||||
|
curl_easy_cleanup(curl);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
Assisted-by: Kamil Dudka
|
||||||
|
Bug: https://bugzilla.redhat.com/1873327
|
||||||
|
Closes #5902
|
||||||
|
|
||||||
|
Upstream-commit: 3eff1c5092e542819ac7e6454a70c94b36ab2a40
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index d65d17d..e77f391 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -3074,6 +3074,9 @@ static CURLcode create_conn_helper_init_proxy(struct connectdata *conn)
|
||||||
|
conn->bits.socksproxy = FALSE;
|
||||||
|
conn->bits.proxy_user_passwd = FALSE;
|
||||||
|
conn->bits.tunnel_proxy = FALSE;
|
||||||
|
+ /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
|
||||||
|
+ to signal that CURLPROXY_HTTPS is not used for this connection */
|
||||||
|
+ conn->http_proxy.proxytype = CURLPROXY_HTTP;
|
||||||
|
}
|
||||||
|
|
||||||
|
out:
|
||||||
|
--
|
||||||
|
2.25.4
|
||||||
|
|
291
SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
Normal file
291
SOURCES/0024-curl-7.61.1-openssl-partial-chain.patch
Normal file
@ -0,0 +1,291 @@
|
|||||||
|
From 673adb0a7a21ca3a877ee03dc9e197d5be15a9d3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 2 Dec 2019 10:45:55 +0100
|
||||||
|
Subject: [PATCH 1/3] openssl: set X509_V_FLAG_PARTIAL_CHAIN
|
||||||
|
|
||||||
|
Have intermediate certificates in the trust store be treated as
|
||||||
|
trust-anchors, in the same way as self-signed root CA certificates
|
||||||
|
are. This allows users to verify servers using the intermediate cert
|
||||||
|
only, instead of needing the whole chain.
|
||||||
|
|
||||||
|
Other TLS backends already accept partial chains.
|
||||||
|
|
||||||
|
Reported-by: Jeffrey Walton
|
||||||
|
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
|
||||||
|
|
||||||
|
Upstream-commit: 94f1f771586913addf5c68f9219e176036c50115
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/openssl.c | 26 +++++++++++++++++---------
|
||||||
|
1 file changed, 17 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index d8bcc4f..8e791b9 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -2551,19 +2551,27 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||||
|
infof(data, " CRLfile: %s\n", ssl_crlfile);
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* Try building a chain using issuers in the trusted store first to avoid
|
||||||
|
- problems with server-sent legacy intermediates.
|
||||||
|
- Newer versions of OpenSSL do alternate chain checking by default which
|
||||||
|
- gives us the same fix without as much of a performance hit (slight), so we
|
||||||
|
- prefer that if available.
|
||||||
|
- https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
|
||||||
|
- */
|
||||||
|
-#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
|
||||||
|
if(verifypeer) {
|
||||||
|
+ /* Try building a chain using issuers in the trusted store first to avoid
|
||||||
|
+ problems with server-sent legacy intermediates. Newer versions of
|
||||||
|
+ OpenSSL do alternate chain checking by default which gives us the same
|
||||||
|
+ fix without as much of a performance hit (slight), so we prefer that if
|
||||||
|
+ available.
|
||||||
|
+ https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
|
||||||
|
+ */
|
||||||
|
+#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
|
||||||
|
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||||
|
X509_V_FLAG_TRUSTED_FIRST);
|
||||||
|
- }
|
||||||
|
#endif
|
||||||
|
+#ifdef X509_V_FLAG_PARTIAL_CHAIN
|
||||||
|
+ /* Have intermediate certificates in the trust store be treated as
|
||||||
|
+ trust-anchors, in the same way as self-signed root CA certificates
|
||||||
|
+ are. This allows users to verify servers using the intermediate cert
|
||||||
|
+ only, instead of needing the whole chain. */
|
||||||
|
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||||
|
+ X509_V_FLAG_PARTIAL_CHAIN);
|
||||||
|
+#endif
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* SSL always tries to verify the peer, this only says whether it should
|
||||||
|
* fail to connect if the verification fails, or if it should continue
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
||||||
|
|
||||||
|
From b2e6e39b60e1722aecf250ff79a69867df5d3aa8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 2 Dec 2019 10:55:33 +0100
|
||||||
|
Subject: [PATCH 2/3] openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial
|
||||||
|
cert chains
|
||||||
|
|
||||||
|
Closes #4655
|
||||||
|
|
||||||
|
Upstream-commit: 564d88a8bd190a21b362d6da535fccf74d33394d
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 | 40 +++++++++++++------------
|
||||||
|
docs/libcurl/symbols-in-versions | 1 +
|
||||||
|
include/curl/curl.h | 4 +++
|
||||||
|
lib/setopt.c | 1 +
|
||||||
|
lib/urldata.h | 1 +
|
||||||
|
lib/vtls/openssl.c | 14 +++++----
|
||||||
|
6 files changed, 36 insertions(+), 25 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
|
||||||
|
index d781434..6286a64 100644
|
||||||
|
--- a/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
|
||||||
|
+++ b/docs/libcurl/opts/CURLOPT_SSL_OPTIONS.3
|
||||||
|
@@ -29,25 +29,27 @@ CURLOPT_SSL_OPTIONS \- set SSL behavior options
|
||||||
|
|
||||||
|
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_OPTIONS, long bitmask);
|
||||||
|
.SH DESCRIPTION
|
||||||
|
-Pass a long with a bitmask to tell libcurl about specific SSL behaviors.
|
||||||
|
-
|
||||||
|
-\fICURLSSLOPT_ALLOW_BEAST\fP tells libcurl to not attempt to use any
|
||||||
|
-workarounds for a security flaw in the SSL3 and TLS1.0 protocols. If this
|
||||||
|
-option isn't used or this bit is set to 0, the SSL layer libcurl uses may use a
|
||||||
|
-work-around for this flaw although it might cause interoperability problems
|
||||||
|
-with some (older) SSL implementations. WARNING: avoiding this work-around
|
||||||
|
-lessens the security, and by setting this option to 1 you ask for exactly that.
|
||||||
|
-This option is only supported for DarwinSSL, NSS and OpenSSL.
|
||||||
|
-
|
||||||
|
-Added in 7.44.0:
|
||||||
|
-
|
||||||
|
-\fICURLSSLOPT_NO_REVOKE\fP tells libcurl to disable certificate revocation
|
||||||
|
-checks for those SSL backends where such behavior is present. \fBCurrently this
|
||||||
|
-option is only supported for WinSSL (the native Windows SSL library), with an
|
||||||
|
-exception in the case of Windows' Untrusted Publishers blacklist which it seems
|
||||||
|
-can't be bypassed.\fP This option may have broader support to accommodate other
|
||||||
|
-SSL backends in the future.
|
||||||
|
-https://curl.haxx.se/docs/ssl-compared.html
|
||||||
|
+Pass a long with a bitmask to tell libcurl about specific SSL
|
||||||
|
+behaviors. Available bits:
|
||||||
|
+.IP CURLSSLOPT_ALLOW_BEAST
|
||||||
|
+Tells libcurl to not attempt to use any workarounds for a security flaw in the
|
||||||
|
+SSL3 and TLS1.0 protocols. If this option isn't used or this bit is set to 0,
|
||||||
|
+the SSL layer libcurl uses may use a work-around for this flaw although it
|
||||||
|
+might cause interoperability problems with some (older) SSL
|
||||||
|
+implementations. WARNING: avoiding this work-around lessens the security, and
|
||||||
|
+by setting this option to 1 you ask for exactly that. This option is only
|
||||||
|
+supported for DarwinSSL, NSS and OpenSSL.
|
||||||
|
+.IP CURLSSLOPT_NO_REVOKE
|
||||||
|
+Tells libcurl to disable certificate revocation checks for those SSL backends
|
||||||
|
+where such behavior is present. This option is only supported for Schannel
|
||||||
|
+(the native Windows SSL library), with an exception in the case of Windows'
|
||||||
|
+Untrusted Publishers blacklist which it seems can't be bypassed. (Added in
|
||||||
|
+7.44.0)
|
||||||
|
+.IP CURLSSLOPT_NO_PARTIALCHAIN
|
||||||
|
+Tells libcurl to not accept "partial" certificate chains, which it otherwise
|
||||||
|
+does by default. This option is only supported for OpenSSL and will fail the
|
||||||
|
+certificate verification if the chain ends with an intermediate certificate
|
||||||
|
+and not with a root cert. (Added in 7.68.0)
|
||||||
|
.SH DEFAULT
|
||||||
|
0
|
||||||
|
.SH PROTOCOLS
|
||||||
|
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
|
||||||
|
index 3b3861f..54923d0 100644
|
||||||
|
--- a/docs/libcurl/symbols-in-versions
|
||||||
|
+++ b/docs/libcurl/symbols-in-versions
|
||||||
|
@@ -713,6 +713,7 @@ CURLSSLBACKEND_QSOSSL 7.34.0 - 7.38.1
|
||||||
|
CURLSSLBACKEND_SCHANNEL 7.34.0
|
||||||
|
CURLSSLBACKEND_WOLFSSL 7.49.0
|
||||||
|
CURLSSLOPT_ALLOW_BEAST 7.25.0
|
||||||
|
+CURLSSLOPT_NO_PARTIALCHAIN 7.68.0
|
||||||
|
CURLSSLOPT_NO_REVOKE 7.44.0
|
||||||
|
CURLSSLSET_NO_BACKENDS 7.56.0
|
||||||
|
CURLSSLSET_OK 7.56.0
|
||||||
|
diff --git a/include/curl/curl.h b/include/curl/curl.h
|
||||||
|
index 8f473e2..75f9384 100644
|
||||||
|
--- a/include/curl/curl.h
|
||||||
|
+++ b/include/curl/curl.h
|
||||||
|
@@ -795,6 +795,10 @@ typedef enum {
|
||||||
|
SSL backends where such behavior is present. */
|
||||||
|
#define CURLSSLOPT_NO_REVOKE (1<<1)
|
||||||
|
|
||||||
|
+/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain
|
||||||
|
+ if possible. The OpenSSL backend has this ability. */
|
||||||
|
+#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2)
|
||||||
|
+
|
||||||
|
/* The default connection attempt delay in milliseconds for happy eyeballs.
|
||||||
|
CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document
|
||||||
|
this value, keep them in sync. */
|
||||||
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
|
index 5c5f4b3..4f04962 100644
|
||||||
|
--- a/lib/setopt.c
|
||||||
|
+++ b/lib/setopt.c
|
||||||
|
@@ -2046,6 +2046,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
arg = va_arg(param, long);
|
||||||
|
data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
|
||||||
|
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||||
|
+ data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case CURLOPT_PROXY_SSL_OPTIONS:
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 4b70cc5..c70290a 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -235,6 +235,7 @@ struct ssl_config_data {
|
||||||
|
bool enable_beast; /* especially allow this flaw for interoperability's
|
||||||
|
sake*/
|
||||||
|
bool no_revoke; /* disable SSL certificate revocation checks */
|
||||||
|
+ bool no_partialchain; /* don't accept partial certificate chains */
|
||||||
|
long certverifyresult; /* result from the certificate verification */
|
||||||
|
char *CRLfile; /* CRL to check certificate revocation */
|
||||||
|
char *issuercert;/* optional issuer certificate filename */
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 8e791b9..87f6c4c 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -2564,12 +2564,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||||
|
X509_V_FLAG_TRUSTED_FIRST);
|
||||||
|
#endif
|
||||||
|
#ifdef X509_V_FLAG_PARTIAL_CHAIN
|
||||||
|
- /* Have intermediate certificates in the trust store be treated as
|
||||||
|
- trust-anchors, in the same way as self-signed root CA certificates
|
||||||
|
- are. This allows users to verify servers using the intermediate cert
|
||||||
|
- only, instead of needing the whole chain. */
|
||||||
|
- X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||||
|
- X509_V_FLAG_PARTIAL_CHAIN);
|
||||||
|
+ if(!SSL_SET_OPTION(no_partialchain)) {
|
||||||
|
+ /* Have intermediate certificates in the trust store be treated as
|
||||||
|
+ trust-anchors, in the same way as self-signed root CA certificates
|
||||||
|
+ are. This allows users to verify servers using the intermediate cert
|
||||||
|
+ only, instead of needing the whole chain. */
|
||||||
|
+ X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||||
|
+ X509_V_FLAG_PARTIAL_CHAIN);
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
||||||
|
|
||||||
|
From d149ba12f302e5275b408d82ffb349eac16b9226 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 11 May 2020 23:00:31 +0200
|
||||||
|
Subject: [PATCH 3/3] OpenSSL: have CURLOPT_CRLFILE imply
|
||||||
|
CURLSSLOPT_NO_PARTIALCHAIN
|
||||||
|
|
||||||
|
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.
|
||||||
|
|
||||||
|
Reported-by: Michael Kaufmann
|
||||||
|
Fixes #5374
|
||||||
|
Closes #5376
|
||||||
|
|
||||||
|
Upstream-commit: 81a54b12c631e8126e3eb484c74040b991e78f0c
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
docs/libcurl/opts/CURLOPT_CRLFILE.3 | 13 ++++++++-----
|
||||||
|
lib/vtls/openssl.c | 8 ++++++--
|
||||||
|
2 files changed, 14 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/libcurl/opts/CURLOPT_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_CRLFILE.3
|
||||||
|
index 080caa7..f111585 100644
|
||||||
|
--- a/docs/libcurl/opts/CURLOPT_CRLFILE.3
|
||||||
|
+++ b/docs/libcurl/opts/CURLOPT_CRLFILE.3
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
.\" * | (__| |_| | _ <| |___
|
||||||
|
.\" * \___|\___/|_| \_\_____|
|
||||||
|
.\" *
|
||||||
|
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
.\" *
|
||||||
|
.\" * This software is licensed as described in the file COPYING, which
|
||||||
|
.\" * you should have received as part of this distribution. The terms
|
||||||
|
@@ -34,10 +34,13 @@ concatenation of CRL (in PEM format) to use in the certificate validation that
|
||||||
|
occurs during the SSL exchange.
|
||||||
|
|
||||||
|
When curl is built to use NSS or GnuTLS, there is no way to influence the use
|
||||||
|
-of CRL passed to help in the verification process. When libcurl is built with
|
||||||
|
-OpenSSL support, X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL are both
|
||||||
|
-set, requiring CRL check against all the elements of the certificate chain if
|
||||||
|
-a CRL file is passed.
|
||||||
|
+of CRL passed to help in the verification process.
|
||||||
|
+
|
||||||
|
+When libcurl is built with OpenSSL support, X509_V_FLAG_CRL_CHECK and
|
||||||
|
+X509_V_FLAG_CRL_CHECK_ALL are both set, requiring CRL check against all the
|
||||||
|
+elements of the certificate chain if a CRL file is passed. Also note that
|
||||||
|
+\fICURLOPT_CRLFILE(3)\fP will imply \fBCURLSSLOPT_NO_PARTIALCHAIN\fP (see
|
||||||
|
+\fICURLOPT_SSL_OPTIONS(3)\fP) since curl 7.71.0 due to an OpenSSL bug.
|
||||||
|
|
||||||
|
This option makes sense only when used in combination with the
|
||||||
|
\fICURLOPT_SSL_VERIFYPEER(3)\fP option.
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 87f6c4c..9476773 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -2564,11 +2564,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||||
|
X509_V_FLAG_TRUSTED_FIRST);
|
||||||
|
#endif
|
||||||
|
#ifdef X509_V_FLAG_PARTIAL_CHAIN
|
||||||
|
- if(!SSL_SET_OPTION(no_partialchain)) {
|
||||||
|
+ if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
|
||||||
|
/* Have intermediate certificates in the trust store be treated as
|
||||||
|
trust-anchors, in the same way as self-signed root CA certificates
|
||||||
|
are. This allows users to verify servers using the intermediate cert
|
||||||
|
- only, instead of needing the whole chain. */
|
||||||
|
+ only, instead of needing the whole chain.
|
||||||
|
+
|
||||||
|
+ Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
|
||||||
|
+ cannot do partial chains with CRL check.
|
||||||
|
+ */
|
||||||
|
X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
|
||||||
|
X509_V_FLAG_PARTIAL_CHAIN);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -1,678 +0,0 @@
|
|||||||
From 95f873ff983a1ae57415b3c16a881e74432cf8b8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Fabian Keil <fk@fabiankeil.de>
|
|
||||||
Date: Tue, 9 Feb 2021 14:04:32 +0100
|
|
||||||
Subject: [PATCH 1/4] runtests.pl: support the nonewline attribute for the data
|
|
||||||
part
|
|
||||||
|
|
||||||
Added to FILEFORMAT
|
|
||||||
|
|
||||||
Closes #8239
|
|
||||||
|
|
||||||
Upstream-commit: 736847611a40c01e7c290407e22e2f0f5f8efd6a
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
tests/FILEFORMAT.md | 5 ++++-
|
|
||||||
tests/runtests.pl | 7 +++++++
|
|
||||||
tests/server/getpart.c | 11 ++++++++++-
|
|
||||||
3 files changed, 21 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
|
|
||||||
index b75a02a..0b98787 100644
|
|
||||||
--- a/tests/FILEFORMAT.md
|
|
||||||
+++ b/tests/FILEFORMAT.md
|
|
||||||
@@ -185,7 +185,7 @@ which are treated together as a single identifier.
|
|
||||||
|
|
||||||
## `<reply>`
|
|
||||||
|
|
||||||
-### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"]>`
|
|
||||||
+### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"]>`
|
|
||||||
|
|
||||||
data to be sent to the client on its request and later verified that it
|
|
||||||
arrived safely. Set `nocheck="yes"` to prevent the test script from verifying
|
|
||||||
@@ -211,6 +211,9 @@ much sense for other sections than "data").
|
|
||||||
`hex=yes` means that the data is a sequence of hex pairs. It will get decoded
|
|
||||||
and used as "raw" data.
|
|
||||||
|
|
||||||
+`nonewline=yes` means that the last byte (the trailing newline character)
|
|
||||||
+should be cut off from the data before sending or comparing it.
|
|
||||||
+
|
|
||||||
For FTP file listings, the `<data>` section will be used *only* if you make
|
|
||||||
sure that there has been a CWD done first to a directory named `test-[num]`
|
|
||||||
where [num] is the test case number. Otherwise the ftp server can't know from
|
|
||||||
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
|
||||||
index 40315aa..2e1500d 100755
|
|
||||||
--- a/tests/runtests.pl
|
|
||||||
+++ b/tests/runtests.pl
|
|
||||||
@@ -3837,6 +3837,13 @@ sub singletest {
|
|
||||||
else {
|
|
||||||
# check against the data section
|
|
||||||
@reply = getpart("reply", "data");
|
|
||||||
+ if(@reply) {
|
|
||||||
+ my %hash = getpartattr("reply", "data");
|
|
||||||
+ if($hash{'nonewline'}) {
|
|
||||||
+ # cut off the final newline from the final line of the data
|
|
||||||
+ chomp($reply[$#reply]);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
# get the mode attribute
|
|
||||||
my $filemode=$replyattr{'mode'};
|
|
||||||
if($filemode && ($filemode eq "text") && $has_textaware) {
|
|
||||||
diff --git a/tests/server/getpart.c b/tests/server/getpart.c
|
|
||||||
index 32b55bc..f8fe3f6 100644
|
|
||||||
--- a/tests/server/getpart.c
|
|
||||||
+++ b/tests/server/getpart.c
|
|
||||||
@@ -5,7 +5,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -295,6 +295,7 @@ int getpart(char **outbuf, size_t *outlen,
|
|
||||||
size_t outalloc = 256;
|
|
||||||
int in_wanted_part = 0;
|
|
||||||
int base64 = 0;
|
|
||||||
+ int nonewline = 0;
|
|
||||||
int error;
|
|
||||||
|
|
||||||
enum {
|
|
||||||
@@ -360,6 +361,8 @@ int getpart(char **outbuf, size_t *outlen,
|
|
||||||
if(error)
|
|
||||||
return error;
|
|
||||||
}
|
|
||||||
+ if(nonewline)
|
|
||||||
+ (*outlen)--;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -377,6 +380,8 @@ int getpart(char **outbuf, size_t *outlen,
|
|
||||||
if(error)
|
|
||||||
return error;
|
|
||||||
}
|
|
||||||
+ if(nonewline)
|
|
||||||
+ (*outlen)--;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -451,6 +456,10 @@ int getpart(char **outbuf, size_t *outlen,
|
|
||||||
/* bit rough test, but "mostly" functional, */
|
|
||||||
/* treat wanted part data as base64 encoded */
|
|
||||||
base64 = 1;
|
|
||||||
+ if(strstr(patt, "nonewline=")) {
|
|
||||||
+ show(("* setting nonewline\n"));
|
|
||||||
+ nonewline = 1;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
|
|
||||||
From 6e244e1bcb04012e11c537253e76e6f968d8bb72 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Thu, 1 Dec 2022 09:21:04 +0100
|
|
||||||
Subject: [PATCH 2/4] runtests: do CRLF replacements per section only
|
|
||||||
|
|
||||||
The `crlf="yes"` attribute and "hyper mode" are now only applied on a
|
|
||||||
subset of dedicated sections: data, datacheck, stdout and protocol.
|
|
||||||
|
|
||||||
Updated test 2500 accordingly.
|
|
||||||
|
|
||||||
Also made test1 use crlf="yes" for <protocol>, mostly because it is
|
|
||||||
often used as a template test case. Going forward, using this attribute
|
|
||||||
we should be able to write test cases using linefeeds only and avoid
|
|
||||||
mixed line ending encodings.
|
|
||||||
|
|
||||||
Follow-up to ca15b7512e8d11
|
|
||||||
|
|
||||||
Fixes #10009
|
|
||||||
Closes #10010
|
|
||||||
|
|
||||||
Upstream-commit: 2f34a7347f315513bfda9ef14770d287fb246bcd
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
tests/FILEFORMAT.md | 22 +++++++++++++++------
|
|
||||||
tests/data/test1 | 14 ++++++-------
|
|
||||||
tests/runtests.pl | 48 ++++++++++++++++++++++++++++++++++++++++++---
|
|
||||||
3 files changed, 68 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
|
|
||||||
index c1fbc57..dcb5695 100644
|
|
||||||
--- a/tests/FILEFORMAT.md
|
|
||||||
+++ b/tests/FILEFORMAT.md
|
|
||||||
@@ -185,7 +185,7 @@ which are treated together as a single identifier.
|
|
||||||
|
|
||||||
## `<reply>`
|
|
||||||
|
|
||||||
-### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"]>`
|
|
||||||
+### `<data [nocheck="yes"] [sendzero="yes"] [base64="yes"] [hex="yes"] [nonewline="yes"] [crlf="yes"]>`
|
|
||||||
|
|
||||||
data to be sent to the client on its request and later verified that it
|
|
||||||
arrived safely. Set `nocheck="yes"` to prevent the test script from verifying
|
|
||||||
@@ -214,12 +214,16 @@ and used as "raw" data.
|
|
||||||
`nonewline=yes` means that the last byte (the trailing newline character)
|
|
||||||
should be cut off from the data before sending or comparing it.
|
|
||||||
|
|
||||||
+`crlf=yes` forces *header* newlines to become CRLF even if not written so in
|
|
||||||
+the source file. Note that this makes runtests.pl parse and "guess" what is a
|
|
||||||
+header and what is not in order to apply the CRLF line endings appropriately.
|
|
||||||
+
|
|
||||||
For FTP file listings, the `<data>` section will be used *only* if you make
|
|
||||||
sure that there has been a CWD done first to a directory named `test-[num]`
|
|
||||||
where [num] is the test case number. Otherwise the ftp server can't know from
|
|
||||||
which test file to load the list content.
|
|
||||||
|
|
||||||
-### `<dataNUM>`
|
|
||||||
+### `<dataNUM [crlf="yes"]>`
|
|
||||||
|
|
||||||
Send back this contents instead of the <data> one. The num is set by:
|
|
||||||
|
|
||||||
@@ -243,7 +247,7 @@ The connect section is used instead of the 'data' for all CONNECT
|
|
||||||
requests. The remainder of the rules for the data section then apply but with
|
|
||||||
a connect prefix.
|
|
||||||
|
|
||||||
-### `<datacheck [mode="text"] [nonewline="yes"]>`
|
|
||||||
+### `<datacheck [mode="text"] [nonewline="yes"] [crlf="yes"]>`
|
|
||||||
if the data is sent but this is what should be checked afterwards. If
|
|
||||||
`nonewline=yes` is set, runtests will cut off the trailing newline from the
|
|
||||||
data before comparing with the one actually received by the client.
|
|
||||||
@@ -251,7 +255,7 @@ data before comparing with the one actually received by the client.
|
|
||||||
Use the `mode="text"` attribute if the output is in text mode on platforms
|
|
||||||
that have a text/binary difference.
|
|
||||||
|
|
||||||
-### `<datacheckNUM [nonewline="yes"] [mode="text"]>`
|
|
||||||
+### `<datacheckNUM [nonewline="yes"] [mode="text"] [crlf="yes"]>`
|
|
||||||
The contents of numbered datacheck sections are appended to the non-numbered
|
|
||||||
one.
|
|
||||||
|
|
||||||
@@ -528,13 +532,16 @@ changing protocol data such as port numbers or user-agent strings.
|
|
||||||
One perl op per line that operates on the protocol dump. This is pretty
|
|
||||||
advanced. Example: `s/^EPRT .*/EPRT stripped/`.
|
|
||||||
|
|
||||||
-### `<protocol [nonewline="yes"]>`
|
|
||||||
+### `<protocol [nonewline="yes"] crlf="yes">`
|
|
||||||
|
|
||||||
the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
|
|
||||||
the trailing newline of this given data before comparing with the one actually
|
|
||||||
sent by the client The `<strip>` and `<strippart>` rules are applied before
|
|
||||||
comparisons are made.
|
|
||||||
|
|
||||||
+`crlf=yes` forces the newlines to become CRLF even if not written so in the
|
|
||||||
+test.
|
|
||||||
+
|
|
||||||
### `<proxy [nonewline="yes"]>`
|
|
||||||
|
|
||||||
The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
|
|
||||||
@@ -551,7 +558,7 @@ have a text/binary difference.
|
|
||||||
If 'nonewline' is set, we will cut off the trailing newline of this given data
|
|
||||||
before comparing with the one actually received by the client
|
|
||||||
|
|
||||||
-### `<stdout [mode="text"] [nonewline="yes"]>`
|
|
||||||
+### `<stdout [mode="text"] [nonewline="yes"] [crlf="yes"]>`
|
|
||||||
This verifies that this data was passed to stdout.
|
|
||||||
|
|
||||||
Use the mode="text" attribute if the output is in text mode on platforms that
|
|
||||||
@@ -560,6 +567,9 @@ have a text/binary difference.
|
|
||||||
If 'nonewline' is set, we will cut off the trailing newline of this given data
|
|
||||||
before comparing with the one actually received by the client
|
|
||||||
|
|
||||||
+`crlf=yes` forces the newlines to become CRLF even if not written so in the
|
|
||||||
+test.
|
|
||||||
+
|
|
||||||
### `<file name="log/filename" [mode="text"]>`
|
|
||||||
The file's contents must be identical to this after the test is complete. Use
|
|
||||||
the mode="text" attribute if the output is in text mode on platforms that have
|
|
||||||
diff --git a/tests/data/test1 b/tests/data/test1
|
|
||||||
index f39a08b..700bed8 100644
|
|
||||||
--- a/tests/data/test1
|
|
||||||
+++ b/tests/data/test1
|
|
||||||
@@ -9,7 +9,7 @@ HTTP GET
|
|
||||||
#
|
|
||||||
# Server-side
|
|
||||||
<reply>
|
|
||||||
-<data>
|
|
||||||
+<data crlf="yes">
|
|
||||||
HTTP/1.1 200 OK
|
|
||||||
Date: Tue, 09 Nov 2010 14:49:00 GMT
|
|
||||||
Server: test-server/fake
|
|
||||||
@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER
|
|
||||||
#
|
|
||||||
# Verify data after the test has been "shot"
|
|
||||||
<verify>
|
|
||||||
-<protocol>
|
|
||||||
-GET /%TESTNUMBER HTTP/1.1
|
|
||||||
-Host: %HOSTIP:%HTTPPORT
|
|
||||||
-User-Agent: curl/%VERSION
|
|
||||||
-Accept: */*
|
|
||||||
-
|
|
||||||
+<protocol crlf="yes">
|
|
||||||
+GET /%TESTNUMBER HTTP/1.1
|
|
||||||
+Host: %HOSTIP:%HTTPPORT
|
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
|
||||||
+
|
|
||||||
</protocol>
|
|
||||||
</verify>
|
|
||||||
</testcase>
|
|
||||||
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
|
||||||
index 72a9989..b12a42d 100755
|
|
||||||
--- a/tests/runtests.pl
|
|
||||||
+++ b/tests/runtests.pl
|
|
||||||
@@ -3410,7 +3410,13 @@ sub subBase64 {
|
|
||||||
|
|
||||||
my $prevupdate;
|
|
||||||
sub subNewlines {
|
|
||||||
- my ($thing) = @_;
|
|
||||||
+ my ($force, $thing) = @_;
|
|
||||||
+
|
|
||||||
+ if($force) {
|
|
||||||
+ # enforce CRLF newline
|
|
||||||
+ $$thing =~ s/\x0d*\x0a/\x0d\x0a/;
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
# When curl is built with Hyper, it gets all response headers delivered as
|
|
||||||
# name/value pairs and curl "invents" the newlines when it saves the
|
|
||||||
@@ -3424,7 +3430,7 @@ sub subNewlines {
|
|
||||||
# skip curl error messages
|
|
||||||
($$thing !~ /^curl: \(\d+\) /))) {
|
|
||||||
# enforce CRLF newline
|
|
||||||
- $$thing =~ s/\x0a/\x0d\x0a/;
|
|
||||||
+ $$thing =~ s/\x0d*\x0a/\x0d\x0a/;
|
|
||||||
$prevupdate = 1;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
@@ -3496,6 +3502,7 @@ sub prepro {
|
|
||||||
my (@entiretest) = @_;
|
|
||||||
my $show = 1;
|
|
||||||
my @out;
|
|
||||||
+ my $data_crlf;
|
|
||||||
for my $s (@entiretest) {
|
|
||||||
my $f = $s;
|
|
||||||
if($s =~ /^ *%if (.*)/) {
|
|
||||||
@@ -3519,9 +3526,19 @@ sub prepro {
|
|
||||||
next;
|
|
||||||
}
|
|
||||||
if($show) {
|
|
||||||
+ # The processor does CRLF replacements in the <data*> sections if
|
|
||||||
+ # necessary since those parts might be read by separate servers.
|
|
||||||
+ if($s =~ /^ *<data(.*)\>/) {
|
|
||||||
+ if($1 =~ /crlf="yes"/ || $has_hyper) {
|
|
||||||
+ $data_crlf = 1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ elsif(($s =~ /^ *<\/data/) && $data_crlf) {
|
|
||||||
+ $data_crlf = 0;
|
|
||||||
+ }
|
|
||||||
subVariables(\$s, $testnum, "%");
|
|
||||||
subBase64(\$s);
|
|
||||||
- subNewlines(\$s) if($has_hyper);
|
|
||||||
+ subNewlines(0, \$s) if($data_crlf);
|
|
||||||
push @out, $s;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -3830,6 +3847,11 @@ sub singletest {
|
|
||||||
# of the datacheck
|
|
||||||
chomp($replycheckpart[$#replycheckpart]);
|
|
||||||
}
|
|
||||||
+ if($replycheckpartattr{'crlf'} ||
|
|
||||||
+ ($has_hyper && ($keywords{"HTTP"}
|
|
||||||
+ || $keywords{"HTTPS"}))) {
|
|
||||||
+ map subNewlines(0, \$_), @replycheckpart;
|
|
||||||
+ }
|
|
||||||
push(@reply, @replycheckpart);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -3851,6 +3873,11 @@ sub singletest {
|
|
||||||
map s/\r\n/\n/g, @reply;
|
|
||||||
map s/\n/\r\n/g, @reply;
|
|
||||||
}
|
|
||||||
+ if($replyattr{'crlf'} ||
|
|
||||||
+ ($has_hyper && ($keywords{"HTTP"}
|
|
||||||
+ || $keywords{"HTTPS"}))) {
|
|
||||||
+ map subNewlines(0, \$_), @reply;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
# this is the valid protocol blurb curl should generate
|
|
||||||
@@ -4287,6 +4314,12 @@ sub singletest {
|
|
||||||
chomp($validstdout[$#validstdout]);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if($hash{'crlf'} ||
|
|
||||||
+ ($has_hyper && ($keywords{"HTTP"}
|
|
||||||
+ || $keywords{"HTTPS"}))) {
|
|
||||||
+ map subNewlines(0, \$_), @validstdout;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
$res = compare($testnum, $testname, "stdout", \@actual, \@validstdout);
|
|
||||||
if($res) {
|
|
||||||
return $errorreturncode;
|
|
||||||
@@ -4381,6 +4414,10 @@ sub singletest {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if($hash{'crlf'}) {
|
|
||||||
+ map subNewlines(1, \$_), @protstrip;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) {
|
|
||||||
logmsg "\n $testnum: protocol FAILED!\n".
|
|
||||||
" There was no content at all in the file $SERVERIN.\n".
|
|
||||||
@@ -4512,6 +4549,11 @@ sub singletest {
|
|
||||||
map s/\r\n/\n/g, @outfile;
|
|
||||||
map s/\n/\r\n/g, @outfile;
|
|
||||||
}
|
|
||||||
+ if($hash{'crlf'} ||
|
|
||||||
+ ($has_hyper && ($keywords{"HTTP"}
|
|
||||||
+ || $keywords{"HTTPS"}))) {
|
|
||||||
+ map subNewlines(0, \$_), @outfile;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
my $strip;
|
|
||||||
for $strip (@stripfile) {
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
|
|
||||||
From 228ed11bf33c63d9208a3fb38fe5a0d19c0764bd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Tue, 27 Dec 2022 11:50:23 +0100
|
|
||||||
Subject: [PATCH 3/4] runtests: support crlf="yes" for verify/proxy
|
|
||||||
|
|
||||||
Upstream-commit: dc0725244a3163f1e2d5f51165db3a1a430f3ba0
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
tests/FILEFORMAT.md | 4 ++--
|
|
||||||
tests/runtests.pl | 5 +++++
|
|
||||||
2 files changed, 7 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
|
|
||||||
index dcb5695..6646793 100644
|
|
||||||
--- a/tests/FILEFORMAT.md
|
|
||||||
+++ b/tests/FILEFORMAT.md
|
|
||||||
@@ -532,7 +532,7 @@ changing protocol data such as port numbers or user-agent strings.
|
|
||||||
One perl op per line that operates on the protocol dump. This is pretty
|
|
||||||
advanced. Example: `s/^EPRT .*/EPRT stripped/`.
|
|
||||||
|
|
||||||
-### `<protocol [nonewline="yes"] crlf="yes">`
|
|
||||||
+### `<protocol [nonewline="yes"][crlf="yes"]>`
|
|
||||||
|
|
||||||
the protocol dump curl should transmit, if 'nonewline' is set, we will cut off
|
|
||||||
the trailing newline of this given data before comparing with the one actually
|
|
||||||
@@ -542,7 +542,7 @@ comparisons are made.
|
|
||||||
`crlf=yes` forces the newlines to become CRLF even if not written so in the
|
|
||||||
test.
|
|
||||||
|
|
||||||
-### `<proxy [nonewline="yes"]>`
|
|
||||||
+### `<proxy [nonewline="yes"][crlf="yes"]>`
|
|
||||||
|
|
||||||
The protocol dump curl should transmit to a HTTP proxy (when the http-proxy
|
|
||||||
server is used), if 'nonewline' is set, we will cut off the trailing newline
|
|
||||||
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
|
||||||
index b12a42d..5cdc83d 100755
|
|
||||||
--- a/tests/runtests.pl
|
|
||||||
+++ b/tests/runtests.pl
|
|
||||||
@@ -4510,6 +4510,11 @@ sub singletest {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if($hash{'crlf'} ||
|
|
||||||
+ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) {
|
|
||||||
+ map subNewlines(0, \$_), @protstrip;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
$res = compare($testnum, $testname, "proxy", \@out, \@protstrip);
|
|
||||||
if($res) {
|
|
||||||
return $errorreturncode;
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
|
|
||||||
From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Patrick Monnerat <patrick@monnerat.net>
|
|
||||||
Date: Mon, 13 Feb 2023 08:33:09 +0100
|
|
||||||
Subject: [PATCH 4/4] content_encoding: do not reset stage counter for each
|
|
||||||
header
|
|
||||||
|
|
||||||
Test 418 verifies
|
|
||||||
|
|
||||||
Closes #10492
|
|
||||||
|
|
||||||
Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/content_encoding.c | 7 +-
|
|
||||||
lib/urldata.h | 1 +
|
|
||||||
tests/data/Makefile.inc | 1 +
|
|
||||||
tests/data/test387 | 2 +-
|
|
||||||
tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++
|
|
||||||
5 files changed, 158 insertions(+), 5 deletions(-)
|
|
||||||
create mode 100644 tests/data/test418
|
|
||||||
|
|
||||||
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
|
|
||||||
index bfc13e2..94344d6 100644
|
|
||||||
--- a/lib/content_encoding.c
|
|
||||||
+++ b/lib/content_encoding.c
|
|
||||||
@@ -1033,7 +1033,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
|
||||||
const char *enclist, int maybechunked)
|
|
||||||
{
|
|
||||||
struct SingleRequest *k = &data->req;
|
|
||||||
- int counter = 0;
|
|
||||||
|
|
||||||
do {
|
|
||||||
const char *name;
|
|
||||||
@@ -1068,9 +1067,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
|
||||||
if(!encoding)
|
|
||||||
encoding = &error_encoding; /* Defer error at stack use. */
|
|
||||||
|
|
||||||
- if(++counter >= MAX_ENCODE_STACK) {
|
|
||||||
- failf(data, "Reject response due to %u content encodings",
|
|
||||||
- counter);
|
|
||||||
+ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
|
|
||||||
+ failf(data, "Reject response due to more than %u content encodings",
|
|
||||||
+ MAX_ENCODE_STACK);
|
|
||||||
return CURLE_BAD_CONTENT_ENCODING;
|
|
||||||
}
|
|
||||||
/* Stack the unencoding stage. */
|
|
||||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
||||||
index 5b4b34f..8c8c20b 100644
|
|
||||||
--- a/lib/urldata.h
|
|
||||||
+++ b/lib/urldata.h
|
|
||||||
@@ -700,6 +700,7 @@ struct SingleRequest {
|
|
||||||
#ifndef CURL_DISABLE_DOH
|
|
||||||
struct dohdata *doh; /* DoH specific data for this request */
|
|
||||||
#endif
|
|
||||||
+ unsigned char writer_stack_depth; /* Unencoding stack depth. */
|
|
||||||
BIT(header); /* incoming data has HTTP header */
|
|
||||||
BIT(content_range); /* set TRUE if Content-Range: was found */
|
|
||||||
BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
|
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
||||||
index fb51cd6..86b6f85 100644
|
|
||||||
--- a/tests/data/Makefile.inc
|
|
||||||
+++ b/tests/data/Makefile.inc
|
|
||||||
@@ -67,6 +67,7 @@ test393 test394 test395 test396 test397 \
|
|
||||||
\
|
|
||||||
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
|
|
||||||
test409 test410 \
|
|
||||||
+ test418 \
|
|
||||||
\
|
|
||||||
test430 test431 test432 test433 test434 \
|
|
||||||
\
|
|
||||||
diff --git a/tests/data/test387 b/tests/data/test387
|
|
||||||
index 015ec25..644fc7f 100644
|
|
||||||
--- a/tests/data/test387
|
|
||||||
+++ b/tests/data/test387
|
|
||||||
@@ -47,7 +47,7 @@ Accept: */*
|
|
||||||
61
|
|
||||||
</errorcode>
|
|
||||||
<stderr mode="text">
|
|
||||||
-curl: (61) Reject response due to 5 content encodings
|
|
||||||
+curl: (61) Reject response due to more than 5 content encodings
|
|
||||||
</stderr>
|
|
||||||
</verify>
|
|
||||||
</testcase>
|
|
||||||
diff --git a/tests/data/test418 b/tests/data/test418
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..50e974e
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test418
|
|
||||||
@@ -0,0 +1,152 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+gzip
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+<data nocheck="yes">
|
|
||||||
+HTTP/1.1 200 OK
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+Transfer-Encoding: gzip
|
|
||||||
+
|
|
||||||
+-foo-
|
|
||||||
+</data>
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+</server>
|
|
||||||
+ <name>
|
|
||||||
+Response with multiple Transfer-Encoding headers
|
|
||||||
+ </name>
|
|
||||||
+ <command>
|
|
||||||
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
|
|
||||||
+</command>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<protocol crlf="yes">
|
|
||||||
+GET /%TESTNUMBER HTTP/1.1
|
|
||||||
+Host: %HOSTIP:%HTTPPORT
|
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
|
||||||
+
|
|
||||||
+</protocol>
|
|
||||||
+
|
|
||||||
+# CURLE_BAD_CONTENT_ENCODING is 61
|
|
||||||
+<errorcode>
|
|
||||||
+61
|
|
||||||
+</errorcode>
|
|
||||||
+<stderr mode="text">
|
|
||||||
+curl: (61) Reject response due to more than 5 content encodings
|
|
||||||
+</stderr>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
208
SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch
Normal file
208
SOURCES/0025-curl-7.61.1-CVE-2020-8284.patch
Normal file
@ -0,0 +1,208 @@
|
|||||||
|
From 2629f42d4cfdd04df0544007b03161e3d5d52d54 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 24 Nov 2020 14:56:57 +0100
|
||||||
|
Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
|
||||||
|
|
||||||
|
The command line tool also independently sets --ftp-skip-pasv-ip by
|
||||||
|
default.
|
||||||
|
|
||||||
|
Ten test cases updated to adapt the modified --libcurl output.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2020-8284.html
|
||||||
|
CVE-2020-8284
|
||||||
|
|
||||||
|
Reported-by: Varnavas Papaioannou
|
||||||
|
|
||||||
|
Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
|
||||||
|
docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
|
||||||
|
lib/url.c | 1 +
|
||||||
|
src/tool_cfgable.c | 1 +
|
||||||
|
tests/data/test1400 | 1 +
|
||||||
|
tests/data/test1401 | 1 +
|
||||||
|
tests/data/test1402 | 1 +
|
||||||
|
tests/data/test1403 | 1 +
|
||||||
|
tests/data/test1404 | 1 +
|
||||||
|
tests/data/test1405 | 1 +
|
||||||
|
tests/data/test1406 | 1 +
|
||||||
|
tests/data/test1407 | 1 +
|
||||||
|
tests/data/test1420 | 1 +
|
||||||
|
13 files changed, 18 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||||
|
index da6ab11..4be8b43 100644
|
||||||
|
--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||||
|
+++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
||||||
|
@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
|
||||||
|
will re-use the same IP address it already uses for the control
|
||||||
|
connection.
|
||||||
|
|
||||||
|
+Since curl 7.74.0 this option is enabled by default.
|
||||||
|
+
|
||||||
|
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
|
||||||
|
diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||||
|
index 4d3026a..4227ed6 100644
|
||||||
|
--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||||
|
+++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
.\" * | (__| |_| | _ <| |___
|
||||||
|
.\" * \___|\___/|_| \_\_____|
|
||||||
|
.\" *
|
||||||
|
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
.\" *
|
||||||
|
.\" * This software is licensed as described in the file COPYING, which
|
||||||
|
.\" * you should have received as part of this distribution. The terms
|
||||||
|
@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
|
||||||
|
number from the 227-response.
|
||||||
|
|
||||||
|
This option thus allows libcurl to work around broken server installations
|
||||||
|
-that due to NATs, firewalls or incompetence report the wrong IP address back.
|
||||||
|
+that due to NATs, firewalls or incompetence report the wrong IP address
|
||||||
|
+back. Setting the option also reduces the risk for various sorts of client
|
||||||
|
+abuse by malicious servers.
|
||||||
|
|
||||||
|
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
|
||||||
|
.SH DEFAULT
|
||||||
|
-0
|
||||||
|
+1 since 7.74.0, was 0 before then.
|
||||||
|
.SH PROTOCOLS
|
||||||
|
FTP
|
||||||
|
.SH EXAMPLE
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index e77f391..b18db25 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -434,6 +434,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||||
|
set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
|
||||||
|
set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
|
||||||
|
set->ftp_filemethod = FTPFILE_MULTICWD;
|
||||||
|
+ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
|
||||||
|
|
||||||
|
set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
|
||||||
|
|
||||||
|
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
|
||||||
|
index 81e16c1..110191e 100644
|
||||||
|
--- a/src/tool_cfgable.c
|
||||||
|
+++ b/src/tool_cfgable.c
|
||||||
|
@@ -43,6 +43,7 @@ void config_init(struct OperationConfig* config)
|
||||||
|
config->proto_default = NULL;
|
||||||
|
config->tcp_nodelay = TRUE; /* enabled by default */
|
||||||
|
config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
|
||||||
|
+ config->ftp_skip_ip = TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void free_config_fields(struct OperationConfig *config)
|
||||||
|
diff --git a/tests/data/test1400 b/tests/data/test1400
|
||||||
|
index 10faef3..9d18a30 100644
|
||||||
|
--- a/tests/data/test1400
|
||||||
|
+++ b/tests/data/test1400
|
||||||
|
@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
|
||||||
|
/* Here is a list of options the curl code used that cannot get generated
|
||||||
|
diff --git a/tests/data/test1401 b/tests/data/test1401
|
||||||
|
index f330931..99cb0cb 100644
|
||||||
|
--- a/tests/data/test1401
|
||||||
|
+++ b/tests/data/test1401
|
||||||
|
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
|
||||||
|
(long)CURLPROTO_FTP |
|
||||||
|
diff --git a/tests/data/test1402 b/tests/data/test1402
|
||||||
|
index 9a94283..ef55bd6 100644
|
||||||
|
--- a/tests/data/test1402
|
||||||
|
+++ b/tests/data/test1402
|
||||||
|
@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
|
||||||
|
/* Here is a list of options the curl code used that cannot get generated
|
||||||
|
diff --git a/tests/data/test1403 b/tests/data/test1403
|
||||||
|
index 79cdf49..78932c2 100644
|
||||||
|
--- a/tests/data/test1403
|
||||||
|
+++ b/tests/data/test1403
|
||||||
|
@@ -75,6 +75,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
|
||||||
|
/* Here is a list of options the curl code used that cannot get generated
|
||||||
|
diff --git a/tests/data/test1404 b/tests/data/test1404
|
||||||
|
index 9c6f2e7..8ea5e04 100644
|
||||||
|
--- a/tests/data/test1404
|
||||||
|
+++ b/tests/data/test1404
|
||||||
|
@@ -144,6 +144,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
|
||||||
|
/* Here is a list of options the curl code used that cannot get generated
|
||||||
|
diff --git a/tests/data/test1405 b/tests/data/test1405
|
||||||
|
index 73769ee..5a83b6e 100644
|
||||||
|
--- a/tests/data/test1405
|
||||||
|
+++ b/tests/data/test1405
|
||||||
|
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
|
||||||
|
/* Here is a list of options the curl code used that cannot get generated
|
||||||
|
diff --git a/tests/data/test1406 b/tests/data/test1406
|
||||||
|
index 796dd22..c941e00 100644
|
||||||
|
--- a/tests/data/test1406
|
||||||
|
+++ b/tests/data/test1406
|
||||||
|
@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
|
||||||
|
diff --git a/tests/data/test1407 b/tests/data/test1407
|
||||||
|
index 9800eee..ddba7b7 100644
|
||||||
|
--- a/tests/data/test1407
|
||||||
|
+++ b/tests/data/test1407
|
||||||
|
@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
|
||||||
|
/* Here is a list of options the curl code used that cannot get generated
|
||||||
|
diff --git a/tests/data/test1420 b/tests/data/test1420
|
||||||
|
index a5e1c52..72fb353 100644
|
||||||
|
--- a/tests/data/test1420
|
||||||
|
+++ b/tests/data/test1420
|
||||||
|
@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;UID=1");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
||||||
|
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
||||||
|
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
||||||
|
|
||||||
|
/* Here is a list of options the curl code used that cannot get generated
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
258
SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch
Normal file
258
SOURCES/0026-curl-7.61.1-CVE-2020-8285.patch
Normal file
@ -0,0 +1,258 @@
|
|||||||
|
From 22b3d1cf0216f4369f01678c587da265c2e465af Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Sat, 28 Nov 2020 00:27:21 +0100
|
||||||
|
Subject: [PATCH] ftp: make wc_statemach loop instead of recurse
|
||||||
|
|
||||||
|
CVE-2020-8285
|
||||||
|
|
||||||
|
Fixes #6255
|
||||||
|
Bug: https://curl.se/docs/CVE-2020-8285.html
|
||||||
|
Reported-by: xnynx on github
|
||||||
|
|
||||||
|
Upstream-commit: 69a358f2186e04cf44698b5100332cbf1ee7f01d
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/ftp.c | 204 +++++++++++++++++++++++++++---------------------------
|
||||||
|
1 file changed, 103 insertions(+), 101 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||||
|
index 7dbf080..482ab3a 100644
|
||||||
|
--- a/lib/ftp.c
|
||||||
|
+++ b/lib/ftp.c
|
||||||
|
@@ -3786,130 +3786,132 @@ static CURLcode init_wc_data(struct connectdata *conn)
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/* This is called recursively */
|
||||||
|
static CURLcode wc_statemach(struct connectdata *conn)
|
||||||
|
{
|
||||||
|
struct WildcardData * const wildcard = &(conn->data->wildcard);
|
||||||
|
CURLcode result = CURLE_OK;
|
||||||
|
|
||||||
|
- switch(wildcard->state) {
|
||||||
|
- case CURLWC_INIT:
|
||||||
|
- result = init_wc_data(conn);
|
||||||
|
- if(wildcard->state == CURLWC_CLEAN)
|
||||||
|
- /* only listing! */
|
||||||
|
- break;
|
||||||
|
- wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
|
||||||
|
- break;
|
||||||
|
+ for(;;) {
|
||||||
|
+ switch(wildcard->state) {
|
||||||
|
+ case CURLWC_INIT:
|
||||||
|
+ result = init_wc_data(conn);
|
||||||
|
+ if(wildcard->state == CURLWC_CLEAN)
|
||||||
|
+ /* only listing! */
|
||||||
|
+ return result;
|
||||||
|
+ wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
|
||||||
|
+ return result;
|
||||||
|
|
||||||
|
- case CURLWC_MATCHING: {
|
||||||
|
- /* In this state is LIST response successfully parsed, so lets restore
|
||||||
|
- previous WRITEFUNCTION callback and WRITEDATA pointer */
|
||||||
|
- struct ftp_wc *ftpwc = wildcard->protdata;
|
||||||
|
- conn->data->set.fwrite_func = ftpwc->backup.write_function;
|
||||||
|
- conn->data->set.out = ftpwc->backup.file_descriptor;
|
||||||
|
- ftpwc->backup.write_function = ZERO_NULL;
|
||||||
|
- ftpwc->backup.file_descriptor = NULL;
|
||||||
|
- wildcard->state = CURLWC_DOWNLOADING;
|
||||||
|
-
|
||||||
|
- if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
|
||||||
|
- /* error found in LIST parsing */
|
||||||
|
- wildcard->state = CURLWC_CLEAN;
|
||||||
|
- return wc_statemach(conn);
|
||||||
|
- }
|
||||||
|
- if(wildcard->filelist.size == 0) {
|
||||||
|
- /* no corresponding file */
|
||||||
|
- wildcard->state = CURLWC_CLEAN;
|
||||||
|
- return CURLE_REMOTE_FILE_NOT_FOUND;
|
||||||
|
+ case CURLWC_MATCHING: {
|
||||||
|
+ /* In this state is LIST response successfully parsed, so lets restore
|
||||||
|
+ previous WRITEFUNCTION callback and WRITEDATA pointer */
|
||||||
|
+ struct ftp_wc *ftpwc = wildcard->protdata;
|
||||||
|
+ conn->data->set.fwrite_func = ftpwc->backup.write_function;
|
||||||
|
+ conn->data->set.out = ftpwc->backup.file_descriptor;
|
||||||
|
+ ftpwc->backup.write_function = ZERO_NULL;
|
||||||
|
+ ftpwc->backup.file_descriptor = NULL;
|
||||||
|
+ wildcard->state = CURLWC_DOWNLOADING;
|
||||||
|
+
|
||||||
|
+ if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
|
||||||
|
+ /* error found in LIST parsing */
|
||||||
|
+ wildcard->state = CURLWC_CLEAN;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ if(wildcard->filelist.size == 0) {
|
||||||
|
+ /* no corresponding file */
|
||||||
|
+ wildcard->state = CURLWC_CLEAN;
|
||||||
|
+ return CURLE_REMOTE_FILE_NOT_FOUND;
|
||||||
|
+ }
|
||||||
|
+ continue;
|
||||||
|
}
|
||||||
|
- return wc_statemach(conn);
|
||||||
|
- }
|
||||||
|
|
||||||
|
- case CURLWC_DOWNLOADING: {
|
||||||
|
- /* filelist has at least one file, lets get first one */
|
||||||
|
- struct ftp_conn *ftpc = &conn->proto.ftpc;
|
||||||
|
- struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
|
||||||
|
+ case CURLWC_DOWNLOADING: {
|
||||||
|
+ /* filelist has at least one file, lets get first one */
|
||||||
|
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
|
||||||
|
+ struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
|
||||||
|
|
||||||
|
- char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
|
||||||
|
- if(!tmp_path)
|
||||||
|
- return CURLE_OUT_OF_MEMORY;
|
||||||
|
+ char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
|
||||||
|
+ if(!tmp_path)
|
||||||
|
+ return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
- /* switch default "state.pathbuffer" and tmp_path, good to see
|
||||||
|
- ftp_parse_url_path function to understand this trick */
|
||||||
|
- Curl_safefree(conn->data->state.pathbuffer);
|
||||||
|
- conn->data->state.pathbuffer = tmp_path;
|
||||||
|
- conn->data->state.path = tmp_path;
|
||||||
|
-
|
||||||
|
- infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
|
||||||
|
- if(conn->data->set.chunk_bgn) {
|
||||||
|
- long userresponse;
|
||||||
|
- Curl_set_in_callback(conn->data, true);
|
||||||
|
- userresponse = conn->data->set.chunk_bgn(
|
||||||
|
- finfo, wildcard->customptr, (int)wildcard->filelist.size);
|
||||||
|
- Curl_set_in_callback(conn->data, false);
|
||||||
|
- switch(userresponse) {
|
||||||
|
- case CURL_CHUNK_BGN_FUNC_SKIP:
|
||||||
|
- infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
|
||||||
|
- finfo->filename);
|
||||||
|
- wildcard->state = CURLWC_SKIP;
|
||||||
|
- return wc_statemach(conn);
|
||||||
|
- case CURL_CHUNK_BGN_FUNC_FAIL:
|
||||||
|
- return CURLE_CHUNK_FAILED;
|
||||||
|
+ /* switch default "state.pathbuffer" and tmp_path, good to see
|
||||||
|
+ ftp_parse_url_path function to understand this trick */
|
||||||
|
+ Curl_safefree(conn->data->state.pathbuffer);
|
||||||
|
+ conn->data->state.pathbuffer = tmp_path;
|
||||||
|
+ conn->data->state.path = tmp_path;
|
||||||
|
+
|
||||||
|
+ infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
|
||||||
|
+ if(conn->data->set.chunk_bgn) {
|
||||||
|
+ long userresponse;
|
||||||
|
+ Curl_set_in_callback(conn->data, true);
|
||||||
|
+ userresponse = conn->data->set.chunk_bgn(
|
||||||
|
+ finfo, wildcard->customptr, (int)wildcard->filelist.size);
|
||||||
|
+ Curl_set_in_callback(conn->data, false);
|
||||||
|
+ switch(userresponse) {
|
||||||
|
+ case CURL_CHUNK_BGN_FUNC_SKIP:
|
||||||
|
+ infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
|
||||||
|
+ finfo->filename);
|
||||||
|
+ wildcard->state = CURLWC_SKIP;
|
||||||
|
+ continue;
|
||||||
|
+ case CURL_CHUNK_BGN_FUNC_FAIL:
|
||||||
|
+ return CURLE_CHUNK_FAILED;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
- }
|
||||||
|
|
||||||
|
- if(finfo->filetype != CURLFILETYPE_FILE) {
|
||||||
|
- wildcard->state = CURLWC_SKIP;
|
||||||
|
- return wc_statemach(conn);
|
||||||
|
- }
|
||||||
|
+ if(finfo->filetype != CURLFILETYPE_FILE) {
|
||||||
|
+ wildcard->state = CURLWC_SKIP;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
|
||||||
|
- ftpc->known_filesize = finfo->size;
|
||||||
|
+ if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
|
||||||
|
+ ftpc->known_filesize = finfo->size;
|
||||||
|
|
||||||
|
- result = ftp_parse_url_path(conn);
|
||||||
|
- if(result)
|
||||||
|
- return result;
|
||||||
|
+ result = ftp_parse_url_path(conn);
|
||||||
|
+ if(result)
|
||||||
|
+ return result;
|
||||||
|
|
||||||
|
- /* we don't need the Curl_fileinfo of first file anymore */
|
||||||
|
- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
|
||||||
|
+ /* we don't need the Curl_fileinfo of first file anymore */
|
||||||
|
+ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
|
||||||
|
|
||||||
|
- if(wildcard->filelist.size == 0) { /* remains only one file to down. */
|
||||||
|
- wildcard->state = CURLWC_CLEAN;
|
||||||
|
- /* after that will be ftp_do called once again and no transfer
|
||||||
|
- will be done because of CURLWC_CLEAN state */
|
||||||
|
- return CURLE_OK;
|
||||||
|
+ if(wildcard->filelist.size == 0) { /* remains only one file to down. */
|
||||||
|
+ wildcard->state = CURLWC_CLEAN;
|
||||||
|
+ /* after that will be ftp_do called once again and no transfer
|
||||||
|
+ will be done because of CURLWC_CLEAN state */
|
||||||
|
+ return CURLE_OK;
|
||||||
|
+ }
|
||||||
|
+ return result;
|
||||||
|
}
|
||||||
|
- } break;
|
||||||
|
|
||||||
|
- case CURLWC_SKIP: {
|
||||||
|
- if(conn->data->set.chunk_end) {
|
||||||
|
- Curl_set_in_callback(conn->data, true);
|
||||||
|
- conn->data->set.chunk_end(conn->data->wildcard.customptr);
|
||||||
|
- Curl_set_in_callback(conn->data, false);
|
||||||
|
+ case CURLWC_SKIP: {
|
||||||
|
+ if(conn->data->set.chunk_end) {
|
||||||
|
+ Curl_set_in_callback(conn->data, true);
|
||||||
|
+ conn->data->set.chunk_end(conn->data->wildcard.customptr);
|
||||||
|
+ Curl_set_in_callback(conn->data, false);
|
||||||
|
+ }
|
||||||
|
+ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
|
||||||
|
+ wildcard->state = (wildcard->filelist.size == 0) ?
|
||||||
|
+ CURLWC_CLEAN : CURLWC_DOWNLOADING;
|
||||||
|
+ continue;
|
||||||
|
}
|
||||||
|
- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
|
||||||
|
- wildcard->state = (wildcard->filelist.size == 0) ?
|
||||||
|
- CURLWC_CLEAN : CURLWC_DOWNLOADING;
|
||||||
|
- return wc_statemach(conn);
|
||||||
|
- }
|
||||||
|
|
||||||
|
- case CURLWC_CLEAN: {
|
||||||
|
- struct ftp_wc *ftpwc = wildcard->protdata;
|
||||||
|
- result = CURLE_OK;
|
||||||
|
- if(ftpwc)
|
||||||
|
- result = Curl_ftp_parselist_geterror(ftpwc->parser);
|
||||||
|
+ case CURLWC_CLEAN: {
|
||||||
|
+ struct ftp_wc *ftpwc = wildcard->protdata;
|
||||||
|
+ result = CURLE_OK;
|
||||||
|
+ if(ftpwc)
|
||||||
|
+ result = Curl_ftp_parselist_geterror(ftpwc->parser);
|
||||||
|
|
||||||
|
- wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
|
||||||
|
- } break;
|
||||||
|
+ wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
|
||||||
|
+ return result;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- case CURLWC_DONE:
|
||||||
|
- case CURLWC_ERROR:
|
||||||
|
- case CURLWC_CLEAR:
|
||||||
|
- if(wildcard->dtor)
|
||||||
|
- wildcard->dtor(wildcard->protdata);
|
||||||
|
- break;
|
||||||
|
+ case CURLWC_DONE:
|
||||||
|
+ case CURLWC_ERROR:
|
||||||
|
+ case CURLWC_CLEAR:
|
||||||
|
+ if(wildcard->dtor)
|
||||||
|
+ wildcard->dtor(wildcard->protdata);
|
||||||
|
+ return result;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- return result;
|
||||||
|
+ /* UNREACHABLE */
|
||||||
|
}
|
||||||
|
|
||||||
|
/***********************************************************************
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
129
SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch
Normal file
129
SOURCES/0027-curl-7.61.1-CVE-2020-8286.patch
Normal file
@ -0,0 +1,129 @@
|
|||||||
|
From 2470bc91f62cc9b0ab1deac60a67f87b7cc95f6e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Wed, 2 Dec 2020 23:01:11 +0100
|
||||||
|
Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
|
||||||
|
|
||||||
|
CVE-2020-8286
|
||||||
|
|
||||||
|
Reported by anonymous
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2020-8286.html
|
||||||
|
|
||||||
|
Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
|
||||||
|
1 file changed, 54 insertions(+), 29 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 9476773..35cd652 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -1659,6 +1659,11 @@ static CURLcode verifystatus(struct connectdata *conn,
|
||||||
|
OCSP_BASICRESP *br = NULL;
|
||||||
|
X509_STORE *st = NULL;
|
||||||
|
STACK_OF(X509) *ch = NULL;
|
||||||
|
+ X509 *cert;
|
||||||
|
+ OCSP_CERTID *id = NULL;
|
||||||
|
+ int cert_status, crl_reason;
|
||||||
|
+ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
|
||||||
|
+ int ret;
|
||||||
|
|
||||||
|
long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);
|
||||||
|
|
||||||
|
@@ -1727,43 +1732,63 @@ static CURLcode verifystatus(struct connectdata *conn,
|
||||||
|
goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
- for(i = 0; i < OCSP_resp_count(br); i++) {
|
||||||
|
- int cert_status, crl_reason;
|
||||||
|
- OCSP_SINGLERESP *single = NULL;
|
||||||
|
-
|
||||||
|
- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
|
||||||
|
+ /* Compute the certificate's ID */
|
||||||
|
+ cert = SSL_get_peer_certificate(BACKEND->handle);
|
||||||
|
+ if(!cert) {
|
||||||
|
+ failf(data, "Error getting peer certficate");
|
||||||
|
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- single = OCSP_resp_get0(br, i);
|
||||||
|
- if(!single)
|
||||||
|
- continue;
|
||||||
|
+ for(i = 0; i < sk_X509_num(ch); i++) {
|
||||||
|
+ X509 *issuer = sk_X509_value(ch, i);
|
||||||
|
+ if(X509_check_issued(issuer, cert) == X509_V_OK) {
|
||||||
|
+ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ X509_free(cert);
|
||||||
|
|
||||||
|
- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
|
||||||
|
- &thisupd, &nextupd);
|
||||||
|
+ if(!id) {
|
||||||
|
+ failf(data, "Error computing OCSP ID");
|
||||||
|
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
|
||||||
|
- failf(data, "OCSP response has expired");
|
||||||
|
- result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
+ /* Find the single OCSP response corresponding to the certificate ID */
|
||||||
|
+ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
|
||||||
|
+ &thisupd, &nextupd);
|
||||||
|
+ OCSP_CERTID_free(id);
|
||||||
|
+ if(ret != 1) {
|
||||||
|
+ failf(data, "Could not find certificate ID in OCSP response");
|
||||||
|
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- infof(data, "SSL certificate status: %s (%d)\n",
|
||||||
|
- OCSP_cert_status_str(cert_status), cert_status);
|
||||||
|
+ /* Validate the corresponding single OCSP response */
|
||||||
|
+ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
|
||||||
|
+ failf(data, "OCSP response has expired");
|
||||||
|
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
+ goto end;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- switch(cert_status) {
|
||||||
|
- case V_OCSP_CERTSTATUS_GOOD:
|
||||||
|
- break;
|
||||||
|
+ infof(data, "SSL certificate status: %s (%d)\n",
|
||||||
|
+ OCSP_cert_status_str(cert_status), cert_status);
|
||||||
|
|
||||||
|
- case V_OCSP_CERTSTATUS_REVOKED:
|
||||||
|
- result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
+ switch(cert_status) {
|
||||||
|
+ case V_OCSP_CERTSTATUS_GOOD:
|
||||||
|
+ break;
|
||||||
|
|
||||||
|
- failf(data, "SSL certificate revocation reason: %s (%d)",
|
||||||
|
- OCSP_crl_reason_str(crl_reason), crl_reason);
|
||||||
|
- goto end;
|
||||||
|
+ case V_OCSP_CERTSTATUS_REVOKED:
|
||||||
|
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
+ failf(data, "SSL certificate revocation reason: %s (%d)",
|
||||||
|
+ OCSP_crl_reason_str(crl_reason), crl_reason);
|
||||||
|
+ goto end;
|
||||||
|
|
||||||
|
- case V_OCSP_CERTSTATUS_UNKNOWN:
|
||||||
|
- result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
- goto end;
|
||||||
|
- }
|
||||||
|
+ case V_OCSP_CERTSTATUS_UNKNOWN:
|
||||||
|
+ default:
|
||||||
|
+ result = CURLE_SSL_INVALIDCERTSTATUS;
|
||||||
|
+ goto end;
|
||||||
|
}
|
||||||
|
|
||||||
|
end:
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
63
SOURCES/0028-curl-7.61.1-http-auth-payload.patch
Normal file
63
SOURCES/0028-curl-7.61.1-http-auth-payload.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
From 5a51924c2505c1d5616904aa732fdaedd74d3ffe Mon Sep 17 00:00:00 2001
|
||||||
|
From: Marc Schlatter <mschlatter@gestour.com>
|
||||||
|
Date: Mon, 11 Mar 2019 17:15:34 +0100
|
||||||
|
Subject: [PATCH] http: send payload when (proxy) authentication is done
|
||||||
|
|
||||||
|
The check that prevents payload from sending in case of authentication
|
||||||
|
doesn't check properly if the authentication is done or not.
|
||||||
|
|
||||||
|
They're cases where the proxy respond "200 OK" before sending
|
||||||
|
authentication challenge. This change takes care of that.
|
||||||
|
|
||||||
|
Fixes #2431
|
||||||
|
Closes #3669
|
||||||
|
|
||||||
|
Upstream-commit: dd8a19f8a05b59394d1ab33c09497e8db884742a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http.c | 3 ++-
|
||||||
|
tests/data/test1097 | 5 +++--
|
||||||
|
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index e727ed8..26eb52d 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -1991,7 +1991,8 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
|
||||||
|
- if((data->state.authhost.multipass || data->state.authproxy.multipass) &&
|
||||||
|
+ if(((data->state.authhost.multipass && !data->state.authhost.done)
|
||||||
|
+ || (data->state.authproxy.multipass && !data->state.authproxy.done)) &&
|
||||||
|
(httpreq != HTTPREQ_GET) &&
|
||||||
|
(httpreq != HTTPREQ_HEAD)) {
|
||||||
|
/* Auth is required and we are not authenticated yet. Make a PUT or POST
|
||||||
|
diff --git a/tests/data/test1097 b/tests/data/test1097
|
||||||
|
index 7512a2e..7eb7b5f 100644
|
||||||
|
--- a/tests/data/test1097
|
||||||
|
+++ b/tests/data/test1097
|
||||||
|
@@ -60,7 +60,7 @@ http://test.a.galaxy.far.far.away.1097:%HTTPPORT/1097 --proxy http://%HOSTIP:%HT
|
||||||
|
<strip>
|
||||||
|
^User-Agent: curl/.*
|
||||||
|
</strip>
|
||||||
|
-<protocol>
|
||||||
|
+<protocol nonewline="yes">
|
||||||
|
CONNECT test.a.galaxy.far.far.away.1097:%HTTPPORT HTTP/1.1
|
||||||
|
Host: test.a.galaxy.far.far.away.1097:%HTTPPORT
|
||||||
|
Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
|
||||||
|
@@ -71,9 +71,10 @@ POST /1097 HTTP/1.1
|
||||||
|
User-Agent: curl/7.19.5-CVS (i686-pc-linux-gnu) libcurl/7.19.5-CVS OpenSSL/0.9.8g zlib/1.2.3.3 c-ares/1.6.1-CVS libidn/1.12 libssh2/1.0.1_CVS
|
||||||
|
Host: test.a.galaxy.far.far.away.1097:%HTTPPORT
|
||||||
|
Accept: */*
|
||||||
|
-Content-Length: 0
|
||||||
|
+Content-Length: 11
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
+dummy=value
|
||||||
|
</protocol>
|
||||||
|
|
||||||
|
</verify>
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
116
SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
Normal file
116
SOURCES/0029-curl-7.61.1-CVE-2021-22876.patch
Normal file
@ -0,0 +1,116 @@
|
|||||||
|
From 239f8d93866605b05f4e6b551f4327dc7fcb922b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Viktor Szakats <commit@vsz.me>
|
||||||
|
Date: Tue, 23 Feb 2021 14:54:46 +0100
|
||||||
|
Subject: [PATCH 1/2] transfer: strip credentials from the auto-referer header
|
||||||
|
field
|
||||||
|
|
||||||
|
Added test 2081 to verify.
|
||||||
|
|
||||||
|
CVE-2021-22876
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2021-22876.html
|
||||||
|
|
||||||
|
Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/transfer.c | 25 +++++++++++++++++++++++--
|
||||||
|
1 file changed, 23 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/transfer.c b/lib/transfer.c
|
||||||
|
index ecd1063..263b178 100644
|
||||||
|
--- a/lib/transfer.c
|
||||||
|
+++ b/lib/transfer.c
|
||||||
|
@@ -1473,6 +1473,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||||||
|
/* Location: redirect */
|
||||||
|
bool disallowport = FALSE;
|
||||||
|
bool reachedmax = FALSE;
|
||||||
|
+ CURLUcode uc;
|
||||||
|
|
||||||
|
if(type == FOLLOW_REDIR) {
|
||||||
|
if((data->set.maxredirs != -1) &&
|
||||||
|
@@ -1488,6 +1489,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||||||
|
data->set.followlocation++; /* count location-followers */
|
||||||
|
|
||||||
|
if(data->set.http_auto_referer) {
|
||||||
|
+ CURLU *u;
|
||||||
|
+ char *referer;
|
||||||
|
+
|
||||||
|
/* We are asked to automatically set the previous URL as the referer
|
||||||
|
when we get the next URL. We pick the ->url field, which may or may
|
||||||
|
not be 100% correct */
|
||||||
|
@@ -1497,9 +1501,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||||||
|
data->change.referer_alloc = FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- data->change.referer = strdup(data->change.url);
|
||||||
|
- if(!data->change.referer)
|
||||||
|
+ /* Make a copy of the URL without crenditals and fragment */
|
||||||
|
+ u = curl_url();
|
||||||
|
+ if(!u)
|
||||||
|
+ return CURLE_OUT_OF_MEMORY;
|
||||||
|
+
|
||||||
|
+ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
|
||||||
|
+ if(!uc)
|
||||||
|
+ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
|
||||||
|
+ if(!uc)
|
||||||
|
+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
|
||||||
|
+ if(!uc)
|
||||||
|
+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
|
||||||
|
+ if(!uc)
|
||||||
|
+ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
|
||||||
|
+
|
||||||
|
+ curl_url_cleanup(u);
|
||||||
|
+
|
||||||
|
+ if(uc || referer == NULL)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
+ data->change.referer = referer;
|
||||||
|
data->change.referer_alloc = TRUE; /* yes, free this later */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
||||||
|
|
||||||
|
From f7d1d478b87499ce31d6aa3251830b78447ad952 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 29 Mar 2021 09:32:14 +0200
|
||||||
|
Subject: [PATCH 2/2] transfer: clear 'referer' in declaration
|
||||||
|
|
||||||
|
To silence (false positive) compiler warnings about it.
|
||||||
|
|
||||||
|
Follow-up to 7214288898f5625
|
||||||
|
|
||||||
|
Reviewed-by: Marcel Raad
|
||||||
|
Closes #6810
|
||||||
|
|
||||||
|
Upstream-commit: 6bb028dbda6cbfe83f66de773544f71e4813160f
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/transfer.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/transfer.c b/lib/transfer.c
|
||||||
|
index 263b178..ad5a7ba 100644
|
||||||
|
--- a/lib/transfer.c
|
||||||
|
+++ b/lib/transfer.c
|
||||||
|
@@ -1490,7 +1490,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||||||
|
|
||||||
|
if(data->set.http_auto_referer) {
|
||||||
|
CURLU *u;
|
||||||
|
- char *referer;
|
||||||
|
+ char *referer = NULL;
|
||||||
|
|
||||||
|
/* We are asked to automatically set the previous URL as the referer
|
||||||
|
when we get the next URL. We pick the ->url field, which may or may
|
||||||
|
@@ -1518,7 +1518,7 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||||||
|
|
||||||
|
curl_url_cleanup(u);
|
||||||
|
|
||||||
|
- if(uc || referer == NULL)
|
||||||
|
+ if(uc || !referer)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
data->change.referer = referer;
|
||||||
|
data->change.referer_alloc = TRUE; /* yes, free this later */
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
693
SOURCES/0030-curl-7.61.1-file-head.patch
Normal file
693
SOURCES/0030-curl-7.61.1-file-head.patch
Normal file
@ -0,0 +1,693 @@
|
|||||||
|
From 87e3d094e0dc00efc1abeb2b142d453024cbca69 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 4 Oct 2018 23:53:32 +0200
|
||||||
|
Subject: [PATCH] FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
|
||||||
|
|
||||||
|
Now FILE transfers send headers to the header callback like HTTP and
|
||||||
|
other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
|
||||||
|
work for FILE in the callbacks.
|
||||||
|
|
||||||
|
Makes "curl -i file://.." and "curl -I file://.." work like before
|
||||||
|
again. Applied the bold header logic to them too.
|
||||||
|
|
||||||
|
Regression from c1c2762 (7.61.0)
|
||||||
|
|
||||||
|
Reported-by: Shaun Jackman
|
||||||
|
Fixes #3083
|
||||||
|
Closes #3101
|
||||||
|
|
||||||
|
Upstream-commit: e50a2002bd450a4800a165d2874ed79c95b33a07
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/file.c | 27 +++++++++++++--------------
|
||||||
|
lib/getinfo.c | 1 -
|
||||||
|
lib/url.c | 1 +
|
||||||
|
src/tool_cb_hdr.c | 5 +++--
|
||||||
|
tests/data/test1016 | 2 +-
|
||||||
|
tests/data/test1017 | 2 +-
|
||||||
|
tests/data/test1018 | 2 +-
|
||||||
|
tests/data/test1019 | 2 +-
|
||||||
|
tests/data/test1020 | 2 +-
|
||||||
|
tests/data/test1029 | 2 +-
|
||||||
|
tests/data/test1146 | 2 +-
|
||||||
|
tests/data/test1220 | 2 +-
|
||||||
|
tests/data/test200 | 2 +-
|
||||||
|
tests/data/test2000 | 2 +-
|
||||||
|
tests/data/test2001 | 13 +------------
|
||||||
|
tests/data/test2002 | 13 +------------
|
||||||
|
tests/data/test2003 | 26 ++------------------------
|
||||||
|
tests/data/test2004 | 2 +-
|
||||||
|
tests/data/test2006 | 8 ++++++++
|
||||||
|
tests/data/test2007 | 8 ++++++++
|
||||||
|
tests/data/test2008 | 8 ++++++++
|
||||||
|
tests/data/test2009 | 8 ++++++++
|
||||||
|
tests/data/test2010 | 8 ++++++++
|
||||||
|
tests/data/test202 | 2 +-
|
||||||
|
tests/data/test203 | 2 +-
|
||||||
|
tests/data/test204 | 2 +-
|
||||||
|
tests/data/test205 | 2 +-
|
||||||
|
tests/data/test2070 | 2 +-
|
||||||
|
tests/data/test2071 | 2 +-
|
||||||
|
tests/data/test2072 | 2 +-
|
||||||
|
tests/data/test210 | 2 +-
|
||||||
|
tests/data/test231 | 2 +-
|
||||||
|
tests/data/test288 | 2 +-
|
||||||
|
33 files changed, 82 insertions(+), 86 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/file.c b/lib/file.c
|
||||||
|
index e50e988..f780658 100644
|
||||||
|
--- a/lib/file.c
|
||||||
|
+++ b/lib/file.c
|
||||||
|
@@ -386,7 +386,6 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
|
||||||
|
|
||||||
|
*done = TRUE; /* unconditionally */
|
||||||
|
|
||||||
|
- Curl_initinfo(data);
|
||||||
|
Curl_pgrsStartNow(data);
|
||||||
|
|
||||||
|
if(data->set.upload)
|
||||||
|
@@ -413,21 +412,18 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* If we have selected NOBODY and HEADER, it means that we only want file
|
||||||
|
- information. Which for FILE can't be much more than the file size and
|
||||||
|
- date. */
|
||||||
|
- if(data->set.opt_no_body && data->set.include_header && fstated) {
|
||||||
|
+ if(fstated) {
|
||||||
|
time_t filetime;
|
||||||
|
struct tm buffer;
|
||||||
|
const struct tm *tm = &buffer;
|
||||||
|
char header[80];
|
||||||
|
snprintf(header, sizeof(header),
|
||||||
|
"Content-Length: %" CURL_FORMAT_CURL_OFF_T "\r\n", expected_size);
|
||||||
|
- result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
|
||||||
|
+ result = Curl_client_write(conn, CLIENTWRITE_HEADER, header, 0);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
|
||||||
|
- result = Curl_client_write(conn, CLIENTWRITE_BOTH,
|
||||||
|
+ result = Curl_client_write(conn, CLIENTWRITE_HEADER,
|
||||||
|
(char *)"Accept-ranges: bytes\r\n", 0);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
@@ -439,19 +435,22 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
|
||||||
|
|
||||||
|
/* format: "Tue, 15 Nov 1994 12:45:26 GMT" */
|
||||||
|
snprintf(header, sizeof(header),
|
||||||
|
- "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n",
|
||||||
|
+ "Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT\r\n%s",
|
||||||
|
Curl_wkday[tm->tm_wday?tm->tm_wday-1:6],
|
||||||
|
tm->tm_mday,
|
||||||
|
Curl_month[tm->tm_mon],
|
||||||
|
tm->tm_year + 1900,
|
||||||
|
tm->tm_hour,
|
||||||
|
tm->tm_min,
|
||||||
|
- tm->tm_sec);
|
||||||
|
- result = Curl_client_write(conn, CLIENTWRITE_BOTH, header, 0);
|
||||||
|
- if(!result)
|
||||||
|
- /* set the file size to make it available post transfer */
|
||||||
|
- Curl_pgrsSetDownloadSize(data, expected_size);
|
||||||
|
- return result;
|
||||||
|
+ tm->tm_sec,
|
||||||
|
+ data->set.opt_no_body ? "": "\r\n");
|
||||||
|
+ result = Curl_client_write(conn, CLIENTWRITE_HEADER, header, 0);
|
||||||
|
+ if(result)
|
||||||
|
+ return result;
|
||||||
|
+ /* set the file size to make it available post transfer */
|
||||||
|
+ Curl_pgrsSetDownloadSize(data, expected_size);
|
||||||
|
+ if(data->set.opt_no_body)
|
||||||
|
+ return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check whether file range has been specified */
|
||||||
|
diff --git a/lib/getinfo.c b/lib/getinfo.c
|
||||||
|
index 14b4562..54c2c2f 100644
|
||||||
|
--- a/lib/getinfo.c
|
||||||
|
+++ b/lib/getinfo.c
|
||||||
|
@@ -85,7 +85,6 @@ CURLcode Curl_initinfo(struct Curl_easy *data)
|
||||||
|
#ifdef USE_SSL
|
||||||
|
Curl_ssl_free_certinfo(data);
|
||||||
|
#endif
|
||||||
|
-
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index b18db25..bb9d107 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -4290,6 +4290,7 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
/* this is supposed to be the connect function so we better at least check
|
||||||
|
that the file is present here! */
|
||||||
|
DEBUGASSERT(conn->handler->connect_it);
|
||||||
|
+ Curl_persistconninfo(conn);
|
||||||
|
result = conn->handler->connect_it(conn, &done);
|
||||||
|
|
||||||
|
/* Setup a "faked" transfer that'll do nothing */
|
||||||
|
diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
|
||||||
|
index e91e8ac..4f21221 100644
|
||||||
|
--- a/src/tool_cb_hdr.c
|
||||||
|
+++ b/src/tool_cb_hdr.c
|
||||||
|
@@ -153,8 +153,9 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
|
||||||
|
}
|
||||||
|
|
||||||
|
if(hdrcbdata->config->show_headers &&
|
||||||
|
- (protocol & (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_RTSP))) {
|
||||||
|
- /* bold headers only happen for HTTP(S) and RTSP */
|
||||||
|
+ (protocol &
|
||||||
|
+ (CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_RTSP|CURLPROTO_FILE))) {
|
||||||
|
+ /* bold headers only for selected protocols */
|
||||||
|
char *value = NULL;
|
||||||
|
|
||||||
|
if(!outs->stream && !tool_create_output_file(outs))
|
||||||
|
diff --git a/tests/data/test1016 b/tests/data/test1016
|
||||||
|
index b404cac..4927f9e 100644
|
||||||
|
--- a/tests/data/test1016
|
||||||
|
+++ b/tests/data/test1016
|
||||||
|
@@ -22,7 +22,7 @@ file
|
||||||
|
<name>
|
||||||
|
X-Y range on a file:// URL to stdout
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
-r 1-4 file://localhost/%PWD/log/test1016.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test1016.txt">
|
||||||
|
diff --git a/tests/data/test1017 b/tests/data/test1017
|
||||||
|
index 6fbc38a..cfdd80f 100644
|
||||||
|
--- a/tests/data/test1017
|
||||||
|
+++ b/tests/data/test1017
|
||||||
|
@@ -23,7 +23,7 @@ file
|
||||||
|
<name>
|
||||||
|
0-Y range on a file:// URL to stdout
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
-r 0-3 file://localhost/%PWD/log/test1017.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test1017.txt">
|
||||||
|
diff --git a/tests/data/test1018 b/tests/data/test1018
|
||||||
|
index 28a7027..5748701 100644
|
||||||
|
--- a/tests/data/test1018
|
||||||
|
+++ b/tests/data/test1018
|
||||||
|
@@ -22,7 +22,7 @@ file
|
||||||
|
<name>
|
||||||
|
X-X range on a file:// URL to stdout
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
-r 4-4 file://localhost/%PWD/log/test1018.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test1018.txt">
|
||||||
|
diff --git a/tests/data/test1019 b/tests/data/test1019
|
||||||
|
index 4d9872a..054e38d 100644
|
||||||
|
--- a/tests/data/test1019
|
||||||
|
+++ b/tests/data/test1019
|
||||||
|
@@ -23,7 +23,7 @@ file
|
||||||
|
<name>
|
||||||
|
X- range on a file:// URL to stdout
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
-r 7- file://localhost/%PWD/log/test1019.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test1019.txt">
|
||||||
|
diff --git a/tests/data/test1020 b/tests/data/test1020
|
||||||
|
index 735871d..e924529 100644
|
||||||
|
--- a/tests/data/test1020
|
||||||
|
+++ b/tests/data/test1020
|
||||||
|
@@ -23,7 +23,7 @@ file
|
||||||
|
<name>
|
||||||
|
-Y range on a file:// URL to stdout
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
-r -9 file://localhost/%PWD/log/test1020.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test1020.txt">
|
||||||
|
diff --git a/tests/data/test1029 b/tests/data/test1029
|
||||||
|
index 2ffc7c6..c77209c 100644
|
||||||
|
--- a/tests/data/test1029
|
||||||
|
+++ b/tests/data/test1029
|
||||||
|
@@ -29,7 +29,7 @@ http
|
||||||
|
<name>
|
||||||
|
HTTP Location: and 'redirect_url' check
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command>
|
||||||
|
http://%HOSTIP:%HTTPPORT/we/want/our/1029 -w '%{redirect_url}\n'
|
||||||
|
</command>
|
||||||
|
</client>
|
||||||
|
diff --git a/tests/data/test1146 b/tests/data/test1146
|
||||||
|
index 43f33b7..636748e 100644
|
||||||
|
--- a/tests/data/test1146
|
||||||
|
+++ b/tests/data/test1146
|
||||||
|
@@ -24,7 +24,7 @@ file
|
||||||
|
<name>
|
||||||
|
--proto-default file
|
||||||
|
</name>
|
||||||
|
-<command>
|
||||||
|
+<command option="no-include">
|
||||||
|
--proto-default file %PWD/log/test1146.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test1146.txt">
|
||||||
|
diff --git a/tests/data/test1220 b/tests/data/test1220
|
||||||
|
index 959abbf..6752eb5 100644
|
||||||
|
--- a/tests/data/test1220
|
||||||
|
+++ b/tests/data/test1220
|
||||||
|
@@ -20,7 +20,7 @@ file
|
||||||
|
<name>
|
||||||
|
file:// URLs with query string
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file://localhost/%PWD/log/test1220.txt?a_query=foobar#afragment
|
||||||
|
</command>
|
||||||
|
<file name="log/test1220.txt">
|
||||||
|
diff --git a/tests/data/test200 b/tests/data/test200
|
||||||
|
index 8be1de0..c27f7c0 100644
|
||||||
|
--- a/tests/data/test200
|
||||||
|
+++ b/tests/data/test200
|
||||||
|
@@ -23,7 +23,7 @@ file
|
||||||
|
<name>
|
||||||
|
basic file:// file
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file://localhost/%PWD/log/test200.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test200.txt">
|
||||||
|
diff --git a/tests/data/test2000 b/tests/data/test2000
|
||||||
|
index d3edb16..db1ba13 100644
|
||||||
|
--- a/tests/data/test2000
|
||||||
|
+++ b/tests/data/test2000
|
||||||
|
@@ -31,7 +31,7 @@ file
|
||||||
|
<name>
|
||||||
|
FTP RETR followed by FILE
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
ftp://%HOSTIP:%FTPPORT/2000 file://localhost/%PWD/log/test2000.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test2000.txt">
|
||||||
|
diff --git a/tests/data/test2001 b/tests/data/test2001
|
||||||
|
index 68c0df7..88a258e 100644
|
||||||
|
--- a/tests/data/test2001
|
||||||
|
+++ b/tests/data/test2001
|
||||||
|
@@ -48,7 +48,7 @@ file
|
||||||
|
<name>
|
||||||
|
HTTP GET followed by FTP RETR followed by FILE
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
http://%HOSTIP:%HTTPPORT/20010001 ftp://%HOSTIP:%FTPPORT/20010002 file://localhost/%PWD/log/test2001.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test2001.txt">
|
||||||
|
@@ -81,17 +81,6 @@ RETR 20010002
|
||||||
|
QUIT
|
||||||
|
</protocol>
|
||||||
|
<stdout>
|
||||||
|
-HTTP/1.1 200 OK
|
||||||
|
-Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
-Server: test-server/fake
|
||||||
|
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||||
|
-ETag: "21025-dc7-39462498"
|
||||||
|
-Accept-Ranges: bytes
|
||||||
|
-Content-Length: 6
|
||||||
|
-Connection: close
|
||||||
|
-Content-Type: text/html
|
||||||
|
-Funny-head: yesyes
|
||||||
|
-
|
||||||
|
-foo-
|
||||||
|
data
|
||||||
|
to
|
||||||
|
diff --git a/tests/data/test2002 b/tests/data/test2002
|
||||||
|
index db96bfe..6dd2f93 100644
|
||||||
|
--- a/tests/data/test2002
|
||||||
|
+++ b/tests/data/test2002
|
||||||
|
@@ -57,7 +57,7 @@ tftp
|
||||||
|
<name>
|
||||||
|
HTTP GET followed by FTP RETR followed by FILE followed by TFTP RRQ
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
http://%HOSTIP:%HTTPPORT/20020001 ftp://%HOSTIP:%FTPPORT/20020002 file://localhost/%PWD/log/test2002.txt tftp://%HOSTIP:%TFTPPORT//20020003
|
||||||
|
</command>
|
||||||
|
<file name="log/test2002.txt">
|
||||||
|
@@ -96,17 +96,6 @@ filename: /20020003
|
||||||
|
QUIT
|
||||||
|
</protocol>
|
||||||
|
<stdout>
|
||||||
|
-HTTP/1.1 200 OK
|
||||||
|
-Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
-Server: test-server/fake
|
||||||
|
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||||
|
-ETag: "21025-dc7-39462498"
|
||||||
|
-Accept-Ranges: bytes
|
||||||
|
-Content-Length: 6
|
||||||
|
-Connection: close
|
||||||
|
-Content-Type: text/html
|
||||||
|
-Funny-head: yesyes
|
||||||
|
-
|
||||||
|
-foo-
|
||||||
|
data
|
||||||
|
to
|
||||||
|
diff --git a/tests/data/test2003 b/tests/data/test2003
|
||||||
|
index 59a743f..09bee8e 100644
|
||||||
|
--- a/tests/data/test2003
|
||||||
|
+++ b/tests/data/test2003
|
||||||
|
@@ -57,8 +57,8 @@ tftp
|
||||||
|
<name>
|
||||||
|
HTTP GET followed by FTP RETR followed by FILE followed by TFTP RRQ then again in reverse order
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
-http://%HOSTIP:%HTTPPORT/20030001 ftp://%HOSTIP:%FTPPORT/20030002 file://localhost/%PWD/log/test2003.txt tftp://%HOSTIP:%TFTPPORT//20030003 tftp://%HOSTIP:%TFTPPORT//20030003 file://localhost/%PWD/log/test2003.txt ftp://%HOSTIP:%FTPPORT/20030002 http://%HOSTIP:%HTTPPORT/20030001
|
||||||
|
+<command option="no-include">
|
||||||
|
+http://%HOSTIP:%HTTPPORT/20030001 ftp://%HOSTIP:%FTPPORT/20030002 file://localhost/%PWD/log/test2003.txt tftp://%HOSTIP:%TFTPPORT//20030003 tftp://%HOSTIP:%TFTPPORT//20030003 file://localhost/%PWD/log/test2003.txt ftp://%HOSTIP:%FTPPORT/20030002 http://%HOSTIP:%HTTPPORT/20030001
|
||||||
|
</command>
|
||||||
|
<file name="log/test2003.txt">
|
||||||
|
foo
|
||||||
|
@@ -109,17 +109,6 @@ Accept: */*
|
||||||
|
QUIT
|
||||||
|
</protocol>
|
||||||
|
<stdout>
|
||||||
|
-HTTP/1.1 200 OK
|
||||||
|
-Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
-Server: test-server/fake
|
||||||
|
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||||
|
-ETag: "21025-dc7-39462498"
|
||||||
|
-Accept-Ranges: bytes
|
||||||
|
-Content-Length: 6
|
||||||
|
-Connection: close
|
||||||
|
-Content-Type: text/html
|
||||||
|
-Funny-head: yesyes
|
||||||
|
-
|
||||||
|
-foo-
|
||||||
|
data
|
||||||
|
to
|
||||||
|
@@ -151,17 +140,6 @@ data
|
||||||
|
that FTP
|
||||||
|
works
|
||||||
|
so does it?
|
||||||
|
-HTTP/1.1 200 OK
|
||||||
|
-Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
-Server: test-server/fake
|
||||||
|
-Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
|
||||||
|
-ETag: "21025-dc7-39462498"
|
||||||
|
-Accept-Ranges: bytes
|
||||||
|
-Content-Length: 6
|
||||||
|
-Connection: close
|
||||||
|
-Content-Type: text/html
|
||||||
|
-Funny-head: yesyes
|
||||||
|
-
|
||||||
|
-foo-
|
||||||
|
</stdout>
|
||||||
|
</verify>
|
||||||
|
diff --git a/tests/data/test2004 b/tests/data/test2004
|
||||||
|
index 4773f69..b17890b 100644
|
||||||
|
--- a/tests/data/test2004
|
||||||
|
+++ b/tests/data/test2004
|
||||||
|
@@ -29,7 +29,7 @@ sftp
|
||||||
|
<name>
|
||||||
|
TFTP RRQ followed by SFTP retrieval followed by FILE followed by SCP retrieval then again in reverse order
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
--key curl_client_key --pubkey curl_client_key.pub -u %USER: tftp://%HOSTIP:%TFTPPORT//2004 sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt file://localhost/%PWD/log/test2004.txt scp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt file://localhost/%PWD/log/test2004.txt sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/test2004.txt tftp://%HOSTIP:%TFTPPORT//2004 --insecure
|
||||||
|
</command>
|
||||||
|
<file name="log/test2004.txt">
|
||||||
|
diff --git a/tests/data/test2006 b/tests/data/test2006
|
||||||
|
index e25556f..3acbdae 100644
|
||||||
|
--- a/tests/data/test2006
|
||||||
|
+++ b/tests/data/test2006
|
||||||
|
@@ -4,6 +4,7 @@
|
||||||
|
Metalink
|
||||||
|
HTTP
|
||||||
|
HTTP GET
|
||||||
|
+FILE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
@@ -85,6 +86,10 @@ Accept: */*
|
||||||
|
Some data delivered from an HTTP resource
|
||||||
|
</file1>
|
||||||
|
<file2 name="log/heads2006">
|
||||||
|
+Content-Length: 496
|
||||||
|
+Accept-ranges: bytes
|
||||||
|
+
|
||||||
|
+
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Date: Thu, 21 Jun 2012 14:49:01 GMT
|
||||||
|
Server: test-server/fake
|
||||||
|
@@ -105,6 +110,9 @@ Metalink: fetching (log/download2006) from (http://%HOSTIP:%HTTPPORT/2006) OK
|
||||||
|
Metalink: validating (log/download2006)...
|
||||||
|
Metalink: validating (log/download2006) [sha-256] OK
|
||||||
|
</file4>
|
||||||
|
+<stripfile2>
|
||||||
|
+s/Last-Modified:.*//
|
||||||
|
+</stripfile2>
|
||||||
|
<stripfile4>
|
||||||
|
$_ = '' if (($_ !~ /^Metalink: /) && ($_ !~ /error/i) && ($_ !~ /warn/i))
|
||||||
|
</stripfile4>
|
||||||
|
diff --git a/tests/data/test2007 b/tests/data/test2007
|
||||||
|
index cc4bd8c..b169c49 100644
|
||||||
|
--- a/tests/data/test2007
|
||||||
|
+++ b/tests/data/test2007
|
||||||
|
@@ -5,6 +5,7 @@ Metalink
|
||||||
|
HTTP
|
||||||
|
HTTP GET
|
||||||
|
-J
|
||||||
|
+FILE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
@@ -85,7 +86,14 @@ Accept: */*
|
||||||
|
<file1 name="log/download2007">
|
||||||
|
Something delivered from an HTTP resource
|
||||||
|
</file1>
|
||||||
|
+<stripfile2>
|
||||||
|
+s/Last-Modified:.*//
|
||||||
|
+</stripfile2>
|
||||||
|
<file2 name="log/heads2007">
|
||||||
|
+Content-Length: 496
|
||||||
|
+Accept-ranges: bytes
|
||||||
|
+
|
||||||
|
+
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Date: Thu, 21 Jun 2012 14:50:02 GMT
|
||||||
|
Server: test-server/fake
|
||||||
|
diff --git a/tests/data/test2008 b/tests/data/test2008
|
||||||
|
index 5843792..012f221 100644
|
||||||
|
--- a/tests/data/test2008
|
||||||
|
+++ b/tests/data/test2008
|
||||||
|
@@ -4,6 +4,7 @@
|
||||||
|
Metalink
|
||||||
|
HTTP
|
||||||
|
HTTP GET
|
||||||
|
+FILE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
@@ -77,7 +78,14 @@ Accept: */*
|
||||||
|
<file1 name="log/download2008">
|
||||||
|
Some stuff delivered from an HTTP resource
|
||||||
|
</file1>
|
||||||
|
+<stripfile2>
|
||||||
|
+s/Last-Modified:.*//
|
||||||
|
+</stripfile2>
|
||||||
|
<file2 name="log/heads2008">
|
||||||
|
+Content-Length: 496
|
||||||
|
+Accept-ranges: bytes
|
||||||
|
+
|
||||||
|
+
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Date: Thu, 21 Jun 2012 15:23:48 GMT
|
||||||
|
Server: test-server/fake
|
||||||
|
diff --git a/tests/data/test2009 b/tests/data/test2009
|
||||||
|
index 84482ce..b0e5c6c 100644
|
||||||
|
--- a/tests/data/test2009
|
||||||
|
+++ b/tests/data/test2009
|
||||||
|
@@ -5,6 +5,7 @@ Metalink
|
||||||
|
HTTP
|
||||||
|
HTTP GET
|
||||||
|
-J
|
||||||
|
+FILE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
@@ -78,7 +79,14 @@ Accept: */*
|
||||||
|
<file1 name="log/download2009">
|
||||||
|
Some contents delivered from an HTTP resource
|
||||||
|
</file1>
|
||||||
|
+<stripfile2>
|
||||||
|
+s/Last-Modified:.*//
|
||||||
|
+</stripfile2>
|
||||||
|
<file2 name="log/heads2009">
|
||||||
|
+Content-Length: 496
|
||||||
|
+Accept-ranges: bytes
|
||||||
|
+
|
||||||
|
+
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Date: Thu, 21 Jun 2012 16:27:17 GMT
|
||||||
|
Server: test-server/fake
|
||||||
|
diff --git a/tests/data/test2010 b/tests/data/test2010
|
||||||
|
index 91a83f4..33bb309 100644
|
||||||
|
--- a/tests/data/test2010
|
||||||
|
+++ b/tests/data/test2010
|
||||||
|
@@ -4,6 +4,7 @@
|
||||||
|
Metalink
|
||||||
|
HTTP
|
||||||
|
HTTP GET
|
||||||
|
+FILE
|
||||||
|
</keywords>
|
||||||
|
</info>
|
||||||
|
|
||||||
|
@@ -77,7 +78,14 @@ Accept: */*
|
||||||
|
<file1 name="log/download2010">
|
||||||
|
Contents delivered from an HTTP resource
|
||||||
|
</file1>
|
||||||
|
+<stripfile2>
|
||||||
|
+s/Last-Modified:.*//
|
||||||
|
+</stripfile2>
|
||||||
|
<file2 name="log/heads2010">
|
||||||
|
+Content-Length: 496
|
||||||
|
+Accept-ranges: bytes
|
||||||
|
+
|
||||||
|
+
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Date: Thu, 21 Jun 2012 17:37:27 GMT
|
||||||
|
Server: test-server/fake
|
||||||
|
diff --git a/tests/data/test202 b/tests/data/test202
|
||||||
|
index f863ec5..0b324b1 100644
|
||||||
|
--- a/tests/data/test202
|
||||||
|
+++ b/tests/data/test202
|
||||||
|
@@ -19,7 +19,7 @@ file
|
||||||
|
<name>
|
||||||
|
two file:// URLs to stdout
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file://localhost/%PWD/log/test202.txt FILE://localhost/%PWD/log/test202.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test202.txt">
|
||||||
|
diff --git a/tests/data/test203 b/tests/data/test203
|
||||||
|
index 366cc2c..3938426 100644
|
||||||
|
--- a/tests/data/test203
|
||||||
|
+++ b/tests/data/test203
|
||||||
|
@@ -24,7 +24,7 @@ file
|
||||||
|
<name>
|
||||||
|
file:/path URL with a single slash
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file:%PWD/log/test203.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test203.txt">
|
||||||
|
diff --git a/tests/data/test204 b/tests/data/test204
|
||||||
|
index 9cc7b01..0ed9451 100644
|
||||||
|
--- a/tests/data/test204
|
||||||
|
+++ b/tests/data/test204
|
||||||
|
@@ -15,7 +15,7 @@ file
|
||||||
|
<name>
|
||||||
|
"upload" with file://
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file://localhost/%PWD/log/result204.txt -T log/upload204.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/upload204.txt">
|
||||||
|
diff --git a/tests/data/test205 b/tests/data/test205
|
||||||
|
index 4af93f6..f83c531 100644
|
||||||
|
--- a/tests/data/test205
|
||||||
|
+++ b/tests/data/test205
|
||||||
|
@@ -16,7 +16,7 @@ file
|
||||||
|
<name>
|
||||||
|
"upload" with file://
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file://localhost/%PWD/log/nonexisting/result205.txt -T log/upload205.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/upload205.txt">
|
||||||
|
diff --git a/tests/data/test2070 b/tests/data/test2070
|
||||||
|
index bc3898a..655cd8a 100644
|
||||||
|
--- a/tests/data/test2070
|
||||||
|
+++ b/tests/data/test2070
|
||||||
|
@@ -23,7 +23,7 @@ file
|
||||||
|
<name>
|
||||||
|
basic file:// file with no authority
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file:%PWD/log/test2070.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test2070.txt">
|
||||||
|
diff --git a/tests/data/test2071 b/tests/data/test2071
|
||||||
|
index 997dfff..eddfa4d 100644
|
||||||
|
--- a/tests/data/test2071
|
||||||
|
+++ b/tests/data/test2071
|
||||||
|
@@ -23,7 +23,7 @@ file
|
||||||
|
<name>
|
||||||
|
basic file:// file with "127.0.0.1" hostname
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file://127.0.0.1/%PWD/log/test2070.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test2070.txt">
|
||||||
|
diff --git a/tests/data/test2072 b/tests/data/test2072
|
||||||
|
index cd26f22..1bab158 100644
|
||||||
|
--- a/tests/data/test2072
|
||||||
|
+++ b/tests/data/test2072
|
||||||
|
@@ -23,7 +23,7 @@ file
|
||||||
|
<name>
|
||||||
|
file:// with unix path resolution behavior for the case of extra slashes
|
||||||
|
</name>
|
||||||
|
-<command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file:////%PWD/log/test2072.txt
|
||||||
|
</command>
|
||||||
|
<precheck>
|
||||||
|
diff --git a/tests/data/test210 b/tests/data/test210
|
||||||
|
index e904567..c6fb703 100644
|
||||||
|
--- a/tests/data/test210
|
||||||
|
+++ b/tests/data/test210
|
||||||
|
@@ -22,7 +22,7 @@ ftp
|
||||||
|
<name>
|
||||||
|
Get two FTP files from the same remote dir: no second CWD
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
ftp://%HOSTIP:%FTPPORT/a/path/210 ftp://%HOSTIP:%FTPPORT/a/path/210
|
||||||
|
</command>
|
||||||
|
<stdout>
|
||||||
|
diff --git a/tests/data/test231 b/tests/data/test231
|
||||||
|
index 6994957..3d4bc77 100644
|
||||||
|
--- a/tests/data/test231
|
||||||
|
+++ b/tests/data/test231
|
||||||
|
@@ -22,7 +22,7 @@ file
|
||||||
|
<name>
|
||||||
|
file:// with resume
|
||||||
|
</name>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file://localhost/%PWD/log/test231.txt -C 10
|
||||||
|
</command>
|
||||||
|
<file name="log/test231.txt">
|
||||||
|
diff --git a/tests/data/test288 b/tests/data/test288
|
||||||
|
index ff4db6a..9f8f6e1 100644
|
||||||
|
--- a/tests/data/test288
|
||||||
|
+++ b/tests/data/test288
|
||||||
|
@@ -30,7 +30,7 @@ file:// with (unsupported) proxy, authentication and range
|
||||||
|
<setenv>
|
||||||
|
all_proxy=http://fake:user@%HOSTIP:%HTTPPORT/
|
||||||
|
</setenv>
|
||||||
|
- <command>
|
||||||
|
+<command option="no-include">
|
||||||
|
file://localhost/%PWD/log/test288.txt
|
||||||
|
</command>
|
||||||
|
<file name="log/test288.txt">
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
@ -1,136 +0,0 @@
|
|||||||
From 1d66562c67fc0099d0fd882c693e51dd0b10c45c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jay Satiro <raysatiro@yahoo.com>
|
|
||||||
Date: Sat, 30 Sep 2023 03:40:02 -0400
|
|
||||||
Subject: [PATCH] socks: return error if hostname too long for remote resolve
|
|
||||||
|
|
||||||
Prior to this change the state machine attempted to change the remote
|
|
||||||
resolve to a local resolve if the hostname was longer than 255
|
|
||||||
characters. Unfortunately that did not work as intended and caused a
|
|
||||||
security issue.
|
|
||||||
|
|
||||||
Name resolvers cannot resolve hostnames longer than 255 characters.
|
|
||||||
|
|
||||||
Bug: https://curl.se/docs/CVE-2023-38545.html
|
|
||||||
---
|
|
||||||
lib/socks.c | 8 +++---
|
|
||||||
tests/data/Makefile.inc | 2 +-
|
|
||||||
tests/data/test728 | 64 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 69 insertions(+), 5 deletions(-)
|
|
||||||
create mode 100644 tests/data/test728
|
|
||||||
|
|
||||||
diff --git a/lib/socks.c b/lib/socks.c
|
|
||||||
index c492d663c..a7b5ab07e 100644
|
|
||||||
--- a/lib/socks.c
|
|
||||||
+++ b/lib/socks.c
|
|
||||||
@@ -531,13 +531,13 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
|
|
||||||
infof(data, "SOCKS5: connecting to HTTP proxy %s port %d\n",
|
|
||||||
hostname, remote_port);
|
|
||||||
|
|
||||||
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
|
|
||||||
if(!socks5_resolve_local && hostname_len > 255) {
|
|
||||||
- infof(data, "SOCKS5: server resolving disabled for hostnames of "
|
|
||||||
- "length > 255 [actual len=%zu]\n", hostname_len);
|
|
||||||
- socks5_resolve_local = TRUE;
|
|
||||||
+ failf(data, "SOCKS5: the destination hostname is too long to be "
|
|
||||||
+ "resolved remotely by the proxy.");
|
|
||||||
+ return CURLPX_LONG_HOSTNAME;
|
|
||||||
}
|
|
||||||
|
|
||||||
if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
|
|
||||||
infof(data,
|
|
||||||
"warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu\n",
|
|
||||||
@@ -855,7 +855,7 @@ CONNECT_RESOLVE_REMOTE:
|
|
||||||
|
|
||||||
if(!socks5_resolve_local) {
|
|
||||||
socksreq[len++] = 3; /* ATYP: domain name = 3 */
|
|
||||||
- socksreq[len++] = (char) hostname_len; /* one byte address length */
|
|
||||||
+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
|
|
||||||
memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */
|
|
||||||
len += hostname_len;
|
|
||||||
infof(data, "SOCKS5 connect to %s:%d (remotely resolved)\n",
|
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
||||||
index 081e344d4..62ee53578 100644
|
|
||||||
--- a/tests/data/Makefile.inc
|
|
||||||
+++ b/tests/data/Makefile.inc
|
|
||||||
@@ -99,7 +99,7 @@ test672 test673 test674 test675 test676 test677 test678 test679 test680 \
|
|
||||||
\
|
|
||||||
test700 test701 test702 test703 test704 test705 test706 test707 test708 \
|
|
||||||
test709 test710 test711 test712 test713 test714 test715 test716 test717 \
|
|
||||||
-test718 \
|
|
||||||
+test718 test728 \
|
|
||||||
\
|
|
||||||
test800 test801 test802 test803 test804 test805 test806 test807 test808 \
|
|
||||||
test809 test810 test811 test812 test813 test814 test815 test816 test817 \
|
|
||||||
diff --git a/tests/data/test728 b/tests/data/test728
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..05bcf2883
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/data/test728
|
|
||||||
@@ -0,0 +1,64 @@
|
|
||||||
+<testcase>
|
|
||||||
+<info>
|
|
||||||
+<keywords>
|
|
||||||
+HTTP
|
|
||||||
+HTTP GET
|
|
||||||
+SOCKS5
|
|
||||||
+SOCKS5h
|
|
||||||
+followlocation
|
|
||||||
+</keywords>
|
|
||||||
+</info>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Server-side
|
|
||||||
+<reply>
|
|
||||||
+# The hostname in this redirect is 256 characters and too long (> 255) for
|
|
||||||
+# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
|
|
||||||
+<data>
|
|
||||||
+HTTP/1.1 301 Moved Permanently
|
|
||||||
+Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
|
|
||||||
+Content-Length: 0
|
|
||||||
+Connection: close
|
|
||||||
+
|
|
||||||
+</data>
|
|
||||||
+</reply>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Client-side
|
|
||||||
+<client>
|
|
||||||
+<features>
|
|
||||||
+proxy
|
|
||||||
+</features>
|
|
||||||
+<server>
|
|
||||||
+http
|
|
||||||
+socks5
|
|
||||||
+</server>
|
|
||||||
+ <name>
|
|
||||||
+SOCKS5h with HTTP redirect to hostname too long
|
|
||||||
+ </name>
|
|
||||||
+ <command>
|
|
||||||
+--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER
|
|
||||||
+</command>
|
|
||||||
+</client>
|
|
||||||
+
|
|
||||||
+#
|
|
||||||
+# Verify data after the test has been "shot"
|
|
||||||
+<verify>
|
|
||||||
+<protocol crlf="yes">
|
|
||||||
+GET /%TESTNUMBER HTTP/1.1
|
|
||||||
+Host: %HOSTIP:%HTTPPORT
|
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
|
||||||
+
|
|
||||||
+</protocol>
|
|
||||||
+<errorcode>
|
|
||||||
+97
|
|
||||||
+</errorcode>
|
|
||||||
+# the error message is verified because error code CURLE_PROXY (97) may be
|
|
||||||
+# returned for any number of reasons and we need to make sure it is
|
|
||||||
+# specifically for the reason below so that we know the check is working.
|
|
||||||
+<stderr mode="text">
|
|
||||||
+curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy.
|
|
||||||
+</stderr>
|
|
||||||
+</verify>
|
|
||||||
+</testcase>
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
662
SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch
Normal file
662
SOURCES/0031-curl-7.61.1-CVE-2021-22924.patch
Normal file
@ -0,0 +1,662 @@
|
|||||||
|
From 74ba80e293eb2521d28916b24c3be59b3baf688a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 18 Feb 2021 10:13:56 +0100
|
||||||
|
Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names
|
||||||
|
|
||||||
|
It doesn't provide any useful info but only makes the names longer.
|
||||||
|
|
||||||
|
Closes #6624
|
||||||
|
|
||||||
|
Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/setopt.c | 32 ++++++++++++++++----------------
|
||||||
|
lib/url.c | 32 ++++++++++++++++----------------
|
||||||
|
lib/urldata.h | 28 ++++++++++++++--------------
|
||||||
|
lib/vtls/cyassl.c | 2 +-
|
||||||
|
lib/vtls/darwinssl.c | 4 ++--
|
||||||
|
lib/vtls/gskit.c | 2 +-
|
||||||
|
lib/vtls/gtls.c | 2 +-
|
||||||
|
lib/vtls/mbedtls.c | 2 +-
|
||||||
|
lib/vtls/nss.c | 2 +-
|
||||||
|
lib/vtls/openssl.c | 2 +-
|
||||||
|
lib/vtls/polarssl.c | 2 +-
|
||||||
|
lib/vtls/schannel.c | 2 +-
|
||||||
|
12 files changed, 56 insertions(+), 56 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
|
index 4f04962..b07ccfe 100644
|
||||||
|
--- a/lib/setopt.c
|
||||||
|
+++ b/lib/setopt.c
|
||||||
|
@@ -133,7 +133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
break;
|
||||||
|
case CURLOPT_SSL_CIPHER_LIST:
|
||||||
|
/* set a list of cipher we want to use in the SSL connection */
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_SSL_CIPHER_LIST:
|
||||||
|
@@ -145,7 +145,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
case CURLOPT_TLS13_CIPHERS:
|
||||||
|
if(Curl_ssl_tls13_ciphersuites()) {
|
||||||
|
/* set preferred list of TLS 1.3 cipher suites */
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST],
|
||||||
|
va_arg(param, char *));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
@@ -1532,7 +1532,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
/*
|
||||||
|
* String that holds file name of the SSL certificate to use
|
||||||
|
*/
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_CERT],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_SSLCERT:
|
||||||
|
@@ -1546,7 +1546,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
/*
|
||||||
|
* String that holds file type of the SSL certificate to use
|
||||||
|
*/
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_SSLCERTTYPE:
|
||||||
|
@@ -1560,7 +1560,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
/*
|
||||||
|
* String that holds file name of the SSL key to use
|
||||||
|
*/
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_KEY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_SSLKEY:
|
||||||
|
@@ -1574,7 +1574,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
/*
|
||||||
|
* String that holds file type of the SSL key to use
|
||||||
|
*/
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_SSLKEYTYPE:
|
||||||
|
@@ -1588,7 +1588,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
/*
|
||||||
|
* String that holds the SSL or SSH private key password.
|
||||||
|
*/
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_KEYPASSWD:
|
||||||
|
@@ -1815,7 +1815,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
*/
|
||||||
|
#ifdef USE_SSL
|
||||||
|
if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY)
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
else
|
||||||
|
#endif
|
||||||
|
@@ -1838,7 +1838,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
/*
|
||||||
|
* Set CA info for SSL connection. Specify file name of the CA certificate
|
||||||
|
*/
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_CAINFO:
|
||||||
|
@@ -1857,7 +1857,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
#ifdef USE_SSL
|
||||||
|
if(Curl_ssl->supports & SSLSUPP_CA_PATH)
|
||||||
|
/* This does not work on windows. */
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH],
|
||||||
|
va_arg(param, char *));
|
||||||
|
else
|
||||||
|
#endif
|
||||||
|
@@ -1882,7 +1882,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
* Set CRL file info for SSL connection. Specify file name of the CRL
|
||||||
|
* to check certificates revocation
|
||||||
|
*/
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_CRLFILE:
|
||||||
|
@@ -1898,7 +1898,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
* Set Issuer certificate file
|
||||||
|
* to check certificates issuer
|
||||||
|
*/
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
case CURLOPT_TELNETOPTIONS:
|
||||||
|
@@ -2449,9 +2449,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
break;
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
case CURLOPT_TLSAUTH_USERNAME:
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
|
||||||
|
va_arg(param, char *));
|
||||||
|
- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
|
||||||
|
+ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
||||||
|
@@ -2462,9 +2462,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
case CURLOPT_TLSAUTH_PASSWORD:
|
||||||
|
- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
|
||||||
|
+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
||||||
|
va_arg(param, char *));
|
||||||
|
- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
|
||||||
|
+ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index bb9d107..a6bc012 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -496,7 +496,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||||
|
*/
|
||||||
|
if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
|
||||||
|
#if defined(CURL_CA_BUNDLE)
|
||||||
|
- result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
|
||||||
|
+ result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
|
||||||
|
@@ -506,7 +506,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||||
|
return result;
|
||||||
|
#endif
|
||||||
|
#if defined(CURL_CA_PATH)
|
||||||
|
- result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH);
|
||||||
|
+ result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
|
||||||
|
@@ -4333,9 +4333,9 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
that will be freed as part of the Curl_easy struct, but all cloned
|
||||||
|
copies will be separately allocated.
|
||||||
|
*/
|
||||||
|
- data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];
|
||||||
|
+ data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
|
||||||
|
data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
|
||||||
|
- data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
|
||||||
|
+ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
|
||||||
|
data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
|
||||||
|
data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
||||||
|
data->set.proxy_ssl.primary.random_file =
|
||||||
|
@@ -4343,34 +4343,34 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
||||||
|
data->set.proxy_ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
|
||||||
|
data->set.ssl.primary.cipher_list =
|
||||||
|
- data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_CIPHER_LIST];
|
||||||
|
data->set.proxy_ssl.primary.cipher_list =
|
||||||
|
data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
|
||||||
|
data->set.ssl.primary.cipher_list13 =
|
||||||
|
- data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_CIPHER13_LIST];
|
||||||
|
data->set.proxy_ssl.primary.cipher_list13 =
|
||||||
|
data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
|
||||||
|
|
||||||
|
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
|
||||||
|
+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
|
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
|
- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
|
||||||
|
+ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
||||||
|
data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||||
|
- data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
|
||||||
|
+ data->set.ssl.cert = data->set.str[STRING_CERT];
|
||||||
|
data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
|
||||||
|
- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
|
||||||
|
+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||||||
|
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
||||||
|
- data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
|
||||||
|
+ data->set.ssl.key = data->set.str[STRING_KEY];
|
||||||
|
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
||||||
|
- data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
|
||||||
|
+ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
|
||||||
|
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
|
||||||
|
- data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG];
|
||||||
|
+ data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
|
||||||
|
data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
|
||||||
|
- data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
|
||||||
|
+ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
|
||||||
|
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
|
||||||
|
+ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||||
|
data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||||||
|
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
|
||||||
|
+ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||||
|
data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index c70290a..1f8f364 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -1366,9 +1366,9 @@ struct DynamicStatic {
|
||||||
|
struct Curl_multi; /* declared and used only in multi.c */
|
||||||
|
|
||||||
|
enum dupstring {
|
||||||
|
- STRING_CERT_ORIG, /* client certificate file name */
|
||||||
|
+ STRING_CERT, /* client certificate file name */
|
||||||
|
STRING_CERT_PROXY, /* client certificate file name */
|
||||||
|
- STRING_CERT_TYPE_ORIG, /* format for certificate (default: PEM)*/
|
||||||
|
+ STRING_CERT_TYPE, /* format for certificate (default: PEM)*/
|
||||||
|
STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/
|
||||||
|
STRING_COOKIE, /* HTTP cookie string to send */
|
||||||
|
STRING_COOKIEJAR, /* dump all cookies to this file */
|
||||||
|
@@ -1379,11 +1379,11 @@ enum dupstring {
|
||||||
|
STRING_FTP_ACCOUNT, /* ftp account data */
|
||||||
|
STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */
|
||||||
|
STRING_FTPPORT, /* port to send with the FTP PORT command */
|
||||||
|
- STRING_KEY_ORIG, /* private key file name */
|
||||||
|
+ STRING_KEY, /* private key file name */
|
||||||
|
STRING_KEY_PROXY, /* private key file name */
|
||||||
|
- STRING_KEY_PASSWD_ORIG, /* plain text private key password */
|
||||||
|
+ STRING_KEY_PASSWD, /* plain text private key password */
|
||||||
|
STRING_KEY_PASSWD_PROXY, /* plain text private key password */
|
||||||
|
- STRING_KEY_TYPE_ORIG, /* format for private key (default: PEM) */
|
||||||
|
+ STRING_KEY_TYPE, /* format for private key (default: PEM) */
|
||||||
|
STRING_KEY_TYPE_PROXY, /* format for private key (default: PEM) */
|
||||||
|
STRING_KRB_LEVEL, /* krb security level */
|
||||||
|
STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
|
||||||
|
@@ -1393,22 +1393,22 @@ enum dupstring {
|
||||||
|
STRING_SET_RANGE, /* range, if used */
|
||||||
|
STRING_SET_REFERER, /* custom string for the HTTP referer field */
|
||||||
|
STRING_SET_URL, /* what original URL to work on */
|
||||||
|
- STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */
|
||||||
|
+ STRING_SSL_CAPATH, /* CA directory name (doesn't work on windows) */
|
||||||
|
STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */
|
||||||
|
- STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */
|
||||||
|
+ STRING_SSL_CAFILE, /* certificate file to verify peer against */
|
||||||
|
STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */
|
||||||
|
- STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */
|
||||||
|
+ STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */
|
||||||
|
STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
|
||||||
|
- STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
|
||||||
|
+ STRING_SSL_CIPHER_LIST, /* list of ciphers to use */
|
||||||
|
STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
|
||||||
|
- STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
|
||||||
|
+ STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */
|
||||||
|
STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
|
||||||
|
STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
|
||||||
|
STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
|
||||||
|
STRING_USERAGENT, /* User-Agent string */
|
||||||
|
- STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */
|
||||||
|
+ STRING_SSL_CRLFILE, /* crl file to check certificate */
|
||||||
|
STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */
|
||||||
|
- STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */
|
||||||
|
+ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
|
||||||
|
STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */
|
||||||
|
STRING_SSL_ENGINE, /* name of ssl engine */
|
||||||
|
STRING_USERNAME, /* <username>, if used */
|
||||||
|
@@ -1433,9 +1433,9 @@ enum dupstring {
|
||||||
|
STRING_MAIL_AUTH,
|
||||||
|
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
- STRING_TLSAUTH_USERNAME_ORIG, /* TLS auth <username> */
|
||||||
|
+ STRING_TLSAUTH_USERNAME, /* TLS auth <username> */
|
||||||
|
STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth <username> */
|
||||||
|
- STRING_TLSAUTH_PASSWORD_ORIG, /* TLS auth <password> */
|
||||||
|
+ STRING_TLSAUTH_PASSWORD, /* TLS auth <password> */
|
||||||
|
STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth <password> */
|
||||||
|
#endif
|
||||||
|
STRING_BEARER, /* <bearer>, if used */
|
||||||
|
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
|
||||||
|
index e10398a..ffd116d 100644
|
||||||
|
--- a/lib/vtls/cyassl.c
|
||||||
|
+++ b/lib/vtls/cyassl.c
|
||||||
|
@@ -474,7 +474,7 @@ cyassl_connect_step2(struct connectdata *conn,
|
||||||
|
conn->http_proxy.host.dispname : conn->host.dispname;
|
||||||
|
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||||||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||||
|
|
||||||
|
conn->recv[sockindex] = cyassl_recv;
|
||||||
|
conn->send[sockindex] = cyassl_send;
|
||||||
|
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
|
||||||
|
index 1aea0dc..572e8bf 100644
|
||||||
|
--- a/lib/vtls/darwinssl.c
|
||||||
|
+++ b/lib/vtls/darwinssl.c
|
||||||
|
@@ -2449,9 +2449,9 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
|
||||||
|
connssl->connecting_state = ssl_connect_3;
|
||||||
|
|
||||||
|
#ifdef DARWIN_SSL_PINNEDPUBKEY
|
||||||
|
- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) {
|
||||||
|
+ if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
|
||||||
|
CURLcode result = pkp_pin_peer_pubkey(data, BACKEND->ssl_ctx,
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]);
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
|
||||||
|
if(result) {
|
||||||
|
failf(data, "SSL: public key does not match pinned public key!");
|
||||||
|
return result;
|
||||||
|
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
|
||||||
|
index a0b4960..b4c7b8a 100644
|
||||||
|
--- a/lib/vtls/gskit.c
|
||||||
|
+++ b/lib/vtls/gskit.c
|
||||||
|
@@ -1136,7 +1136,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
|
||||||
|
|
||||||
|
/* Check pinned public key. */
|
||||||
|
ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||||
|
if(!result && ptr) {
|
||||||
|
curl_X509certificate x509;
|
||||||
|
curl_asn1Element *p;
|
||||||
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||||
|
index 207b0fd..c5eb948 100644
|
||||||
|
--- a/lib/vtls/gtls.c
|
||||||
|
+++ b/lib/vtls/gtls.c
|
||||||
|
@@ -1329,7 +1329,7 @@ gtls_connect_step3(struct connectdata *conn,
|
||||||
|
}
|
||||||
|
|
||||||
|
ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||||
|
if(ptr) {
|
||||||
|
result = pkp_pin_peer_pubkey(data, x509_cert, ptr);
|
||||||
|
if(result != CURLE_OK) {
|
||||||
|
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
|
||||||
|
index d7759dc..48010ae 100644
|
||||||
|
--- a/lib/vtls/mbedtls.c
|
||||||
|
+++ b/lib/vtls/mbedtls.c
|
||||||
|
@@ -540,7 +540,7 @@ mbed_connect_step2(struct connectdata *conn,
|
||||||
|
const mbedtls_x509_crt *peercert;
|
||||||
|
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||||||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||||
|
|
||||||
|
#ifdef HAS_ALPN
|
||||||
|
const char *next_protocol;
|
||||||
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||||
|
index 89f8183..366bf9e 100644
|
||||||
|
--- a/lib/vtls/nss.c
|
||||||
|
+++ b/lib/vtls/nss.c
|
||||||
|
@@ -2067,7 +2067,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||||||
|
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||||
|
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||||||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||||
|
|
||||||
|
|
||||||
|
/* check timeout situation */
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 35cd652..8c97c1d 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -3388,7 +3388,7 @@ static CURLcode servercert(struct connectdata *conn,
|
||||||
|
result = CURLE_OK;
|
||||||
|
|
||||||
|
ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||||
|
if(!result && ptr) {
|
||||||
|
result = pkp_pin_peer_pubkey(data, BACKEND->server_cert, ptr);
|
||||||
|
if(result)
|
||||||
|
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
|
||||||
|
index 604cb4c..f284ad1 100644
|
||||||
|
--- a/lib/vtls/polarssl.c
|
||||||
|
+++ b/lib/vtls/polarssl.c
|
||||||
|
@@ -459,7 +459,7 @@ polarssl_connect_step2(struct connectdata *conn,
|
||||||
|
char buffer[1024];
|
||||||
|
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||||||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||||
|
|
||||||
|
|
||||||
|
char errorbuf[128];
|
||||||
|
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
|
||||||
|
index 8f6c301..95c060b 100644
|
||||||
|
--- a/lib/vtls/schannel.c
|
||||||
|
+++ b/lib/vtls/schannel.c
|
||||||
|
@@ -1060,7 +1060,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
|
||||||
|
|
||||||
|
pubkey_ptr = SSL_IS_PROXY() ?
|
||||||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||||
|
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
|
||||||
|
if(pubkey_ptr) {
|
||||||
|
result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
|
||||||
|
if(result) {
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
||||||
|
|
||||||
|
From 040fa4f60f9b809972d51184dfa4980ba44d8b6b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Sat, 19 Jun 2021 00:42:28 +0200
|
||||||
|
Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and
|
||||||
|
case sensitivity
|
||||||
|
|
||||||
|
CVE-2021-22924
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2021-22924.html
|
||||||
|
|
||||||
|
Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 5 +++--
|
||||||
|
lib/urldata.h | 2 +-
|
||||||
|
lib/vtls/gtls.c | 10 +++++-----
|
||||||
|
lib/vtls/nss.c | 4 ++--
|
||||||
|
lib/vtls/openssl.c | 12 ++++++------
|
||||||
|
lib/vtls/vtls.c | 21 ++++++++++++++++-----
|
||||||
|
6 files changed, 33 insertions(+), 21 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index a6bc012..4803653 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -4337,6 +4337,9 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
|
||||||
|
data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
|
||||||
|
data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
|
||||||
|
+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
||||||
|
+ data->set.proxy_ssl.primary.issuercert =
|
||||||
|
+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||||
|
data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
|
||||||
|
data->set.proxy_ssl.primary.random_file =
|
||||||
|
data->set.str[STRING_SSL_RANDOM_FILE];
|
||||||
|
@@ -4353,8 +4356,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
|
||||||
|
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
|
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
|
- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
|
||||||
|
- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||||
|
data->set.ssl.cert = data->set.str[STRING_CERT];
|
||||||
|
data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
|
||||||
|
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 1f8f364..72a36fb 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -223,6 +223,7 @@ struct ssl_primary_config {
|
||||||
|
bool sessionid; /* cache session IDs or not */
|
||||||
|
char *CApath; /* certificate dir (doesn't work on windows) */
|
||||||
|
char *CAfile; /* certificate to verify peer against */
|
||||||
|
+ char *issuercert; /* optional issuer certificate filename */
|
||||||
|
char *clientcert;
|
||||||
|
char *random_file; /* path to file containing "random" data */
|
||||||
|
char *egdsocket; /* path to file containing the EGD daemon socket */
|
||||||
|
@@ -238,7 +239,6 @@ struct ssl_config_data {
|
||||||
|
bool no_partialchain; /* don't accept partial certificate chains */
|
||||||
|
long certverifyresult; /* result from the certificate verification */
|
||||||
|
char *CRLfile; /* CRL to check certificate revocation */
|
||||||
|
- char *issuercert;/* optional issuer certificate filename */
|
||||||
|
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
||||||
|
void *fsslctxp; /* parameter for call back */
|
||||||
|
bool certinfo; /* gather lots of certificate info */
|
||||||
|
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
|
||||||
|
index c5eb948..0cb59c8 100644
|
||||||
|
--- a/lib/vtls/gtls.c
|
||||||
|
+++ b/lib/vtls/gtls.c
|
||||||
|
@@ -1002,7 +1002,7 @@ gtls_connect_step3(struct connectdata *conn,
|
||||||
|
if(!chainp) {
|
||||||
|
if(SSL_CONN_CONFIG(verifypeer) ||
|
||||||
|
SSL_CONN_CONFIG(verifyhost) ||
|
||||||
|
- SSL_SET_OPTION(issuercert)) {
|
||||||
|
+ SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||||
|
&& SSL_SET_OPTION(username) != NULL
|
||||||
|
@@ -1184,21 +1184,21 @@ gtls_connect_step3(struct connectdata *conn,
|
||||||
|
gnutls_x509_crt_t format */
|
||||||
|
gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
|
||||||
|
|
||||||
|
- if(SSL_SET_OPTION(issuercert)) {
|
||||||
|
+ if(SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
gnutls_x509_crt_init(&x509_issuer);
|
||||||
|
- issuerp = load_file(SSL_SET_OPTION(issuercert));
|
||||||
|
+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
|
||||||
|
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
|
||||||
|
rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
|
||||||
|
gnutls_x509_crt_deinit(x509_issuer);
|
||||||
|
unload_file(issuerp);
|
||||||
|
if(rc <= 0) {
|
||||||
|
failf(data, "server certificate issuer check failed (IssuerCert: %s)",
|
||||||
|
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
||||||
|
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
||||||
|
gnutls_x509_crt_deinit(x509_cert);
|
||||||
|
return CURLE_SSL_ISSUER_ERROR;
|
||||||
|
}
|
||||||
|
infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
|
||||||
|
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
|
||||||
|
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
|
||||||
|
}
|
||||||
|
|
||||||
|
size = sizeof(certbuf);
|
||||||
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||||||
|
index 366bf9e..2d9581d 100644
|
||||||
|
--- a/lib/vtls/nss.c
|
||||||
|
+++ b/lib/vtls/nss.c
|
||||||
|
@@ -2095,9 +2095,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||||||
|
if(result)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
- if(SSL_SET_OPTION(issuercert)) {
|
||||||
|
+ if(SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
SECStatus ret = SECFailure;
|
||||||
|
- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
|
||||||
|
+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
|
||||||
|
if(nickname) {
|
||||||
|
/* we support only nicknames in case of issuercert for now */
|
||||||
|
ret = check_issuer_cert(BACKEND->handle, nickname);
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 8c97c1d..28eaa6d 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -3311,11 +3311,11 @@ static CURLcode servercert(struct connectdata *conn,
|
||||||
|
deallocating the certificate. */
|
||||||
|
|
||||||
|
/* e.g. match issuer name with provided issuer certificate */
|
||||||
|
- if(SSL_SET_OPTION(issuercert)) {
|
||||||
|
- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
|
||||||
|
+ if(SSL_CONN_CONFIG(issuercert)) {
|
||||||
|
+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
|
||||||
|
if(strict)
|
||||||
|
failf(data, "SSL: Unable to open issuer cert (%s)",
|
||||||
|
- SSL_SET_OPTION(issuercert));
|
||||||
|
+ SSL_CONN_CONFIG(issuercert));
|
||||||
|
BIO_free(fp);
|
||||||
|
X509_free(BACKEND->server_cert);
|
||||||
|
BACKEND->server_cert = NULL;
|
||||||
|
@@ -3326,7 +3326,7 @@ static CURLcode servercert(struct connectdata *conn,
|
||||||
|
if(!issuer) {
|
||||||
|
if(strict)
|
||||||
|
failf(data, "SSL: Unable to read issuer cert (%s)",
|
||||||
|
- SSL_SET_OPTION(issuercert));
|
||||||
|
+ SSL_CONN_CONFIG(issuercert));
|
||||||
|
BIO_free(fp);
|
||||||
|
X509_free(issuer);
|
||||||
|
X509_free(BACKEND->server_cert);
|
||||||
|
@@ -3337,7 +3337,7 @@ static CURLcode servercert(struct connectdata *conn,
|
||||||
|
if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
|
||||||
|
if(strict)
|
||||||
|
failf(data, "SSL: Certificate issuer check failed (%s)",
|
||||||
|
- SSL_SET_OPTION(issuercert));
|
||||||
|
+ SSL_CONN_CONFIG(issuercert));
|
||||||
|
BIO_free(fp);
|
||||||
|
X509_free(issuer);
|
||||||
|
X509_free(BACKEND->server_cert);
|
||||||
|
@@ -3346,7 +3346,7 @@ static CURLcode servercert(struct connectdata *conn,
|
||||||
|
}
|
||||||
|
|
||||||
|
infof(data, " SSL certificate issuer check ok (%s)\n",
|
||||||
|
- SSL_SET_OPTION(issuercert));
|
||||||
|
+ SSL_CONN_CONFIG(issuercert));
|
||||||
|
X509_free(issuer);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
|
index b61c640..18672a5 100644
|
||||||
|
--- a/lib/vtls/vtls.c
|
||||||
|
+++ b/lib/vtls/vtls.c
|
||||||
|
@@ -82,6 +82,15 @@
|
||||||
|
else \
|
||||||
|
dest->var = NULL;
|
||||||
|
|
||||||
|
+static bool safecmp(char *a, char *b)
|
||||||
|
+{
|
||||||
|
+ if(a && b)
|
||||||
|
+ return !strcmp(a, b);
|
||||||
|
+ else if(!a && !b)
|
||||||
|
+ return TRUE; /* match */
|
||||||
|
+ return FALSE; /* no match */
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
bool
|
||||||
|
Curl_ssl_config_matches(struct ssl_primary_config* data,
|
||||||
|
struct ssl_primary_config* needle)
|
||||||
|
@@ -91,11 +100,11 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
|
||||||
|
(data->verifypeer == needle->verifypeer) &&
|
||||||
|
(data->verifyhost == needle->verifyhost) &&
|
||||||
|
(data->verifystatus == needle->verifystatus) &&
|
||||||
|
- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
|
||||||
|
- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
|
||||||
|
- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
|
||||||
|
- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
|
||||||
|
- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
|
||||||
|
+ safecmp(data->CApath, needle->CApath) &&
|
||||||
|
+ safecmp(data->CAfile, needle->CAfile) &&
|
||||||
|
+ safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
+ safecmp(data->random_file, needle->random_file) &&
|
||||||
|
+ safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
|
||||||
|
return TRUE;
|
||||||
|
@@ -116,6 +125,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||||
|
|
||||||
|
CLONE_STRING(CApath);
|
||||||
|
CLONE_STRING(CAfile);
|
||||||
|
+ CLONE_STRING(issuercert);
|
||||||
|
CLONE_STRING(clientcert);
|
||||||
|
CLONE_STRING(random_file);
|
||||||
|
CLONE_STRING(egdsocket);
|
||||||
|
@@ -129,6 +139,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
|
||||||
|
{
|
||||||
|
Curl_safefree(sslc->CApath);
|
||||||
|
Curl_safefree(sslc->CAfile);
|
||||||
|
+ Curl_safefree(sslc->issuercert);
|
||||||
|
Curl_safefree(sslc->clientcert);
|
||||||
|
Curl_safefree(sslc->random_file);
|
||||||
|
Curl_safefree(sslc->egdsocket);
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 886f7458bbf005299f3f8224103d1903cd6fa7a4 Mon Sep 17 00:00:00 2001
|
From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001
|
||||||
From: Harry Sintonen <sintonen@iki.fi>
|
From: Harry Sintonen <sintonen@iki.fi>
|
||||||
Date: Fri, 7 May 2021 13:09:57 +0200
|
Date: Fri, 7 May 2021 13:09:57 +0200
|
||||||
Subject: [PATCH] telnet: check sscanf() for correct number of matches
|
Subject: [PATCH] telnet: check sscanf() for correct number of matches
|
||||||
@ -14,16 +14,16 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/lib/telnet.c b/lib/telnet.c
|
diff --git a/lib/telnet.c b/lib/telnet.c
|
||||||
index f96a4cb..4551435 100644
|
index 1fc5af1..ea6bc71 100644
|
||||||
--- a/lib/telnet.c
|
--- a/lib/telnet.c
|
||||||
+++ b/lib/telnet.c
|
+++ b/lib/telnet.c
|
||||||
@@ -921,7 +921,7 @@ static void suboption(struct Curl_easy *data)
|
@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn)
|
||||||
size_t tmplen = (strlen(v->data) + 1);
|
size_t tmplen = (strlen(v->data) + 1);
|
||||||
/* Add the variable only if it fits */
|
/* Add the variable only if it fits */
|
||||||
if(len + tmplen < (int)sizeof(temp)-6) {
|
if(len + tmplen < (int)sizeof(temp)-6) {
|
||||||
- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
|
- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
|
||||||
+ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
|
+ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
|
||||||
msnprintf((char *)&temp[len], sizeof(temp) - len,
|
snprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
"%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
"%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
||||||
CURL_NEW_ENV_VALUE, varval);
|
CURL_NEW_ENV_VALUE, varval);
|
||||||
--
|
--
|
@ -1,4 +1,4 @@
|
|||||||
From 3dbac7fb8b39a4f9aa871401d9d2790f0583ba01 Mon Sep 17 00:00:00 2001
|
From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Sat, 12 Jun 2021 18:25:15 +0200
|
Date: Sat, 12 Jun 2021 18:25:15 +0200
|
||||||
Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
|
Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
|
||||||
@ -15,15 +15,15 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|||||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/telnet.c b/lib/telnet.c
|
diff --git a/lib/telnet.c b/lib/telnet.c
|
||||||
index fdd137f..567c22c 100644
|
index ea6bc71..f8428b8 100644
|
||||||
--- a/lib/telnet.c
|
--- a/lib/telnet.c
|
||||||
+++ b/lib/telnet.c
|
+++ b/lib/telnet.c
|
||||||
@@ -922,12 +922,17 @@ static void suboption(struct Curl_easy *data)
|
@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
|
||||||
size_t tmplen = (strlen(v->data) + 1);
|
size_t tmplen = (strlen(v->data) + 1);
|
||||||
/* Add the variable only if it fits */
|
/* Add the variable only if it fits */
|
||||||
if(len + tmplen < (int)sizeof(temp)-6) {
|
if(len + tmplen < (int)sizeof(temp)-6) {
|
||||||
- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
|
- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
|
||||||
- msnprintf((char *)&temp[len], sizeof(temp) - len,
|
- snprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
||||||
- CURL_NEW_ENV_VALUE, varval);
|
- CURL_NEW_ENV_VALUE, varval);
|
||||||
- len += tmplen;
|
- len += tmplen;
|
||||||
@ -33,15 +33,15 @@ index fdd137f..567c22c 100644
|
|||||||
+ varval[0] = 0;
|
+ varval[0] = 0;
|
||||||
+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
|
+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
|
||||||
+ if(rv == 1)
|
+ if(rv == 1)
|
||||||
+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
|
+ len += snprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
+ "%c%s", CURL_NEW_ENV_VAR, varname);
|
+ "%c%s", CURL_NEW_ENV_VAR, varname);
|
||||||
+ else if(rv >= 2)
|
+ else if(rv >= 2)
|
||||||
+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
|
+ len += snprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
|
||||||
+ CURL_NEW_ENV_VALUE, varval);
|
+ CURL_NEW_ENV_VALUE, varval);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
msnprintf((char *)&temp[len], sizeof(temp) - len,
|
snprintf((char *)&temp[len], sizeof(temp) - len,
|
||||||
--
|
--
|
||||||
2.31.1
|
2.31.1
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 64f8bdbf7da9e6b65716ce0d020c6c01d0aba77d Mon Sep 17 00:00:00 2001
|
From 03ca8c6faca7de6628f9cbec3001ec6466c88d07 Mon Sep 17 00:00:00 2001
|
||||||
From: Patrick Monnerat <patrick@monnerat.net>
|
From: Patrick Monnerat <patrick@monnerat.net>
|
||||||
Date: Wed, 8 Sep 2021 11:56:22 +0200
|
Date: Wed, 8 Sep 2021 11:56:22 +0200
|
||||||
Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
|
Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
|
||||||
@ -29,30 +29,30 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|||||||
create mode 100644 tests/data/test986
|
create mode 100644 tests/data/test986
|
||||||
|
|
||||||
diff --git a/lib/ftp.c b/lib/ftp.c
|
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||||
index 5ef1e2e..71f998e 100644
|
index 71c9642..30ebeaa 100644
|
||||||
--- a/lib/ftp.c
|
--- a/lib/ftp.c
|
||||||
+++ b/lib/ftp.c
|
+++ b/lib/ftp.c
|
||||||
@@ -2678,9 +2678,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
|
@@ -2621,9 +2621,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
||||||
/* we have now received a full FTP server response */
|
/* we have now received a full FTP server response */
|
||||||
switch(ftpc->state) {
|
switch(ftpc->state) {
|
||||||
case FTP_WAIT220:
|
case FTP_WAIT220:
|
||||||
- if(ftpcode == 230)
|
- if(ftpcode == 230)
|
||||||
- /* 230 User logged in - already! */
|
- /* 230 User logged in - already! */
|
||||||
- return ftp_state_user_resp(data, ftpcode, ftpc->state);
|
- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
|
||||||
+ if(ftpcode == 230) {
|
+ if(ftpcode == 230) {
|
||||||
+ /* 230 User logged in - already! Take as 220 if TLS required. */
|
+ /* 230 User logged in - already! Take as 220 if TLS required. */
|
||||||
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
|
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
|
||||||
+ conn->bits.ftp_use_control_ssl)
|
+ conn->ssl[FIRSTSOCKET].use)
|
||||||
+ return ftp_state_user_resp(data, ftpcode, ftpc->state);
|
+ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
|
||||||
+ }
|
+ }
|
||||||
else if(ftpcode != 220) {
|
else if(ftpcode != 220) {
|
||||||
failf(data, "Got a %03d ftp-server response when 220 was expected",
|
failf(data, "Got a %03d ftp-server response when 220 was expected",
|
||||||
ftpcode);
|
ftpcode);
|
||||||
diff --git a/lib/imap.c b/lib/imap.c
|
diff --git a/lib/imap.c b/lib/imap.c
|
||||||
index e50d7fd..feb7445 100644
|
index bda23a5..7e159d4 100644
|
||||||
--- a/lib/imap.c
|
--- a/lib/imap.c
|
||||||
+++ b/lib/imap.c
|
+++ b/lib/imap.c
|
||||||
@@ -935,22 +935,18 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data,
|
@@ -910,22 +910,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
|
||||||
line += wordlen;
|
line += wordlen;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -61,10 +61,10 @@ index e50d7fd..feb7445 100644
|
|||||||
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
|
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
|
||||||
- if(imapc->tls_supported)
|
- if(imapc->tls_supported)
|
||||||
- /* Switch to TLS connection now */
|
- /* Switch to TLS connection now */
|
||||||
- result = imap_perform_starttls(data, conn);
|
- result = imap_perform_starttls(conn);
|
||||||
- else if(data->set.use_ssl == CURLUSESSL_TRY)
|
- else if(data->set.use_ssl == CURLUSESSL_TRY)
|
||||||
- /* Fallback and carry on with authentication */
|
- /* Fallback and carry on with authentication */
|
||||||
- result = imap_perform_authentication(data, conn);
|
- result = imap_perform_authentication(conn);
|
||||||
- else {
|
- else {
|
||||||
- failf(data, "STARTTLS not supported.");
|
- failf(data, "STARTTLS not supported.");
|
||||||
- result = CURLE_USE_SSL_FAILED;
|
- result = CURLE_USE_SSL_FAILED;
|
||||||
@ -73,23 +73,23 @@ index e50d7fd..feb7445 100644
|
|||||||
+ /* PREAUTH is not compatible with STARTTLS. */
|
+ /* PREAUTH is not compatible with STARTTLS. */
|
||||||
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
|
+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
|
||||||
+ /* Switch to TLS connection now */
|
+ /* Switch to TLS connection now */
|
||||||
+ result = imap_perform_starttls(data, conn);
|
+ result = imap_perform_starttls(conn);
|
||||||
}
|
}
|
||||||
- else
|
- else
|
||||||
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
|
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
|
||||||
result = imap_perform_authentication(data, conn);
|
result = imap_perform_authentication(conn);
|
||||||
+ else {
|
+ else {
|
||||||
+ failf(data, "STARTTLS not available.");
|
+ failf(data, "STARTTLS not available.");
|
||||||
+ result = CURLE_USE_SSL_FAILED;
|
+ result = CURLE_USE_SSL_FAILED;
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
result = imap_perform_authentication(data, conn);
|
result = imap_perform_authentication(conn);
|
||||||
diff --git a/lib/pop3.c b/lib/pop3.c
|
diff --git a/lib/pop3.c b/lib/pop3.c
|
||||||
index 6168b12..7698d1c 100644
|
index 04cc887..3e916ce 100644
|
||||||
--- a/lib/pop3.c
|
--- a/lib/pop3.c
|
||||||
+++ b/lib/pop3.c
|
+++ b/lib/pop3.c
|
||||||
@@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code,
|
@@ -718,28 +718,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -98,17 +98,17 @@ index 6168b12..7698d1c 100644
|
|||||||
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
|
- /* We don't have a SSL/TLS connection yet, but SSL is requested */
|
||||||
- if(pop3c->tls_supported)
|
- if(pop3c->tls_supported)
|
||||||
- /* Switch to TLS connection now */
|
- /* Switch to TLS connection now */
|
||||||
- result = pop3_perform_starttls(data, conn);
|
- result = pop3_perform_starttls(conn);
|
||||||
- else if(data->set.use_ssl == CURLUSESSL_TRY)
|
- else if(data->set.use_ssl == CURLUSESSL_TRY)
|
||||||
- /* Fallback and carry on with authentication */
|
- /* Fallback and carry on with authentication */
|
||||||
- result = pop3_perform_authentication(data, conn);
|
- result = pop3_perform_authentication(conn);
|
||||||
- else {
|
- else {
|
||||||
- failf(data, "STLS not supported.");
|
- failf(data, "STLS not supported.");
|
||||||
- result = CURLE_USE_SSL_FAILED;
|
- result = CURLE_USE_SSL_FAILED;
|
||||||
- }
|
- }
|
||||||
- }
|
- }
|
||||||
- else
|
- else
|
||||||
- result = pop3_perform_authentication(data, conn);
|
- result = pop3_perform_authentication(conn);
|
||||||
- }
|
- }
|
||||||
else {
|
else {
|
||||||
/* Clear text is supported when CAPA isn't recognised */
|
/* Clear text is supported when CAPA isn't recognised */
|
||||||
@ -116,15 +116,15 @@ index 6168b12..7698d1c 100644
|
|||||||
+ if(pop3code != '+')
|
+ if(pop3code != '+')
|
||||||
+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
|
+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
|
||||||
|
|
||||||
- result = pop3_perform_authentication(data, conn);
|
- result = pop3_perform_authentication(conn);
|
||||||
+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
|
+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
|
||||||
+ result = pop3_perform_authentication(data, conn);
|
+ result = pop3_perform_authentication(conn);
|
||||||
+ else if(pop3code == '+' && pop3c->tls_supported)
|
+ else if(pop3code == '+' && pop3c->tls_supported)
|
||||||
+ /* Switch to TLS connection now */
|
+ /* Switch to TLS connection now */
|
||||||
+ result = pop3_perform_starttls(data, conn);
|
+ result = pop3_perform_starttls(conn);
|
||||||
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
|
+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
|
||||||
+ /* Fallback and carry on with authentication */
|
+ /* Fallback and carry on with authentication */
|
||||||
+ result = pop3_perform_authentication(data, conn);
|
+ result = pop3_perform_authentication(conn);
|
||||||
+ else {
|
+ else {
|
||||||
+ failf(data, "STLS not supported.");
|
+ failf(data, "STLS not supported.");
|
||||||
+ result = CURLE_USE_SSL_FAILED;
|
+ result = CURLE_USE_SSL_FAILED;
|
||||||
@ -133,12 +133,12 @@ index 6168b12..7698d1c 100644
|
|||||||
|
|
||||||
return result;
|
return result;
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
index d083baf..163ce59 100644
|
index ef9252b..1ba482b 100644
|
||||||
--- a/tests/data/Makefile.inc
|
--- a/tests/data/Makefile.inc
|
||||||
+++ b/tests/data/Makefile.inc
|
+++ b/tests/data/Makefile.inc
|
||||||
@@ -117,6 +117,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
@@ -108,6 +108,8 @@ test927 test928 test929 test930 test931 test932 test933 test934 test935 \
|
||||||
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
||||||
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
test945 test946 test947 test948 test949 test950 test951 test952 \
|
||||||
\
|
\
|
||||||
+test984 test985 test986 \
|
+test984 test985 test986 \
|
||||||
+\
|
+\
|
@ -37,7 +37,7 @@ diff --git a/lib/ftp.c b/lib/ftp.c
|
|||||||
index 71f998e..e920138 100644
|
index 71f998e..e920138 100644
|
||||||
--- a/lib/ftp.c
|
--- a/lib/ftp.c
|
||||||
+++ b/lib/ftp.c
|
+++ b/lib/ftp.c
|
||||||
@@ -2740,6 +2740,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
|
@@ -2688,6 +2688,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
||||||
case FTP_AUTH:
|
case FTP_AUTH:
|
||||||
/* we have gotten the response to a previous AUTH command */
|
/* we have gotten the response to a previous AUTH command */
|
||||||
|
|
||||||
@ -51,12 +51,12 @@ diff --git a/lib/imap.c b/lib/imap.c
|
|||||||
index feb7445..09bc5d6 100644
|
index feb7445..09bc5d6 100644
|
||||||
--- a/lib/imap.c
|
--- a/lib/imap.c
|
||||||
+++ b/lib/imap.c
|
+++ b/lib/imap.c
|
||||||
@@ -964,6 +964,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data,
|
@@ -939,6 +939,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
|
||||||
|
|
||||||
(void)instate; /* no use for this yet */
|
(void)instate; /* no use for this yet */
|
||||||
|
|
||||||
+ /* Pipelining in response is forbidden. */
|
+ /* Pipelining in response is forbidden. */
|
||||||
+ if(data->conn->proto.imapc.pp.cache_size)
|
+ if(conn->proto.imapc.pp.cache_size)
|
||||||
+ return CURLE_WEIRD_SERVER_REPLY;
|
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||||
+
|
+
|
||||||
if(imapcode != IMAP_RESP_OK) {
|
if(imapcode != IMAP_RESP_OK) {
|
||||||
@ -66,12 +66,12 @@ diff --git a/lib/pop3.c b/lib/pop3.c
|
|||||||
index 7698d1c..dccfced 100644
|
index 7698d1c..dccfced 100644
|
||||||
--- a/lib/pop3.c
|
--- a/lib/pop3.c
|
||||||
+++ b/lib/pop3.c
|
+++ b/lib/pop3.c
|
||||||
@@ -771,6 +771,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data,
|
@@ -750,6 +750,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
|
||||||
CURLcode result = CURLE_OK;
|
|
||||||
(void)instate; /* no use for this yet */
|
(void)instate; /* no use for this yet */
|
||||||
|
|
||||||
+ /* Pipelining in response is forbidden. */
|
+ /* Pipelining in response is forbidden. */
|
||||||
+ if(data->conn->proto.pop3c.pp.cache_size)
|
+ if(conn->proto.pop3c.pp.cache_size)
|
||||||
+ return CURLE_WEIRD_SERVER_REPLY;
|
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||||
+
|
+
|
||||||
if(pop3code != '+') {
|
if(pop3code != '+') {
|
||||||
@ -81,12 +81,12 @@ diff --git a/lib/smtp.c b/lib/smtp.c
|
|||||||
index 1defb25..1f89777 100644
|
index 1defb25..1f89777 100644
|
||||||
--- a/lib/smtp.c
|
--- a/lib/smtp.c
|
||||||
+++ b/lib/smtp.c
|
+++ b/lib/smtp.c
|
||||||
@@ -834,6 +834,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data,
|
@@ -685,6 +685,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
|
||||||
CURLcode result = CURLE_OK;
|
|
||||||
(void)instate; /* no use for this yet */
|
(void)instate; /* no use for this yet */
|
||||||
|
|
||||||
+ /* Pipelining in response is forbidden. */
|
+ /* Pipelining in response is forbidden. */
|
||||||
+ if(data->conn->proto.smtpc.pp.cache_size)
|
+ if(conn->proto.smtpc.pp.cache_size)
|
||||||
+ return CURLE_WEIRD_SERVER_REPLY;
|
+ return CURLE_WEIRD_SERVER_REPLY;
|
||||||
+
|
+
|
||||||
if(smtpcode != 220) {
|
if(smtpcode != 220) {
|
||||||
@ -96,9 +96,9 @@ diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|||||||
index 163ce59..42b0569 100644
|
index 163ce59..42b0569 100644
|
||||||
--- a/tests/data/Makefile.inc
|
--- a/tests/data/Makefile.inc
|
||||||
+++ b/tests/data/Makefile.inc
|
+++ b/tests/data/Makefile.inc
|
||||||
@@ -117,7 +117,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
@@ -108,7 +108,7 @@ test927 test928 test929 test930 test931 test932 test933 test934 test935 \
|
||||||
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
||||||
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
test945 test946 test947 test948 test949 test950 test951 test952 \
|
||||||
\
|
\
|
||||||
-test984 test985 test986 \
|
-test984 test985 test986 \
|
||||||
+test980 test981 test982 test983 test984 test985 test986 \
|
+test980 test981 test982 test983 test984 test985 test986 \
|
338
SOURCES/0036-curl-7.61.1-CVE-2022-22576.patch
Normal file
338
SOURCES/0036-curl-7.61.1-CVE-2022-22576.patch
Normal file
@ -0,0 +1,338 @@
|
|||||||
|
From 295124c256ed25f097192cfa9a67e460f7bb587f Mon Sep 17 00:00:00 2001
|
||||||
|
From: nao <naost3rn@gmail.com>
|
||||||
|
Date: Tue, 21 Jan 2020 10:30:37 +0100
|
||||||
|
Subject: [PATCH 1/2] http: move "oauth_bearer" from connectdata to Curl_easy
|
||||||
|
|
||||||
|
Fixes the bug where oauth_bearer gets deallocated when we re-use a
|
||||||
|
connection.
|
||||||
|
|
||||||
|
Closes #4824
|
||||||
|
|
||||||
|
Upstream-commit: dea17b519dc1d83265ca6aa9a484a2cf242db3b9
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/curl_sasl.c | 14 ++++++++------
|
||||||
|
lib/http.c | 12 +++++-------
|
||||||
|
lib/url.c | 9 ---------
|
||||||
|
lib/urldata.h | 2 --
|
||||||
|
4 files changed, 13 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
|
||||||
|
index 354bc54..c767bef 100644
|
||||||
|
--- a/lib/curl_sasl.c
|
||||||
|
+++ b/lib/curl_sasl.c
|
||||||
|
@@ -269,6 +269,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
||||||
|
data->set.str[STRING_SERVICE_NAME] :
|
||||||
|
sasl->params->service;
|
||||||
|
#endif
|
||||||
|
+ const char *oauth_bearer = data->set.str[STRING_BEARER];
|
||||||
|
|
||||||
|
sasl->force_ir = force_ir; /* Latch for future use */
|
||||||
|
sasl->authused = 0; /* No mechanism used yet */
|
||||||
|
@@ -339,7 +340,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
||||||
|
}
|
||||||
|
else
|
||||||
|
#endif
|
||||||
|
- if((enabledmechs & SASL_MECH_OAUTHBEARER) && conn->oauth_bearer) {
|
||||||
|
+ if((enabledmechs & SASL_MECH_OAUTHBEARER) && oauth_bearer) {
|
||||||
|
mech = SASL_MECH_STRING_OAUTHBEARER;
|
||||||
|
state1 = SASL_OAUTH2;
|
||||||
|
state2 = SASL_OAUTH2_RESP;
|
||||||
|
@@ -349,10 +350,10 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
||||||
|
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
||||||
|
hostname,
|
||||||
|
port,
|
||||||
|
- conn->oauth_bearer,
|
||||||
|
+ oauth_bearer,
|
||||||
|
&resp, &len);
|
||||||
|
}
|
||||||
|
- else if((enabledmechs & SASL_MECH_XOAUTH2) && conn->oauth_bearer) {
|
||||||
|
+ else if((enabledmechs & SASL_MECH_XOAUTH2) && oauth_bearer) {
|
||||||
|
mech = SASL_MECH_STRING_XOAUTH2;
|
||||||
|
state1 = SASL_OAUTH2;
|
||||||
|
sasl->authused = SASL_MECH_XOAUTH2;
|
||||||
|
@@ -360,7 +361,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
||||||
|
if(force_ir || data->set.sasl_ir)
|
||||||
|
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
||||||
|
NULL, 0,
|
||||||
|
- conn->oauth_bearer,
|
||||||
|
+ oauth_bearer,
|
||||||
|
&resp, &len);
|
||||||
|
}
|
||||||
|
else if(enabledmechs & SASL_MECH_PLAIN) {
|
||||||
|
@@ -429,6 +430,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
|
||||||
|
char *serverdata;
|
||||||
|
#endif
|
||||||
|
size_t len = 0;
|
||||||
|
+ const char *oauth_bearer = data->set.str[STRING_BEARER];
|
||||||
|
|
||||||
|
*progress = SASL_INPROGRESS;
|
||||||
|
|
||||||
|
@@ -556,7 +558,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
|
||||||
|
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
||||||
|
hostname,
|
||||||
|
port,
|
||||||
|
- conn->oauth_bearer,
|
||||||
|
+ oauth_bearer,
|
||||||
|
&resp, &len);
|
||||||
|
|
||||||
|
/* Failures maybe sent by the server as continuations for OAUTHBEARER */
|
||||||
|
@@ -565,7 +567,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
|
||||||
|
else
|
||||||
|
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
|
||||||
|
NULL, 0,
|
||||||
|
- conn->oauth_bearer,
|
||||||
|
+ oauth_bearer,
|
||||||
|
&resp, &len);
|
||||||
|
break;
|
||||||
|
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index 26eb52d..bf19077 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -326,7 +326,7 @@ static CURLcode http_output_bearer(struct connectdata *conn)
|
||||||
|
userp = &conn->allocptr.userpwd;
|
||||||
|
free(*userp);
|
||||||
|
*userp = aprintf("Authorization: Bearer %s\r\n",
|
||||||
|
- conn->oauth_bearer);
|
||||||
|
+ conn->data->set.str[STRING_BEARER]);
|
||||||
|
|
||||||
|
if(!*userp) {
|
||||||
|
result = CURLE_OUT_OF_MEMORY;
|
||||||
|
@@ -510,7 +510,7 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
|
||||||
|
CURLcode result = CURLE_OK;
|
||||||
|
unsigned long authmask = ~0ul;
|
||||||
|
|
||||||
|
- if(!conn->oauth_bearer)
|
||||||
|
+ if(!data->set.str[STRING_BEARER])
|
||||||
|
authmask &= (unsigned long)~CURLAUTH_BEARER;
|
||||||
|
|
||||||
|
if(100 <= data->req.httpcode && 199 >= data->req.httpcode)
|
||||||
|
@@ -520,7 +520,7 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
|
||||||
|
if(data->state.authproblem)
|
||||||
|
return data->set.http_fail_on_error?CURLE_HTTP_RETURNED_ERROR:CURLE_OK;
|
||||||
|
|
||||||
|
- if((conn->bits.user_passwd || conn->oauth_bearer) &&
|
||||||
|
+ if((conn->bits.user_passwd || data->set.str[STRING_BEARER]) &&
|
||||||
|
((data->req.httpcode == 401) ||
|
||||||
|
(conn->bits.authneg && data->req.httpcode < 300))) {
|
||||||
|
pickhost = pickoneauth(&data->state.authhost, authmask);
|
||||||
|
@@ -590,9 +590,7 @@ output_auth_headers(struct connectdata *conn,
|
||||||
|
{
|
||||||
|
const char *auth = NULL;
|
||||||
|
CURLcode result = CURLE_OK;
|
||||||
|
-#if !defined(CURL_DISABLE_VERBOSE_STRINGS) || defined(USE_SPNEGO)
|
||||||
|
struct Curl_easy *data = conn->data;
|
||||||
|
-#endif
|
||||||
|
#ifdef USE_SPNEGO
|
||||||
|
struct negotiatedata *negdata = proxy ?
|
||||||
|
&data->state.proxyneg : &data->state.negotiate;
|
||||||
|
@@ -664,7 +662,7 @@ output_auth_headers(struct connectdata *conn,
|
||||||
|
}
|
||||||
|
if(authstatus->picked == CURLAUTH_BEARER) {
|
||||||
|
/* Bearer */
|
||||||
|
- if((!proxy && conn->oauth_bearer &&
|
||||||
|
+ if((!proxy && data->set.str[STRING_BEARER] &&
|
||||||
|
!Curl_checkheaders(conn, "Authorization:"))) {
|
||||||
|
auth = "Bearer";
|
||||||
|
result = http_output_bearer(conn);
|
||||||
|
@@ -722,7 +720,7 @@ Curl_http_output_auth(struct connectdata *conn,
|
||||||
|
authproxy = &data->state.authproxy;
|
||||||
|
|
||||||
|
if((conn->bits.httpproxy && conn->bits.proxy_user_passwd) ||
|
||||||
|
- conn->bits.user_passwd || conn->oauth_bearer)
|
||||||
|
+ conn->bits.user_passwd || data->set.str[STRING_BEARER])
|
||||||
|
/* continue please */;
|
||||||
|
else {
|
||||||
|
authhost->done = TRUE;
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index 4803653..fca0855 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -686,7 +686,6 @@ static void conn_free(struct connectdata *conn)
|
||||||
|
|
||||||
|
Curl_safefree(conn->user);
|
||||||
|
Curl_safefree(conn->passwd);
|
||||||
|
- Curl_safefree(conn->oauth_bearer);
|
||||||
|
Curl_safefree(conn->options);
|
||||||
|
Curl_safefree(conn->http_proxy.user);
|
||||||
|
Curl_safefree(conn->socks_proxy.user);
|
||||||
|
@@ -4161,14 +4160,6 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if(data->set.str[STRING_BEARER]) {
|
||||||
|
- conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
||||||
|
- if(!conn->oauth_bearer) {
|
||||||
|
- result = CURLE_OUT_OF_MEMORY;
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
#ifdef USE_UNIX_SOCKETS
|
||||||
|
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
||||||
|
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 72a36fb..73a185c 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -850,8 +850,6 @@ struct connectdata {
|
||||||
|
char *passwd; /* password string, allocated */
|
||||||
|
char *options; /* options string, allocated */
|
||||||
|
|
||||||
|
- char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */
|
||||||
|
-
|
||||||
|
int httpversion; /* the HTTP version*10 reported by the server */
|
||||||
|
int rtspversion; /* the RTSP version*10 reported by the server */
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Monnerat <patrick@monnerat.net>
|
||||||
|
Date: Mon, 25 Apr 2022 11:44:05 +0200
|
||||||
|
Subject: [PATCH 2/2] url: check sasl additional parameters for connection
|
||||||
|
reuse.
|
||||||
|
|
||||||
|
Also move static function safecmp() as non-static Curl_safecmp() since
|
||||||
|
its purpose is needed at several places.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-22576.html
|
||||||
|
|
||||||
|
CVE-2022-22576
|
||||||
|
|
||||||
|
Closes #8746
|
||||||
|
|
||||||
|
Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/strcase.c | 10 ++++++++++
|
||||||
|
lib/strcase.h | 2 ++
|
||||||
|
lib/url.c | 12 +++++++++++-
|
||||||
|
lib/urldata.h | 2 ++
|
||||||
|
lib/vtls/vtls.c | 19 +++++--------------
|
||||||
|
5 files changed, 30 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/strcase.c b/lib/strcase.c
|
||||||
|
index dd46ca1..692a3f1 100644
|
||||||
|
--- a/lib/strcase.c
|
||||||
|
+++ b/lib/strcase.c
|
||||||
|
@@ -165,6 +165,16 @@ void Curl_strntoupper(char *dest, const char *src, size_t n)
|
||||||
|
} while(*src++ && --n);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
||||||
|
+ * null pointers. Return true if arguments match.
|
||||||
|
+ */
|
||||||
|
+bool Curl_safecmp(char *a, char *b)
|
||||||
|
+{
|
||||||
|
+ if(a && b)
|
||||||
|
+ return !strcmp(a, b);
|
||||||
|
+ return !a && !b;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* --- public functions --- */
|
||||||
|
|
||||||
|
int curl_strequal(const char *first, const char *second)
|
||||||
|
diff --git a/lib/strcase.h b/lib/strcase.h
|
||||||
|
index b628656..382b80a 100644
|
||||||
|
--- a/lib/strcase.h
|
||||||
|
+++ b/lib/strcase.h
|
||||||
|
@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
|
||||||
|
|
||||||
|
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
||||||
|
|
||||||
|
+bool Curl_safecmp(char *a, char *b);
|
||||||
|
+
|
||||||
|
#endif /* HEADER_CURL_STRCASE_H */
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index adef2cd..94e3406 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -701,6 +701,7 @@ static void conn_free(struct connectdata *conn)
|
||||||
|
Curl_safefree(conn->allocptr.host);
|
||||||
|
Curl_safefree(conn->allocptr.cookiehost);
|
||||||
|
Curl_safefree(conn->allocptr.rtsp_transport);
|
||||||
|
+ Curl_safefree(conn->oauth_bearer);
|
||||||
|
Curl_safefree(conn->trailer);
|
||||||
|
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
||||||
|
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
|
||||||
|
@@ -1291,7 +1292,8 @@ ConnectionExists(struct Curl_easy *data,
|
||||||
|
/* This protocol requires credentials per connection,
|
||||||
|
so verify that we're using the same name and password as well */
|
||||||
|
if(strcmp(needle->user, check->user) ||
|
||||||
|
- strcmp(needle->passwd, check->passwd)) {
|
||||||
|
+ strcmp(needle->passwd, check->passwd) ||
|
||||||
|
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
|
||||||
|
/* one of them was different */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -4160,6 +4162,14 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if(data->set.str[STRING_BEARER]) {
|
||||||
|
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
||||||
|
+ if(!conn->oauth_bearer) {
|
||||||
|
+ result = CURLE_OUT_OF_MEMORY;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
#ifdef USE_UNIX_SOCKETS
|
||||||
|
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
||||||
|
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index cc8a600..03da59a 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -850,6 +850,8 @@ struct connectdata {
|
||||||
|
char *passwd; /* password string, allocated */
|
||||||
|
char *options; /* options string, allocated */
|
||||||
|
|
||||||
|
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
|
||||||
|
+
|
||||||
|
int httpversion; /* the HTTP version*10 reported by the server */
|
||||||
|
int rtspversion; /* the RTSP version*10 reported by the server */
|
||||||
|
|
||||||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
|
index 03b85ba..a40ac06 100644
|
||||||
|
--- a/lib/vtls/vtls.c
|
||||||
|
+++ b/lib/vtls/vtls.c
|
||||||
|
@@ -82,15 +82,6 @@
|
||||||
|
else \
|
||||||
|
dest->var = NULL;
|
||||||
|
|
||||||
|
-static bool safecmp(char *a, char *b)
|
||||||
|
-{
|
||||||
|
- if(a && b)
|
||||||
|
- return !strcmp(a, b);
|
||||||
|
- else if(!a && !b)
|
||||||
|
- return TRUE; /* match */
|
||||||
|
- return FALSE; /* no match */
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
bool
|
||||||
|
Curl_ssl_config_matches(struct ssl_primary_config* data,
|
||||||
|
struct ssl_primary_config* needle)
|
||||||
|
@@ -100,11 +91,11 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
|
||||||
|
(data->verifypeer == needle->verifypeer) &&
|
||||||
|
(data->verifyhost == needle->verifyhost) &&
|
||||||
|
(data->verifystatus == needle->verifystatus) &&
|
||||||
|
- safecmp(data->CApath, needle->CApath) &&
|
||||||
|
- safecmp(data->CAfile, needle->CAfile) &&
|
||||||
|
- safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
- safecmp(data->random_file, needle->random_file) &&
|
||||||
|
- safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
+ Curl_safecmp(data->CApath, needle->CApath) &&
|
||||||
|
+ Curl_safecmp(data->CAfile, needle->CAfile) &&
|
||||||
|
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
+ Curl_safecmp(data->random_file, needle->random_file) &&
|
||||||
|
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
|
||||||
|
return TRUE;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
710
SOURCES/0037-curl-7.61.1-CVE-2022-27776.patch
Normal file
710
SOURCES/0037-curl-7.61.1-CVE-2022-27776.patch
Normal file
@ -0,0 +1,710 @@
|
|||||||
|
From 24ff6b126726201cf778038c332b3b921c7f5b2f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Katsuhiko YOSHIDA <claddvd@gmail.com>
|
||||||
|
Date: Sun, 30 Dec 2018 09:44:30 +0900
|
||||||
|
Subject: [PATCH 1/6] cookies: skip custom cookies when redirecting cross-site
|
||||||
|
|
||||||
|
Closes #3417
|
||||||
|
|
||||||
|
Upstream-commit: 1f30dc886d1a4a6e81599a9f5f5e9f60d97801d4
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 4 ++
|
||||||
|
lib/http.c | 3 +-
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test330 | 90 ++++++++++++++++++++++++++
|
||||||
|
4 files changed, 97 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 tests/data/test330
|
||||||
|
|
||||||
|
diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
|
||||||
|
index f5826e1..4af69f4 100644
|
||||||
|
--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
|
||||||
|
+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
|
||||||
|
@@ -88,6 +88,10 @@ those servers will get all the contents of your custom headers too.
|
||||||
|
Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
|
||||||
|
from being sent to other hosts than the first used one, unless specifically
|
||||||
|
permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option.
|
||||||
|
+
|
||||||
|
+Starting in 7.64.0, libcurl will specifically prevent "Cookie:" headers
|
||||||
|
+from being sent to other hosts than the first used one, unless specifically
|
||||||
|
+permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option.
|
||||||
|
.SH DEFAULT
|
||||||
|
NULL
|
||||||
|
.SH PROTOCOLS
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index bf19077..0b5e476 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -1774,7 +1774,8 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
|
||||||
|
checkprefix("Transfer-Encoding:", headers->data))
|
||||||
|
/* HTTP/2 doesn't support chunked requests */
|
||||||
|
;
|
||||||
|
- else if(checkprefix("Authorization:", headers->data) &&
|
||||||
|
+ else if((checkprefix("Authorization:", headers->data) ||
|
||||||
|
+ checkprefix("Cookie:", headers->data)) &&
|
||||||
|
/* be careful of sending this potentially sensitive header to
|
||||||
|
other hosts */
|
||||||
|
(data->state.this_is_a_follow &&
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index e0f1ef4..77e85fd 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -56,7 +56,7 @@ test289 test290 test291 test292 test293 test294 test295 test296 test297 \
|
||||||
|
test298 test299 test300 test301 test302 test303 test304 test305 test306 \
|
||||||
|
test307 test308 test309 test310 test311 test312 test313 test314 test315 \
|
||||||
|
test316 test317 test318 test319 test320 test321 test322 test323 test324 \
|
||||||
|
-test325 test326 \
|
||||||
|
+test325 test326 test330 \
|
||||||
|
\
|
||||||
|
test340 \
|
||||||
|
\
|
||||||
|
diff --git a/tests/data/test330 b/tests/data/test330
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..74607d5
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test330
|
||||||
|
@@ -0,0 +1,90 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+followlocation
|
||||||
|
+cookies
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 302 OK
|
||||||
|
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake swsclose
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Funny-head: yesyes
|
||||||
|
+Location: http://goto.second.host.now/3170002
|
||||||
|
+Content-Length: 8
|
||||||
|
+Connection: close
|
||||||
|
+
|
||||||
|
+contents
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake swsclose
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Funny-head: yesyes
|
||||||
|
+Content-Length: 9
|
||||||
|
+
|
||||||
|
+contents
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 302 OK
|
||||||
|
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake swsclose
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Funny-head: yesyes
|
||||||
|
+Location: http://goto.second.host.now/3170002
|
||||||
|
+Content-Length: 8
|
||||||
|
+Connection: close
|
||||||
|
+
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake swsclose
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Funny-head: yesyes
|
||||||
|
+Content-Length: 9
|
||||||
|
+
|
||||||
|
+contents
|
||||||
|
+</datacheck>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with custom Cookie: and redirect to new host
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Cookie: test=yes" --location
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<strip>
|
||||||
|
+^User-Agent:.*
|
||||||
|
+</strip>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1
|
||||||
|
+Host: first.host.it.is
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+Cookie: test=yes
|
||||||
|
+
|
||||||
|
+GET http://goto.second.host.now/3170002 HTTP/1.1
|
||||||
|
+Host: goto.second.host.now
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From a3f3855c8bf3a39ef0d86ef04087c200bca765f1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 19 Dec 2019 16:45:53 +0100
|
||||||
|
Subject: [PATCH 2/6] sws: search for "Testno:" header uncondtionally if no
|
||||||
|
testno
|
||||||
|
|
||||||
|
Even if the initial request line wasn't found. With the fix to 1455, the
|
||||||
|
test number is now detected correctly.
|
||||||
|
|
||||||
|
(Problem found when running tests in random order.)
|
||||||
|
|
||||||
|
Closes #4744
|
||||||
|
|
||||||
|
Upstream-commit: 25b69c482f45c7acd817920bd8fdf68887be51a2
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/test1455 | 3 ++-
|
||||||
|
tests/server/sws.c | 40 +++++++++++++++++++++++-----------------
|
||||||
|
2 files changed, 25 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/test1455 b/tests/data/test1455
|
||||||
|
index 0b77dc4..25f742e 100644
|
||||||
|
--- a/tests/data/test1455
|
||||||
|
+++ b/tests/data/test1455
|
||||||
|
@@ -35,7 +35,7 @@ http
|
||||||
|
HTTP GET when PROXY Protocol enabled
|
||||||
|
</name>
|
||||||
|
<command>
|
||||||
|
-http://%HOSTIP:%HTTPPORT/1455 --haproxy-protocol
|
||||||
|
+http://%HOSTIP:%HTTPPORT/1455 --haproxy-protocol -H "Testno: 1455"
|
||||||
|
</command>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
@@ -53,6 +53,7 @@ proxy-line
|
||||||
|
GET /1455 HTTP/1.1
|
||||||
|
Host: %HOSTIP:%HTTPPORT
|
||||||
|
Accept: */*
|
||||||
|
+Testno: 1455
|
||||||
|
|
||||||
|
</protocol>
|
||||||
|
</verify>
|
||||||
|
diff --git a/tests/server/sws.c b/tests/server/sws.c
|
||||||
|
index fbe7761..4ece830 100644
|
||||||
|
--- a/tests/server/sws.c
|
||||||
|
+++ b/tests/server/sws.c
|
||||||
|
@@ -367,6 +367,8 @@ static int parse_servercmd(struct httprequest *req)
|
||||||
|
|
||||||
|
filename = test2file(req->testno);
|
||||||
|
req->close = FALSE;
|
||||||
|
+ req->connmon = FALSE;
|
||||||
|
+
|
||||||
|
stream = fopen(filename, "rb");
|
||||||
|
if(!stream) {
|
||||||
|
error = errno;
|
||||||
|
@@ -391,8 +393,6 @@ static int parse_servercmd(struct httprequest *req)
|
||||||
|
return 1; /* done */
|
||||||
|
}
|
||||||
|
|
||||||
|
- req->connmon = FALSE;
|
||||||
|
-
|
||||||
|
cmd = orgcmd;
|
||||||
|
while(cmd && cmdsize) {
|
||||||
|
char *check;
|
||||||
|
@@ -548,12 +548,11 @@ static int ProcessRequest(struct httprequest *req)
|
||||||
|
snprintf(logbuf, sizeof(logbuf), "Requested test number %ld part %ld",
|
||||||
|
req->testno, req->partno);
|
||||||
|
logmsg("%s", logbuf);
|
||||||
|
-
|
||||||
|
- /* find and parse <servercmd> for this test */
|
||||||
|
- parse_servercmd(req);
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
+ else {
|
||||||
|
+ logmsg("No test number");
|
||||||
|
req->testno = DOCNUMBER_NOTHING;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -613,14 +612,6 @@ static int ProcessRequest(struct httprequest *req)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if(req->testno == DOCNUMBER_NOTHING) {
|
||||||
|
- /* check for a Testno: header with the test case number */
|
||||||
|
- char *testno = strstr(line, "\nTestno: ");
|
||||||
|
- if(testno) {
|
||||||
|
- req->testno = strtol(&testno[9], NULL, 10);
|
||||||
|
- logmsg("Found test number %d in Testno: header!", req->testno);
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
if(req->testno == DOCNUMBER_NOTHING) {
|
||||||
|
/* Still no test case number. Try to get the the number off the last dot
|
||||||
|
instead, IE we consider the TLD to be the test number. Test 123 can
|
||||||
|
@@ -661,8 +652,8 @@ static int ProcessRequest(struct httprequest *req)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if((req->offset >= 3) && (req->testno == DOCNUMBER_NOTHING)) {
|
||||||
|
- logmsg("** Unusual request. Starts with %02x %02x %02x",
|
||||||
|
- line[0], line[1], line[2]);
|
||||||
|
+ logmsg("** Unusual request. Starts with %02x %02x %02x (%c%c%c)",
|
||||||
|
+ line[0], line[1], line[2], line[0], line[1], line[2]);
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!end) {
|
||||||
|
@@ -670,7 +661,22 @@ static int ProcessRequest(struct httprequest *req)
|
||||||
|
logmsg("request not complete yet");
|
||||||
|
return 0; /* not complete yet */
|
||||||
|
}
|
||||||
|
- logmsg("- request found to be complete");
|
||||||
|
+ logmsg("- request found to be complete (%d)", req->testno);
|
||||||
|
+
|
||||||
|
+ if(req->testno == DOCNUMBER_NOTHING) {
|
||||||
|
+ /* check for a Testno: header with the test case number */
|
||||||
|
+ char *testno = strstr(line, "\nTestno: ");
|
||||||
|
+ if(testno) {
|
||||||
|
+ req->testno = strtol(&testno[9], NULL, 10);
|
||||||
|
+ logmsg("Found test number %d in Testno: header!", req->testno);
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ logmsg("No Testno: header");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* find and parse <servercmd> for this test */
|
||||||
|
+ parse_servercmd(req);
|
||||||
|
|
||||||
|
if(use_gopher) {
|
||||||
|
/* when using gopher we cannot check the request until the entire
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 3772ea764c05a1cf37b96c091ae266138e8a2867 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 16 Apr 2020 14:16:22 +0200
|
||||||
|
Subject: [PATCH 3/6] runtests: always put test number in servercmd file
|
||||||
|
|
||||||
|
Upstream-commit: d1a2816b4128faa8ebc50ce93285c7364652856e
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/runtests.pl | 10 +++-------
|
||||||
|
1 file changed, 3 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
||||||
|
index a0fd991..8d8ed81 100755
|
||||||
|
--- a/tests/runtests.pl
|
||||||
|
+++ b/tests/runtests.pl
|
||||||
|
@@ -3878,10 +3878,9 @@ sub singletest {
|
||||||
|
unlink($SERVER2IN);
|
||||||
|
unlink($PROXYIN);
|
||||||
|
|
||||||
|
- if(@ftpservercmd) {
|
||||||
|
- # write the instructions to file
|
||||||
|
- writearray($FTPDCMD, \@ftpservercmd);
|
||||||
|
- }
|
||||||
|
+ push @ftpservercmd, "Testnum $testnum\n";
|
||||||
|
+ # write the instructions to file
|
||||||
|
+ writearray($FTPDCMD, \@ftpservercmd);
|
||||||
|
|
||||||
|
# get the command line options to use
|
||||||
|
my @blaha;
|
||||||
|
@@ -4222,9 +4221,6 @@ sub singletest {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- # remove the test server commands file after each test
|
||||||
|
- unlink($FTPDCMD) if(-f $FTPDCMD);
|
||||||
|
-
|
||||||
|
# run the postcheck command
|
||||||
|
my @postcheck= getpart("client", "postcheck");
|
||||||
|
if(@postcheck) {
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From ac04f6feaa19c636aa09a1b50643d70a77be4465 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 14 May 2020 17:45:40 +0200
|
||||||
|
Subject: [PATCH 4/6] sws: as last resort, get test number from server cmd file
|
||||||
|
|
||||||
|
If it can't be found in the request. Also support --cmdfile to set it to
|
||||||
|
a custom file name.
|
||||||
|
|
||||||
|
runtests.pl always writes this file with the test number in it since a
|
||||||
|
while back.
|
||||||
|
|
||||||
|
Upstream-commit: a3b0699d5c110270f09ac51b5b465ca8753b35a9
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/server/sws.c | 68 ++++++++++++++++++++++++++++++++++------------
|
||||||
|
1 file changed, 51 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/server/sws.c b/tests/server/sws.c
|
||||||
|
index 4ece830..2696872 100644
|
||||||
|
--- a/tests/server/sws.c
|
||||||
|
+++ b/tests/server/sws.c
|
||||||
|
@@ -155,6 +155,10 @@ const char *serverlogfile = DEFAULT_LOGFILE;
|
||||||
|
#define REQUEST_PROXY_DUMP "log/proxy.input"
|
||||||
|
#define RESPONSE_PROXY_DUMP "log/proxy.response"
|
||||||
|
|
||||||
|
+/* file in which additional instructions may be found */
|
||||||
|
+#define DEFAULT_CMDFILE "log/ftpserver.cmd"
|
||||||
|
+const char *cmdfile = DEFAULT_CMDFILE;
|
||||||
|
+
|
||||||
|
/* very-big-path support */
|
||||||
|
#define MAXDOCNAMELEN 140000
|
||||||
|
#define MAXDOCNAMELEN_TXT "139999"
|
||||||
|
@@ -358,6 +362,24 @@ static bool socket_domain_is_ip(void)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* parse the file on disk that might have a test number for us */
|
||||||
|
+static int parse_cmdfile(struct httprequest *req)
|
||||||
|
+{
|
||||||
|
+ int testnum = DOCNUMBER_NOTHING;
|
||||||
|
+ char buf[256];
|
||||||
|
+ FILE *f = fopen(cmdfile, FOPEN_READTEXT);
|
||||||
|
+ if(f) {
|
||||||
|
+ while(fgets(buf, sizeof(buf), f)) {
|
||||||
|
+ if(1 == sscanf(buf, "Testnum %d", &testnum)) {
|
||||||
|
+ logmsg("[%s] cmdfile says testnum %d", cmdfile, testnum);
|
||||||
|
+ req->testno = testnum;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ fclose(f);
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* based on the testno, parse the correct server commands */
|
||||||
|
static int parse_servercmd(struct httprequest *req)
|
||||||
|
{
|
||||||
|
@@ -622,34 +644,41 @@ static int ProcessRequest(struct httprequest *req)
|
||||||
|
|
||||||
|
/* get the number after it */
|
||||||
|
if(ptr) {
|
||||||
|
+ long num;
|
||||||
|
ptr++; /* skip the dot */
|
||||||
|
|
||||||
|
- req->testno = strtol(ptr, &ptr, 10);
|
||||||
|
+ num = strtol(ptr, &ptr, 10);
|
||||||
|
|
||||||
|
- if(req->testno > 10000) {
|
||||||
|
- req->partno = req->testno % 10000;
|
||||||
|
- req->testno /= 10000;
|
||||||
|
+ if(num) {
|
||||||
|
+ req->testno = num;
|
||||||
|
+ if(req->testno > 10000) {
|
||||||
|
+ req->partno = req->testno % 10000;
|
||||||
|
+ req->testno /= 10000;
|
||||||
|
|
||||||
|
- logmsg("found test %d in requested host name", req->testno);
|
||||||
|
+ logmsg("found test %d in requested host name", req->testno);
|
||||||
|
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ req->partno = 0;
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
- req->partno = 0;
|
||||||
|
|
||||||
|
- snprintf(logbuf, sizeof(logbuf),
|
||||||
|
- "Requested test number %ld part %ld (from host name)",
|
||||||
|
+ if(req->testno != DOCNUMBER_NOTHING) {
|
||||||
|
+ logmsg("Requested test number %ld part %ld (from host name)",
|
||||||
|
req->testno, req->partno);
|
||||||
|
- logmsg("%s", logbuf);
|
||||||
|
-
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if(!req->testno) {
|
||||||
|
- logmsg("Did not find test number in PATH");
|
||||||
|
- req->testno = DOCNUMBER_404;
|
||||||
|
- }
|
||||||
|
- else
|
||||||
|
- parse_servercmd(req);
|
||||||
|
+ if(req->testno == DOCNUMBER_NOTHING)
|
||||||
|
+ /* might get the test number */
|
||||||
|
+ parse_cmdfile(req);
|
||||||
|
+
|
||||||
|
+ if(req->testno == DOCNUMBER_NOTHING) {
|
||||||
|
+ logmsg("Did not find test number in PATH");
|
||||||
|
+ req->testno = DOCNUMBER_404;
|
||||||
|
}
|
||||||
|
+ else
|
||||||
|
+ parse_servercmd(req);
|
||||||
|
}
|
||||||
|
else if((req->offset >= 3) && (req->testno == DOCNUMBER_NOTHING)) {
|
||||||
|
logmsg("** Unusual request. Starts with %02x %02x %02x (%c%c%c)",
|
||||||
|
@@ -2038,6 +2067,11 @@ int main(int argc, char *argv[])
|
||||||
|
if(argc>arg)
|
||||||
|
serverlogfile = argv[arg++];
|
||||||
|
}
|
||||||
|
+ else if(!strcmp("--cmdfile", argv[arg])) {
|
||||||
|
+ arg++;
|
||||||
|
+ if(argc>arg)
|
||||||
|
+ cmdfile = argv[arg++];
|
||||||
|
+ }
|
||||||
|
else if(!strcmp("--gopher", argv[arg])) {
|
||||||
|
arg++;
|
||||||
|
use_gopher = TRUE;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 9fa56a1e3ae7feff14668d8abd892fa028a9f32e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 13:05:40 +0200
|
||||||
|
Subject: [PATCH 5/6] http: avoid auth/cookie on redirects same host diff port
|
||||||
|
|
||||||
|
CVE-2022-27776
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27776.html
|
||||||
|
Closes #8749
|
||||||
|
|
||||||
|
Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http.c | 33 +++++++++++++++++++++------------
|
||||||
|
lib/urldata.h | 16 +++++++++-------
|
||||||
|
2 files changed, 30 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index 0b5e476..39fc7aa 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -688,6 +688,21 @@ output_auth_headers(struct connectdata *conn,
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
||||||
|
+ * data" can (still) be sent to this host.
|
||||||
|
+ */
|
||||||
|
+static bool allow_auth_to_host(struct connectdata *conn)
|
||||||
|
+{
|
||||||
|
+ struct Curl_easy *data = conn->data;
|
||||||
|
+ return (!data->state.this_is_a_follow ||
|
||||||
|
+ data->set.allow_auth_to_other_hosts ||
|
||||||
|
+ (data->state.first_host &&
|
||||||
|
+ strcasecompare(data->state.first_host, conn->host.name) &&
|
||||||
|
+ (data->state.first_remote_port == conn->remote_port) &&
|
||||||
|
+ (data->state.first_remote_protocol == conn->handler->protocol)));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* Curl_http_output_auth() setups the authentication headers for the
|
||||||
|
* host/proxy and the correct authentication
|
||||||
|
@@ -756,15 +771,11 @@ Curl_http_output_auth(struct connectdata *conn,
|
||||||
|
with it */
|
||||||
|
authproxy->done = TRUE;
|
||||||
|
|
||||||
|
- /* To prevent the user+password to get sent to other than the original
|
||||||
|
- host due to a location-follow, we do some weirdo checks here */
|
||||||
|
- if(!data->state.this_is_a_follow ||
|
||||||
|
- conn->bits.netrc ||
|
||||||
|
- !data->state.first_host ||
|
||||||
|
- data->set.allow_auth_to_other_hosts ||
|
||||||
|
- strcasecompare(data->state.first_host, conn->host.name)) {
|
||||||
|
+ /* To prevent the user+password to get sent to other than the original host
|
||||||
|
+ due to a location-follow */
|
||||||
|
+ if(allow_auth_to_host(conn)
|
||||||
|
+ || conn->bits.netrc)
|
||||||
|
result = output_auth_headers(conn, authhost, request, path, FALSE);
|
||||||
|
- }
|
||||||
|
else
|
||||||
|
authhost->done = TRUE;
|
||||||
|
|
||||||
|
@@ -1778,10 +1789,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
|
||||||
|
checkprefix("Cookie:", headers->data)) &&
|
||||||
|
/* be careful of sending this potentially sensitive header to
|
||||||
|
other hosts */
|
||||||
|
- (data->state.this_is_a_follow &&
|
||||||
|
- data->state.first_host &&
|
||||||
|
- !data->set.allow_auth_to_other_hosts &&
|
||||||
|
- !strcasecompare(data->state.first_host, conn->host.name)))
|
||||||
|
+ !allow_auth_to_host(conn))
|
||||||
|
;
|
||||||
|
else {
|
||||||
|
result = Curl_add_bufferf(req_buffer, "%s\r\n", headers->data);
|
||||||
|
@@ -1937,6 +1945,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
data->state.first_remote_port = conn->remote_port;
|
||||||
|
+ data->state.first_remote_protocol = conn->handler->protocol;
|
||||||
|
}
|
||||||
|
http->writebytecount = http->readbytecount = 0;
|
||||||
|
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index d3b971c..4bb0a84 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -1231,13 +1231,15 @@ struct UrlState {
|
||||||
|
bytes / second */
|
||||||
|
bool this_is_a_follow; /* this is a followed Location: request */
|
||||||
|
bool refused_stream; /* this was refused, try again */
|
||||||
|
- char *first_host; /* host name of the first (not followed) request.
|
||||||
|
- if set, this should be the host name that we will
|
||||||
|
- sent authorization to, no else. Used to make Location:
|
||||||
|
- following not keep sending user+password... This is
|
||||||
|
- strdup() data.
|
||||||
|
- */
|
||||||
|
- int first_remote_port; /* remote port of the first (not followed) request */
|
||||||
|
+
|
||||||
|
+ /* host name, port number and protocol of the first (not followed) request.
|
||||||
|
+ if set, this should be the host name that we will sent authorization to,
|
||||||
|
+ no else. Used to make Location: following not keep sending user+password.
|
||||||
|
+ This is strdup()ed data. */
|
||||||
|
+ char *first_host;
|
||||||
|
+ int first_remote_port;
|
||||||
|
+ unsigned int first_remote_protocol;
|
||||||
|
+
|
||||||
|
struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
|
||||||
|
long sessionage; /* number of the most recent session */
|
||||||
|
unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From a8bb1e37e22788abaca37c59cf447d690fdcdfa4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 13:05:47 +0200
|
||||||
|
Subject: [PATCH 6/6] test898: verify the fix for CVE-2022-27776
|
||||||
|
|
||||||
|
Do not pass on Authorization headers on redirects to another port
|
||||||
|
|
||||||
|
Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test898 | 91 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 92 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test898
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 77e85fd..58c9e31 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -99,7 +99,7 @@ test850 test851 test852 test853 test854 test855 test856 test857 test858 \
|
||||||
|
test859 test860 test861 test862 test863 test864 test865 test866 test867 \
|
||||||
|
test868 test869 test870 test871 test872 test873 test874 test875 test876 \
|
||||||
|
test877 test878 test879 test880 test881 test882 test883 test884 test885 \
|
||||||
|
-test886 test887 test888 test889 test890 test891 \
|
||||||
|
+test886 test887 test888 test889 test890 test891 test898 \
|
||||||
|
\
|
||||||
|
test900 test901 test902 test903 test904 test905 test906 test907 test908 \
|
||||||
|
test909 test910 test911 test912 test913 test914 test915 test916 test917 \
|
||||||
|
diff --git a/tests/data/test898 b/tests/data/test898
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..e295c26
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test898
|
||||||
|
@@ -0,0 +1,91 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+--location
|
||||||
|
+Authorization
|
||||||
|
+Cookie
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/8980002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/8980002
|
||||||
|
+
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with custom auth and cookies redirected to HTTP on a diff port
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<strip>
|
||||||
|
+^User-Agent:.*
|
||||||
|
+</strip>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
|
+Host: firsthost.com
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+Cookie: userpwd=am9lOnNlY3JldA==
|
||||||
|
+
|
||||||
|
+GET http://firsthost.com:9999/a/path/8980002 HTTP/1.1
|
||||||
|
+Host: firsthost.com:9999
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
|
From 48f126157d36962e458bf12f90b50cfcef26eee9 Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
|
Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
|
||||||
@ -13,39 +13,39 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|||||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/lib/connect.c b/lib/connect.c
|
diff --git a/lib/connect.c b/lib/connect.c
|
||||||
index 64f9511..7518807 100644
|
index f724646..12a8aae 100644
|
||||||
--- a/lib/connect.c
|
--- a/lib/connect.c
|
||||||
+++ b/lib/connect.c
|
+++ b/lib/connect.c
|
||||||
@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
|
@@ -614,6 +614,7 @@ void Curl_persistconninfo(struct connectdata *conn)
|
||||||
data->info.conn_scheme = conn->handler->scheme;
|
conn->data->info.conn_scheme = conn->handler->scheme;
|
||||||
data->info.conn_protocol = conn->handler->protocol;
|
conn->data->info.conn_protocol = conn->handler->protocol;
|
||||||
data->info.conn_primary_port = conn->port;
|
conn->data->info.conn_primary_port = conn->primary_port;
|
||||||
+ data->info.conn_remote_port = conn->remote_port;
|
+ conn->data->info.conn_remote_port = conn->remote_port;
|
||||||
data->info.conn_local_port = local_port;
|
conn->data->info.conn_local_port = conn->local_port;
|
||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
index f92052a..5218f76 100644
|
index 4bb0a84..cadf0e5 100644
|
||||||
--- a/lib/urldata.h
|
--- a/lib/urldata.h
|
||||||
+++ b/lib/urldata.h
|
+++ b/lib/urldata.h
|
||||||
@@ -1167,7 +1167,11 @@ struct PureInfo {
|
@@ -1050,7 +1050,11 @@ struct PureInfo {
|
||||||
reused, in the connection cache. */
|
reused, in the connection cache. */
|
||||||
|
|
||||||
char conn_primary_ip[MAX_IPADR_LEN];
|
char conn_primary_ip[MAX_IPADR_LEN];
|
||||||
- int conn_primary_port;
|
- long conn_primary_port;
|
||||||
+ int conn_primary_port; /* this is the destination port to the connection,
|
+ long conn_primary_port;/* this is the destination port to the connection,
|
||||||
+ which might have been a proxy */
|
+ which might have been a proxy */
|
||||||
+ int conn_remote_port; /* this is the "remote port", which is the port
|
+ int conn_remote_port; /* this is the "remote port", which is the port
|
||||||
+ number of the used URL, independent of proxy or
|
+ number of the used URL, independent of proxy or
|
||||||
+ not */
|
+ not */
|
||||||
|
|
||||||
char conn_local_ip[MAX_IPADR_LEN];
|
char conn_local_ip[MAX_IPADR_LEN];
|
||||||
int conn_local_port;
|
long conn_local_port;
|
||||||
const char *conn_scheme;
|
|
||||||
--
|
--
|
||||||
2.34.1
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
|
From 6307fa6f9784402ba58697f46ba04354225391b7 Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
|
Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
|
||||||
@ -60,77 +60,149 @@ Closes #8748
|
|||||||
Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
|
Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
---
|
---
|
||||||
lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
|
lib/transfer.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
1 file changed, 48 insertions(+), 1 deletion(-)
|
lib/url.c | 27 ++++++++++++++--------
|
||||||
|
lib/urldata.h | 1 +
|
||||||
|
3 files changed, 81 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/transfer.c b/lib/transfer.c
|
diff --git a/lib/transfer.c b/lib/transfer.c
|
||||||
index 1f8019b..752fe14 100644
|
index ad5a7ba..2022cba 100644
|
||||||
--- a/lib/transfer.c
|
--- a/lib/transfer.c
|
||||||
+++ b/lib/transfer.c
|
+++ b/lib/transfer.c
|
||||||
@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
@@ -1370,6 +1370,7 @@ CURLcode Curl_pretransfer(struct Curl_easy *data)
|
||||||
return CURLE_OUT_OF_MEMORY;
|
data->state.wildcardmatch = data->set.wildcard_enabled;
|
||||||
|
data->set.followlocation = 0; /* reset the location-follow counter */
|
||||||
|
data->state.this_is_a_follow = FALSE; /* reset this */
|
||||||
|
+ data->state.this_is_a_follow_without_auth = FALSE;
|
||||||
|
data->state.errorbuf = FALSE; /* no error has occurred */
|
||||||
|
data->state.httpversion = 0; /* don't assume any particular server version */
|
||||||
|
|
||||||
|
@@ -1554,6 +1555,68 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||||||
|
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
-
|
|
||||||
uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
|
|
||||||
if(uc)
|
|
||||||
return Curl_uc_to_curlcode(uc);
|
|
||||||
+
|
|
||||||
+ /* Clear auth if this redirects to a different port number or protocol,
|
+ /* Clear auth if this redirects to a different port number or protocol,
|
||||||
+ unless permitted */
|
+ unless permitted */
|
||||||
+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
|
+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
|
||||||
+ char *portnum;
|
|
||||||
+ int port;
|
+ int port;
|
||||||
+ bool clear = FALSE;
|
+ bool clear = FALSE;
|
||||||
+
|
+
|
||||||
|
+ CURLU *u = curl_url();
|
||||||
|
+ if(!u)
|
||||||
|
+ return CURLE_OUT_OF_MEMORY;
|
||||||
|
+
|
||||||
|
+ uc = curl_url_set(u, CURLUPART_URL, newurl,
|
||||||
|
+ ((type == FOLLOW_REDIR) ? CURLU_URLENCODE : 0));
|
||||||
|
+ if(uc) {
|
||||||
|
+ infof(data, "Clear auth, curl_url_set() failed\n");
|
||||||
|
+ clear = TRUE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if(!clear) {
|
||||||
+ if(data->set.use_port && data->state.allow_port)
|
+ if(data->set.use_port && data->state.allow_port)
|
||||||
+ /* a custom port is used */
|
+ /* a custom port is used */
|
||||||
+ port = (int)data->set.use_port;
|
+ port = (int)data->set.use_port;
|
||||||
+ else {
|
+ else {
|
||||||
+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
|
+ char *portnum;
|
||||||
+ CURLU_DEFAULT_PORT);
|
+ uc = curl_url_get(u, CURLUPART_PORT, &portnum, CURLU_DEFAULT_PORT);
|
||||||
+ if(uc) {
|
+ if(uc) {
|
||||||
+ free(newurl);
|
+ infof(data, "Clear auth, failed to parse port number\n");
|
||||||
+ return Curl_uc_to_curlcode(uc);
|
|
||||||
+ }
|
|
||||||
+ port = atoi(portnum);
|
|
||||||
+ free(portnum);
|
|
||||||
+ }
|
|
||||||
+ if(port != data->info.conn_remote_port) {
|
|
||||||
+ infof(data, "Clear auth, redirects to port from %u to %u",
|
|
||||||
+ data->info.conn_remote_port, port);
|
|
||||||
+ clear = TRUE;
|
+ clear = TRUE;
|
||||||
+ }
|
+ }
|
||||||
+ else {
|
+ else {
|
||||||
|
+ port = atoi(portnum);
|
||||||
|
+ free(portnum);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if(!clear && port != data->info.conn_remote_port) {
|
||||||
|
+ infof(data, "Clear auth, redirects to port from %u to %u\n",
|
||||||
|
+ data->info.conn_remote_port, port);
|
||||||
|
+ clear = TRUE;
|
||||||
|
+ }
|
||||||
|
+ if(!clear) {
|
||||||
+ char *scheme;
|
+ char *scheme;
|
||||||
+ const struct Curl_handler *p;
|
+ const struct Curl_handler *p;
|
||||||
+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
|
+ uc = curl_url_get(u, CURLUPART_SCHEME, &scheme, 0);
|
||||||
+ if(uc) {
|
+ if(uc) {
|
||||||
+ free(newurl);
|
+ infof(data, "Clear auth, failed to parse scheme\n");
|
||||||
+ return Curl_uc_to_curlcode(uc);
|
+ clear = TRUE;
|
||||||
+ }
|
+ }
|
||||||
+
|
+ else {
|
||||||
+ p = Curl_builtin_scheme(scheme);
|
+ p = Curl_builtin_scheme(scheme);
|
||||||
+ if(p && (p->protocol != data->info.conn_protocol)) {
|
+ if(p && (p->protocol != data->info.conn_protocol)) {
|
||||||
+ infof(data, "Clear auth, redirects scheme from %s to %s",
|
+ infof(data, "Clear auth, redirects scheme from %s to %s\n",
|
||||||
+ data->info.conn_scheme, scheme);
|
+ data->info.conn_scheme, scheme);
|
||||||
+ clear = TRUE;
|
+ clear = TRUE;
|
||||||
+ }
|
+ }
|
||||||
+ free(scheme);
|
+ free(scheme);
|
||||||
+ }
|
+ }
|
||||||
+ if(clear) {
|
|
||||||
+ Curl_safefree(data->state.aptr.user);
|
|
||||||
+ Curl_safefree(data->state.aptr.passwd);
|
|
||||||
+ }
|
+ }
|
||||||
|
+ if(clear)
|
||||||
|
+ data->state.this_is_a_follow_without_auth = TRUE;
|
||||||
|
+ curl_url_cleanup(u);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if(type == FOLLOW_FAKE) {
|
||||||
|
/* we're only figuring out the new url if we would've followed locations
|
||||||
|
but now we're done so we can get out! */
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index ed3c933..7dd5267 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -3483,18 +3483,25 @@ static CURLcode override_login(struct Curl_easy *data,
|
||||||
|
struct connectdata *conn,
|
||||||
|
char **userp, char **passwdp, char **optionsp)
|
||||||
|
{
|
||||||
|
- if(data->set.str[STRING_USERNAME]) {
|
||||||
|
- free(*userp);
|
||||||
|
- *userp = strdup(data->set.str[STRING_USERNAME]);
|
||||||
|
- if(!*userp)
|
||||||
|
- return CURLE_OUT_OF_MEMORY;
|
||||||
|
+ if(data->state.this_is_a_follow
|
||||||
|
+ && data->state.this_is_a_follow_without_auth)
|
||||||
|
+ {
|
||||||
|
+ conn->bits.user_passwd = FALSE;
|
||||||
|
}
|
||||||
|
+ else {
|
||||||
|
+ if(data->set.str[STRING_USERNAME]) {
|
||||||
|
+ free(*userp);
|
||||||
|
+ *userp = strdup(data->set.str[STRING_USERNAME]);
|
||||||
|
+ if(!*userp)
|
||||||
|
+ return CURLE_OUT_OF_MEMORY;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if(data->set.str[STRING_PASSWORD]) {
|
||||||
|
- free(*passwdp);
|
||||||
|
- *passwdp = strdup(data->set.str[STRING_PASSWORD]);
|
||||||
|
- if(!*passwdp)
|
||||||
|
- return CURLE_OUT_OF_MEMORY;
|
||||||
|
+ if(data->set.str[STRING_PASSWORD]) {
|
||||||
|
+ free(*passwdp);
|
||||||
|
+ *passwdp = strdup(data->set.str[STRING_PASSWORD]);
|
||||||
|
+ if(!*passwdp)
|
||||||
|
+ return CURLE_OUT_OF_MEMORY;
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
|
|
||||||
if(type == FOLLOW_FAKE) {
|
if(data->set.str[STRING_OPTIONS]) {
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index cadf0e5..026684b 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -1234,6 +1234,7 @@ struct UrlState {
|
||||||
|
curl_off_t current_speed; /* the ProgressShow() function sets this,
|
||||||
|
bytes / second */
|
||||||
|
bool this_is_a_follow; /* this is a followed Location: request */
|
||||||
|
+ bool this_is_a_follow_without_auth;
|
||||||
|
bool refused_stream; /* this was refused, try again */
|
||||||
|
|
||||||
|
/* host name, port number and protocol of the first (not followed) request.
|
||||||
--
|
--
|
||||||
2.34.1
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
|
From b142f97840dfb033a1776d5a2986385da7753224 Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
|
Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
|
||||||
@ -145,34 +217,34 @@ Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
|
|||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
---
|
---
|
||||||
tests/data/Makefile.inc | 1 +
|
tests/data/Makefile.inc | 1 +
|
||||||
tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++
|
tests/data/test973 | 90 +++++++++++++++++++++++++++++++++++++++++
|
||||||
tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++
|
tests/data/test974 | 88 ++++++++++++++++++++++++++++++++++++++++
|
||||||
tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++
|
tests/data/test975 | 90 +++++++++++++++++++++++++++++++++++++++++
|
||||||
tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++
|
tests/data/test976 | 89 ++++++++++++++++++++++++++++++++++++++++
|
||||||
5 files changed, 352 insertions(+)
|
5 files changed, 358 insertions(+)
|
||||||
create mode 100644 tests/data/test973
|
create mode 100644 tests/data/test973
|
||||||
create mode 100644 tests/data/test974
|
create mode 100644 tests/data/test974
|
||||||
create mode 100644 tests/data/test975
|
create mode 100644 tests/data/test975
|
||||||
create mode 100644 tests/data/test976
|
create mode 100644 tests/data/test976
|
||||||
|
|
||||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
index 7ae2cf8..175fc43 100644
|
index 58c9e31..6c920ff 100644
|
||||||
--- a/tests/data/Makefile.inc
|
--- a/tests/data/Makefile.inc
|
||||||
+++ b/tests/data/Makefile.inc
|
+++ b/tests/data/Makefile.inc
|
||||||
@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
@@ -108,6 +108,7 @@ test927 test928 test929 test930 test931 test932 test933 test934 test935 \
|
||||||
test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
||||||
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
test945 test946 test947 test948 test949 test950 test951 test952 \
|
||||||
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
|
||||||
+test973 test974 test975 test976 \
|
|
||||||
\
|
\
|
||||||
|
+test973 test974 test975 test976 \
|
||||||
test980 test981 test982 test983 test984 test985 test986 \
|
test980 test981 test982 test983 test984 test985 test986 \
|
||||||
\
|
\
|
||||||
|
test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
|
||||||
diff --git a/tests/data/test973 b/tests/data/test973
|
diff --git a/tests/data/test973 b/tests/data/test973
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..6ced107
|
index 0000000..6fe6ce0
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/tests/data/test973
|
+++ b/tests/data/test973
|
||||||
@@ -0,0 +1,88 @@
|
@@ -0,0 +1,90 @@
|
||||||
+<testcase>
|
+<testcase>
|
||||||
+<info>
|
+<info>
|
||||||
+<keywords>
|
+<keywords>
|
||||||
@ -192,7 +264,7 @@ index 0000000..6ced107
|
|||||||
+Content-Length: 0
|
+Content-Length: 0
|
||||||
+Connection: close
|
+Connection: close
|
||||||
+Content-Type: text/html
|
+Content-Type: text/html
|
||||||
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
+Location: ftp://127.0.0.1:8992/a/path/9730002
|
||||||
+
|
+
|
||||||
+</data>
|
+</data>
|
||||||
+<data2>
|
+<data2>
|
||||||
@ -211,7 +283,7 @@ index 0000000..6ced107
|
|||||||
+Content-Length: 0
|
+Content-Length: 0
|
||||||
+Connection: close
|
+Connection: close
|
||||||
+Content-Type: text/html
|
+Content-Type: text/html
|
||||||
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
+Location: ftp://127.0.0.1:8992/a/path/9730002
|
||||||
+
|
+
|
||||||
+data
|
+data
|
||||||
+ to
|
+ to
|
||||||
@ -234,18 +306,20 @@ index 0000000..6ced107
|
|||||||
+HTTP with auth redirected to FTP w/o auth
|
+HTTP with auth redirected to FTP w/o auth
|
||||||
+ </name>
|
+ </name>
|
||||||
+ <command>
|
+ <command>
|
||||||
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
|
+http://%HOSTIP:%HTTPPORT/973 -L -u joe:secret
|
||||||
+</command>
|
+</command>
|
||||||
+</client>
|
+</client>
|
||||||
+
|
+
|
||||||
+#
|
+#
|
||||||
+# Verify data after the test has been "shot"
|
+# Verify data after the test has been "shot"
|
||||||
+<verify>
|
+<verify>
|
||||||
|
+<strip>
|
||||||
|
+^User-Agent:.*
|
||||||
|
+</strip>
|
||||||
+<protocol>
|
+<protocol>
|
||||||
+GET /%TESTNUMBER HTTP/1.1
|
+GET /973 HTTP/1.1
|
||||||
+Host: %HOSTIP:%HTTPPORT
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
+Authorization: Basic am9lOnNlY3JldA==
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
+Accept: */*
|
||||||
+
|
+
|
||||||
+USER anonymous
|
+USER anonymous
|
||||||
@ -255,18 +329,18 @@ index 0000000..6ced107
|
|||||||
+CWD path
|
+CWD path
|
||||||
+EPSV
|
+EPSV
|
||||||
+TYPE I
|
+TYPE I
|
||||||
+SIZE %TESTNUMBER0002
|
+SIZE 9730002
|
||||||
+RETR %TESTNUMBER0002
|
+RETR 9730002
|
||||||
+QUIT
|
+QUIT
|
||||||
+</protocol>
|
+</protocol>
|
||||||
+</verify>
|
+</verify>
|
||||||
+</testcase>
|
+</testcase>
|
||||||
diff --git a/tests/data/test974 b/tests/data/test974
|
diff --git a/tests/data/test974 b/tests/data/test974
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..ac4e641
|
index 0000000..de02d89
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/tests/data/test974
|
+++ b/tests/data/test974
|
||||||
@@ -0,0 +1,87 @@
|
@@ -0,0 +1,88 @@
|
||||||
+<testcase>
|
+<testcase>
|
||||||
+<info>
|
+<info>
|
||||||
+<keywords>
|
+<keywords>
|
||||||
@ -285,7 +359,7 @@ index 0000000..ac4e641
|
|||||||
+Content-Length: 0
|
+Content-Length: 0
|
||||||
+Connection: close
|
+Connection: close
|
||||||
+Content-Type: text/html
|
+Content-Type: text/html
|
||||||
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
+Location: http://firsthost.com:9999/a/path/9740002
|
||||||
+
|
+
|
||||||
+</data>
|
+</data>
|
||||||
+<data2>
|
+<data2>
|
||||||
@ -306,7 +380,7 @@ index 0000000..ac4e641
|
|||||||
+Content-Length: 0
|
+Content-Length: 0
|
||||||
+Connection: close
|
+Connection: close
|
||||||
+Content-Type: text/html
|
+Content-Type: text/html
|
||||||
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
+Location: http://firsthost.com:9999/a/path/9740002
|
||||||
+
|
+
|
||||||
+HTTP/1.1 200 OK
|
+HTTP/1.1 200 OK
|
||||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
@ -337,17 +411,18 @@ index 0000000..ac4e641
|
|||||||
+#
|
+#
|
||||||
+# Verify data after the test has been "shot"
|
+# Verify data after the test has been "shot"
|
||||||
+<verify>
|
+<verify>
|
||||||
|
+<strip>
|
||||||
|
+^User-Agent:.*
|
||||||
|
+</strip>
|
||||||
+<protocol>
|
+<protocol>
|
||||||
+GET http://firsthost.com/ HTTP/1.1
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
+Host: firsthost.com
|
+Host: firsthost.com
|
||||||
+Authorization: Basic am9lOnNlY3JldA==
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
+Accept: */*
|
||||||
+Proxy-Connection: Keep-Alive
|
+Proxy-Connection: Keep-Alive
|
||||||
+
|
+
|
||||||
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
+GET http://firsthost.com:9999/a/path/9740002 HTTP/1.1
|
||||||
+Host: firsthost.com:9999
|
+Host: firsthost.com:9999
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
+Accept: */*
|
||||||
+Proxy-Connection: Keep-Alive
|
+Proxy-Connection: Keep-Alive
|
||||||
+
|
+
|
||||||
@ -356,10 +431,10 @@ index 0000000..ac4e641
|
|||||||
+</testcase>
|
+</testcase>
|
||||||
diff --git a/tests/data/test975 b/tests/data/test975
|
diff --git a/tests/data/test975 b/tests/data/test975
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..85e03e4
|
index 0000000..3a4eccf
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/tests/data/test975
|
+++ b/tests/data/test975
|
||||||
@@ -0,0 +1,88 @@
|
@@ -0,0 +1,90 @@
|
||||||
+<testcase>
|
+<testcase>
|
||||||
+<info>
|
+<info>
|
||||||
+<keywords>
|
+<keywords>
|
||||||
@ -379,7 +454,7 @@ index 0000000..85e03e4
|
|||||||
+Content-Length: 0
|
+Content-Length: 0
|
||||||
+Connection: close
|
+Connection: close
|
||||||
+Content-Type: text/html
|
+Content-Type: text/html
|
||||||
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
+Location: ftp://127.0.0.1:8992/a/path/9750002
|
||||||
+
|
+
|
||||||
+</data>
|
+</data>
|
||||||
+<data2>
|
+<data2>
|
||||||
@ -398,7 +473,7 @@ index 0000000..85e03e4
|
|||||||
+Content-Length: 0
|
+Content-Length: 0
|
||||||
+Connection: close
|
+Connection: close
|
||||||
+Content-Type: text/html
|
+Content-Type: text/html
|
||||||
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
+Location: ftp://127.0.0.1:8992/a/path/9750002
|
||||||
+
|
+
|
||||||
+data
|
+data
|
||||||
+ to
|
+ to
|
||||||
@ -421,18 +496,20 @@ index 0000000..85e03e4
|
|||||||
+HTTP with auth redirected to FTP allowing auth to continue
|
+HTTP with auth redirected to FTP allowing auth to continue
|
||||||
+ </name>
|
+ </name>
|
||||||
+ <command>
|
+ <command>
|
||||||
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
|
+http://%HOSTIP:%HTTPPORT/975 --location-trusted -u joe:secret
|
||||||
+</command>
|
+</command>
|
||||||
+</client>
|
+</client>
|
||||||
+
|
+
|
||||||
+#
|
+#
|
||||||
+# Verify data after the test has been "shot"
|
+# Verify data after the test has been "shot"
|
||||||
+<verify>
|
+<verify>
|
||||||
|
+<strip>
|
||||||
|
+^User-Agent:.*
|
||||||
|
+</strip>
|
||||||
+<protocol>
|
+<protocol>
|
||||||
+GET /%TESTNUMBER HTTP/1.1
|
+GET /975 HTTP/1.1
|
||||||
+Host: %HOSTIP:%HTTPPORT
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
+Authorization: Basic am9lOnNlY3JldA==
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
+Accept: */*
|
||||||
+
|
+
|
||||||
+USER joe
|
+USER joe
|
||||||
@ -442,18 +519,18 @@ index 0000000..85e03e4
|
|||||||
+CWD path
|
+CWD path
|
||||||
+EPSV
|
+EPSV
|
||||||
+TYPE I
|
+TYPE I
|
||||||
+SIZE %TESTNUMBER0002
|
+SIZE 9750002
|
||||||
+RETR %TESTNUMBER0002
|
+RETR 9750002
|
||||||
+QUIT
|
+QUIT
|
||||||
+</protocol>
|
+</protocol>
|
||||||
+</verify>
|
+</verify>
|
||||||
+</testcase>
|
+</testcase>
|
||||||
diff --git a/tests/data/test976 b/tests/data/test976
|
diff --git a/tests/data/test976 b/tests/data/test976
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..c4dd61e
|
index 0000000..3b6fac7
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/tests/data/test976
|
+++ b/tests/data/test976
|
||||||
@@ -0,0 +1,88 @@
|
@@ -0,0 +1,89 @@
|
||||||
+<testcase>
|
+<testcase>
|
||||||
+<info>
|
+<info>
|
||||||
+<keywords>
|
+<keywords>
|
||||||
@ -472,7 +549,7 @@ index 0000000..c4dd61e
|
|||||||
+Content-Length: 0
|
+Content-Length: 0
|
||||||
+Connection: close
|
+Connection: close
|
||||||
+Content-Type: text/html
|
+Content-Type: text/html
|
||||||
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
+Location: http://firsthost.com:9999/a/path/9760002
|
||||||
+
|
+
|
||||||
+</data>
|
+</data>
|
||||||
+<data2>
|
+<data2>
|
||||||
@ -493,7 +570,7 @@ index 0000000..c4dd61e
|
|||||||
+Content-Length: 0
|
+Content-Length: 0
|
||||||
+Connection: close
|
+Connection: close
|
||||||
+Content-Type: text/html
|
+Content-Type: text/html
|
||||||
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
+Location: http://firsthost.com:9999/a/path/9760002
|
||||||
+
|
+
|
||||||
+HTTP/1.1 200 OK
|
+HTTP/1.1 200 OK
|
||||||
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
@ -524,18 +601,19 @@ index 0000000..c4dd61e
|
|||||||
+#
|
+#
|
||||||
+# Verify data after the test has been "shot"
|
+# Verify data after the test has been "shot"
|
||||||
+<verify>
|
+<verify>
|
||||||
|
+<strip>
|
||||||
|
+^User-Agent:.*
|
||||||
|
+</strip>
|
||||||
+<protocol>
|
+<protocol>
|
||||||
+GET http://firsthost.com/ HTTP/1.1
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
+Host: firsthost.com
|
+Host: firsthost.com
|
||||||
+Authorization: Basic am9lOnNlY3JldA==
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
+Accept: */*
|
||||||
+Proxy-Connection: Keep-Alive
|
+Proxy-Connection: Keep-Alive
|
||||||
+
|
+
|
||||||
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
+GET http://firsthost.com:9999/a/path/9760002 HTTP/1.1
|
||||||
+Host: firsthost.com:9999
|
+Host: firsthost.com:9999
|
||||||
+Authorization: Basic am9lOnNlY3JldA==
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
+User-Agent: curl/%VERSION
|
|
||||||
+Accept: */*
|
+Accept: */*
|
||||||
+Proxy-Connection: Keep-Alive
|
+Proxy-Connection: Keep-Alive
|
||||||
+
|
+
|
||||||
@ -546,7 +624,7 @@ index 0000000..c4dd61e
|
|||||||
2.34.1
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
|
From cf98bd64b9949c50d4726eb26745c2f7fdf3a075 Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 25 Apr 2022 17:59:15 +0200
|
Date: Mon, 25 Apr 2022 17:59:15 +0200
|
||||||
Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
|
Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
|
||||||
@ -566,10 +644,10 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|||||||
3 files changed, 13 insertions(+), 6 deletions(-)
|
3 files changed, 13 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/http.c b/lib/http.c
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
index 0791dcf..4433824 100644
|
index 39fc7aa..d413738 100644
|
||||||
--- a/lib/http.c
|
--- a/lib/http.c
|
||||||
+++ b/lib/http.c
|
+++ b/lib/http.c
|
||||||
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
|
@@ -689,10 +689,10 @@ output_auth_headers(struct connectdata *conn,
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -578,34 +656,34 @@ index 0791dcf..4433824 100644
|
|||||||
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
||||||
+ * "sensitive data" can (still) be sent to this host.
|
+ * "sensitive data" can (still) be sent to this host.
|
||||||
*/
|
*/
|
||||||
-static bool allow_auth_to_host(struct Curl_easy *data)
|
-static bool allow_auth_to_host(struct connectdata *conn)
|
||||||
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
|
+bool Curl_allow_auth_to_host(struct connectdata *conn)
|
||||||
{
|
{
|
||||||
struct connectdata *conn = data->conn;
|
struct Curl_easy *data = conn->data;
|
||||||
return (!data->state.this_is_a_follow ||
|
return (!data->state.this_is_a_follow ||
|
||||||
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
|
@@ -773,7 +773,7 @@ Curl_http_output_auth(struct connectdata *conn,
|
||||||
|
|
||||||
/* To prevent the user+password to get sent to other than the original host
|
/* To prevent the user+password to get sent to other than the original host
|
||||||
due to a location-follow */
|
due to a location-follow */
|
||||||
- if(allow_auth_to_host(data)
|
- if(allow_auth_to_host(conn)
|
||||||
+ if(Curl_allow_auth_to_host(data)
|
+ if(Curl_allow_auth_to_host(conn)
|
||||||
|| conn->bits.netrc)
|
|| conn->bits.netrc)
|
||||||
result = output_auth_headers(data, conn, authhost, request, path, FALSE);
|
result = output_auth_headers(conn, authhost, request, path, FALSE);
|
||||||
else
|
else
|
||||||
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
|
@@ -1789,7 +1789,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
|
||||||
checkprefix("Cookie:", compare)) &&
|
checkprefix("Cookie:", headers->data)) &&
|
||||||
/* be careful of sending this potentially sensitive header to
|
/* be careful of sending this potentially sensitive header to
|
||||||
other hosts */
|
other hosts */
|
||||||
- !allow_auth_to_host(data))
|
- !allow_auth_to_host(conn))
|
||||||
+ !Curl_allow_auth_to_host(data))
|
+ !Curl_allow_auth_to_host(conn))
|
||||||
;
|
;
|
||||||
else {
|
else {
|
||||||
#ifdef USE_HYPER
|
result = Curl_add_bufferf(req_buffer, "%s\r\n", headers->data);
|
||||||
diff --git a/lib/http.h b/lib/http.h
|
diff --git a/lib/http.h b/lib/http.h
|
||||||
index 07e963d..9000bae 100644
|
index 1d373e8..56a6061 100644
|
||||||
--- a/lib/http.h
|
--- a/lib/http.h
|
||||||
+++ b/lib/http.h
|
+++ b/lib/http.h
|
||||||
@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
|
@@ -252,5 +252,11 @@ Curl_http_output_auth(struct connectdata *conn,
|
||||||
bool proxytunnel); /* TRUE if this is the request setting
|
bool proxytunnel); /* TRUE if this is the request setting
|
||||||
up the proxy tunnel */
|
up the proxy tunnel */
|
||||||
|
|
||||||
@ -613,20 +691,21 @@ index 07e963d..9000bae 100644
|
|||||||
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
||||||
+ * "sensitive data" can (still) be sent to this host.
|
+ * "sensitive data" can (still) be sent to this host.
|
||||||
+ */
|
+ */
|
||||||
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
|
+bool Curl_allow_auth_to_host(struct connectdata *conn);
|
||||||
+
|
+
|
||||||
#endif /* HEADER_CURL_HTTP_H */
|
#endif /* HEADER_CURL_HTTP_H */
|
||||||
|
|
||||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
index 1bafe96..97c5666 100644
|
index 28eaa6d..6c8faa2 100644
|
||||||
--- a/lib/vtls/openssl.c
|
--- a/lib/vtls/openssl.c
|
||||||
+++ b/lib/vtls/openssl.c
|
+++ b/lib/vtls/openssl.c
|
||||||
@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
@@ -2499,7 +2499,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef USE_OPENSSL_SRP
|
#ifdef USE_TLS_SRP
|
||||||
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
||||||
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
||||||
+ Curl_allow_auth_to_host(data)) {
|
+ Curl_allow_auth_to_host(conn)) {
|
||||||
char * const ssl_username = SSL_SET_OPTION(username);
|
char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
|
|
||||||
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
|
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
|
@ -1,72 +1,7 @@
|
|||||||
From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001
|
From d4247fa7baf0859729fff2fe5cf0bfab8322d1a5 Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
|
||||||
Date: Fri, 28 Jan 2022 16:48:38 +0100
|
|
||||||
Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds
|
|
||||||
|
|
||||||
Closes #8350
|
|
||||||
|
|
||||||
Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d
|
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
---
|
|
||||||
lib/setopt.c | 10 +++++-----
|
|
||||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
|
||||||
index 08827d1..9eaa187 100644
|
|
||||||
--- a/lib/setopt.c
|
|
||||||
+++ b/lib/setopt.c
|
|
||||||
@@ -5,7 +5,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -2699,30 +2699,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
|
||||||
if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
|
||||||
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
|
||||||
break;
|
|
||||||
+#ifndef CURL_DISABLE_PROXY
|
|
||||||
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
|
||||||
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
|
|
||||||
va_arg(param, char *));
|
|
||||||
-#ifndef CURL_DISABLE_PROXY
|
|
||||||
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
|
||||||
!data->set.proxy_ssl.authtype)
|
|
||||||
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
|
||||||
-#endif
|
|
||||||
break;
|
|
||||||
+#endif
|
|
||||||
case CURLOPT_TLSAUTH_PASSWORD:
|
|
||||||
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
|
||||||
va_arg(param, char *));
|
|
||||||
if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
|
||||||
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
|
||||||
break;
|
|
||||||
+#ifndef CURL_DISABLE_PROXY
|
|
||||||
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
|
||||||
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
|
|
||||||
va_arg(param, char *));
|
|
||||||
-#ifndef CURL_DISABLE_PROXY
|
|
||||||
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
|
||||||
!data->set.proxy_ssl.authtype)
|
|
||||||
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
|
||||||
-#endif
|
|
||||||
break;
|
|
||||||
+#endif
|
|
||||||
case CURLOPT_TLSAUTH_TYPE:
|
|
||||||
argptr = va_arg(param, char *);
|
|
||||||
if(!argptr ||
|
|
||||||
--
|
|
||||||
2.34.1
|
|
||||||
|
|
||||||
|
|
||||||
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 9 May 2022 23:13:53 +0200
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||||||
Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
|
Subject: [PATCH 1/2] tls: check more TLS details for connection reuse
|
||||||
|
|
||||||
CVE-2022-27782
|
CVE-2022-27782
|
||||||
|
|
||||||
@ -78,33 +13,33 @@ Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
|
|||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
---
|
---
|
||||||
lib/setopt.c | 29 +++++++++++++++++------------
|
lib/setopt.c | 29 +++++++++++++++++------------
|
||||||
lib/url.c | 23 ++++++++++++++++-------
|
lib/url.c | 19 ++++++++++++-------
|
||||||
lib/urldata.h | 13 +++++++------
|
lib/urldata.h | 14 +++++++-------
|
||||||
lib/vtls/openssl.c | 10 +++++-----
|
lib/vtls/openssl.c | 10 +++++-----
|
||||||
lib/vtls/vtls.c | 21 +++++++++++++++++++++
|
lib/vtls/vtls.c | 21 +++++++++++++++++++++
|
||||||
5 files changed, 66 insertions(+), 30 deletions(-)
|
5 files changed, 62 insertions(+), 31 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
index 8e1bf12..7aa6fdb 100644
|
index b07ccfe..319a010 100644
|
||||||
--- a/lib/setopt.c
|
--- a/lib/setopt.c
|
||||||
+++ b/lib/setopt.c
|
+++ b/lib/setopt.c
|
||||||
@@ -2268,6 +2268,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
@@ -2044,6 +2044,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
|
||||||
case CURLOPT_SSL_OPTIONS:
|
case CURLOPT_SSL_OPTIONS:
|
||||||
arg = va_arg(param, long);
|
arg = va_arg(param, long);
|
||||||
+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
||||||
data->set.ssl.enable_beast =
|
data->set.ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
|
||||||
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
|
|
||||||
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||||
@@ -2281,6 +2282,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
|
||||||
#ifndef CURL_DISABLE_PROXY
|
@@ -2051,6 +2052,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
|
||||||
case CURLOPT_PROXY_SSL_OPTIONS:
|
case CURLOPT_PROXY_SSL_OPTIONS:
|
||||||
arg = va_arg(param, long);
|
arg = va_arg(param, long);
|
||||||
+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
||||||
data->set.proxy_ssl.enable_beast =
|
data->set.proxy_ssl.enable_beast = arg&CURLSSLOPT_ALLOW_BEAST?TRUE:FALSE;
|
||||||
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
|
|
||||||
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||||
@@ -2696,49 +2698,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
break;
|
||||||
|
@@ -2451,44 +2453,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
case CURLOPT_TLSAUTH_USERNAME:
|
case CURLOPT_TLSAUTH_USERNAME:
|
||||||
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
|
||||||
va_arg(param, char *));
|
va_arg(param, char *));
|
||||||
@ -114,7 +49,6 @@ index 8e1bf12..7aa6fdb 100644
|
|||||||
+ !data->set.ssl.primary.authtype)
|
+ !data->set.ssl.primary.authtype)
|
||||||
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
break;
|
break;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
||||||
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
|
||||||
va_arg(param, char *));
|
va_arg(param, char *));
|
||||||
@ -125,7 +59,6 @@ index 8e1bf12..7aa6fdb 100644
|
|||||||
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
|
||||||
+ SRP */
|
+ SRP */
|
||||||
break;
|
break;
|
||||||
#endif
|
|
||||||
case CURLOPT_TLSAUTH_PASSWORD:
|
case CURLOPT_TLSAUTH_PASSWORD:
|
||||||
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
||||||
va_arg(param, char *));
|
va_arg(param, char *));
|
||||||
@ -135,7 +68,6 @@ index 8e1bf12..7aa6fdb 100644
|
|||||||
+ !data->set.ssl.primary.authtype)
|
+ !data->set.ssl.primary.authtype)
|
||||||
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
||||||
break;
|
break;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
||||||
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
|
||||||
va_arg(param, char *));
|
va_arg(param, char *));
|
||||||
@ -145,7 +77,6 @@ index 8e1bf12..7aa6fdb 100644
|
|||||||
+ !data->set.proxy_ssl.primary.authtype)
|
+ !data->set.proxy_ssl.primary.authtype)
|
||||||
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
||||||
break;
|
break;
|
||||||
#endif
|
|
||||||
case CURLOPT_TLSAUTH_TYPE:
|
case CURLOPT_TLSAUTH_TYPE:
|
||||||
argptr = va_arg(param, char *);
|
argptr = va_arg(param, char *);
|
||||||
if(!argptr ||
|
if(!argptr ||
|
||||||
@ -156,7 +87,6 @@ index 8e1bf12..7aa6fdb 100644
|
|||||||
- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
|
- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||||||
break;
|
break;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
case CURLOPT_PROXY_TLSAUTH_TYPE:
|
case CURLOPT_PROXY_TLSAUTH_TYPE:
|
||||||
argptr = va_arg(param, char *);
|
argptr = va_arg(param, char *);
|
||||||
if(!argptr ||
|
if(!argptr ||
|
||||||
@ -168,12 +98,12 @@ index 8e1bf12..7aa6fdb 100644
|
|||||||
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
#endif
|
case CURLOPT_DNS_SERVERS:
|
||||||
diff --git a/lib/url.c b/lib/url.c
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
index 94e3406..5ebf5e2 100644
|
index 7dd5267..30fc5ad 100644
|
||||||
--- a/lib/url.c
|
--- a/lib/url.c
|
||||||
+++ b/lib/url.c
|
+++ b/lib/url.c
|
||||||
@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
@@ -461,7 +461,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||||
set->ssl.primary.verifypeer = TRUE;
|
set->ssl.primary.verifypeer = TRUE;
|
||||||
set->ssl.primary.verifyhost = TRUE;
|
set->ssl.primary.verifyhost = TRUE;
|
||||||
#ifdef USE_TLS_SRP
|
#ifdef USE_TLS_SRP
|
||||||
@ -182,147 +112,132 @@ index 94e3406..5ebf5e2 100644
|
|||||||
#endif
|
#endif
|
||||||
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
|
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
|
||||||
type */
|
type */
|
||||||
@@ -1719,11 +1719,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
|
@@ -1881,10 +1881,12 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
|
||||||
conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
|
conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
|
||||||
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
|
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
|
||||||
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
|
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
|
||||||
+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
|
+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
|
||||||
+#ifdef USE_TLS_SRP
|
|
||||||
+#endif
|
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
conn->proxy_ssl_config.verifystatus =
|
conn->proxy_ssl_config.verifystatus =
|
||||||
data->set.proxy_ssl.primary.verifystatus;
|
data->set.proxy_ssl.primary.verifystatus;
|
||||||
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
|
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
|
||||||
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
|
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
|
||||||
+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
|
+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
|
||||||
+#ifdef USE_TLS_SRP
|
|
||||||
+#endif
|
|
||||||
#endif
|
|
||||||
conn->ip_version = data->set.ipver;
|
conn->ip_version = data->set.ipver;
|
||||||
conn->bits.connect_only = data->set.connect_only;
|
|
||||||
@@ -3764,7 +3770,8 @@ static CURLcode create_conn(struct Curl_easy *data,
|
@@ -4362,8 +4364,9 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
data->set.proxy_ssl.primary.cipher_list13 =
|
||||||
data->set.proxy_ssl.primary.issuercert_blob =
|
data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
|
||||||
data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
|
|
||||||
|
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
|
+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
+ data->set.proxy_ssl.primary.CRLfile =
|
+ data->set.proxy_ssl.primary.CRLfile =
|
||||||
+ data->set.str[STRING_SSL_CRLFILE_PROXY];
|
+ data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
data->set.ssl.cert = data->set.str[STRING_CERT];
|
||||||
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
|
||||||
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
|
|
||||||
@@ -3772,18 +3779,20 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
||||||
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
|
|
||||||
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
|
||||||
#endif
|
|
||||||
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
|
||||||
+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
|
||||||
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||||||
data->set.ssl.key = data->set.str[STRING_KEY];
|
@@ -4377,10 +4380,12 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
|
|
||||||
data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
|
|
||||||
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
|
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
|
||||||
|
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
|
||||||
#ifdef USE_TLS_SRP
|
#ifdef USE_TLS_SRP
|
||||||
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||||
|
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||||||
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||||
|
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||||
+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||||
+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
|
||||||
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
|
||||||
+ data->set.proxy_ssl.primary.username =
|
+ data->set.proxy_ssl.primary.username =
|
||||||
+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||||||
+ data->set.proxy_ssl.primary.password =
|
+ data->set.proxy_ssl.primary.password =
|
||||||
+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||||
#endif
|
#endif
|
||||||
#endif
|
|
||||||
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
|
if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
|
||||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
index 5218f76..e006495 100644
|
index 026684b..0e48841 100644
|
||||||
--- a/lib/urldata.h
|
--- a/lib/urldata.h
|
||||||
+++ b/lib/urldata.h
|
+++ b/lib/urldata.h
|
||||||
@@ -253,9 +253,16 @@ struct ssl_primary_config {
|
@@ -229,6 +229,13 @@ struct ssl_primary_config {
|
||||||
|
char *egdsocket; /* path to file containing the EGD daemon socket */
|
||||||
char *cipher_list; /* list of ciphers to use */
|
char *cipher_list; /* list of ciphers to use */
|
||||||
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
||||||
char *pinned_key;
|
|
||||||
+ char *CRLfile; /* CRL to check certificate revocation */
|
+ char *CRLfile; /* CRL to check certificate revocation */
|
||||||
struct curl_blob *cert_blob;
|
|
||||||
struct curl_blob *issuercert_blob;
|
|
||||||
+#ifdef USE_TLS_SRP
|
+#ifdef USE_TLS_SRP
|
||||||
+ char *username; /* TLS username (for, e.g., SRP) */
|
+ char *username; /* TLS username (for, e.g., SRP) */
|
||||||
+ char *password; /* TLS password (for, e.g., SRP) */
|
+ char *password; /* TLS password (for, e.g., SRP) */
|
||||||
+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||||||
+#endif
|
+#endif
|
||||||
char *curves; /* list of curves to use */
|
|
||||||
+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
|
+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
|
||||||
BIT(verifypeer); /* set TRUE if this is desired */
|
};
|
||||||
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
|
|
||||||
BIT(verifystatus); /* set TRUE if certificate status must be checked */
|
|
||||||
@@ -265,7 +272,6 @@ struct ssl_primary_config {
|
|
||||||
struct ssl_config_data {
|
struct ssl_config_data {
|
||||||
struct ssl_primary_config primary;
|
@@ -238,7 +245,6 @@ struct ssl_config_data {
|
||||||
|
bool no_revoke; /* disable SSL certificate revocation checks */
|
||||||
|
bool no_partialchain; /* don't accept partial certificate chains */
|
||||||
long certverifyresult; /* result from the certificate verification */
|
long certverifyresult; /* result from the certificate verification */
|
||||||
- char *CRLfile; /* CRL to check certificate revocation */
|
- char *CRLfile; /* CRL to check certificate revocation */
|
||||||
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
||||||
void *fsslctxp; /* parameter for call back */
|
void *fsslctxp; /* parameter for call back */
|
||||||
char *cert_type; /* format for certificate (default: PEM)*/
|
bool certinfo; /* gather lots of certificate info */
|
||||||
@@ -273,11 +279,6 @@ struct ssl_config_data {
|
@@ -249,12 +255,6 @@ struct ssl_config_data {
|
||||||
struct curl_blob *key_blob;
|
char *key; /* private key file name */
|
||||||
char *key_type; /* format for private key (default: PEM) */
|
char *key_type; /* format for private key (default: PEM) */
|
||||||
char *key_passwd; /* plain text private key password */
|
char *key_passwd; /* plain text private key password */
|
||||||
|
-
|
||||||
-#ifdef USE_TLS_SRP
|
-#ifdef USE_TLS_SRP
|
||||||
- char *username; /* TLS username (for, e.g., SRP) */
|
- char *username; /* TLS username (for, e.g., SRP) */
|
||||||
- char *password; /* TLS password (for, e.g., SRP) */
|
- char *password; /* TLS password (for, e.g., SRP) */
|
||||||
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||||||
-#endif
|
-#endif
|
||||||
BIT(certinfo); /* gather lots of certificate info */
|
};
|
||||||
BIT(falsestart);
|
|
||||||
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
|
struct ssl_general_config {
|
||||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
index 97c5666..a4ef9d1 100644
|
index 6c8faa2..75ff8d8 100644
|
||||||
--- a/lib/vtls/openssl.c
|
--- a/lib/vtls/openssl.c
|
||||||
+++ b/lib/vtls/openssl.c
|
+++ b/lib/vtls/openssl.c
|
||||||
@@ -2546,7 +2546,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
@@ -2232,14 +2232,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||||
#endif
|
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||||
const long int ssl_version = SSL_CONN_CONFIG(version);
|
const long int ssl_version = SSL_CONN_CONFIG(version);
|
||||||
#ifdef USE_OPENSSL_SRP
|
#ifdef USE_TLS_SRP
|
||||||
- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
|
- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
|
||||||
+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
|
+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
|
||||||
#endif
|
#endif
|
||||||
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
|
char * const ssl_cert = SSL_SET_OPTION(cert);
|
||||||
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
|
const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
|
||||||
@@ -2554,7 +2554,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
|
||||||
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
|
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
|
||||||
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
|
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
|
||||||
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
|
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
|
||||||
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
|
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
|
||||||
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
|
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
|
||||||
char error_buffer[256];
|
char error_buffer[256];
|
||||||
struct ssl_backend_data *backend = connssl->backend;
|
|
||||||
bool imported_native_ca = false;
|
DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
|
||||||
@@ -2859,15 +2859,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
@@ -2501,15 +2501,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||||
#ifdef USE_OPENSSL_SRP
|
#ifdef USE_TLS_SRP
|
||||||
if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
||||||
Curl_allow_auth_to_host(data)) {
|
Curl_allow_auth_to_host(conn)) {
|
||||||
- char * const ssl_username = SSL_SET_OPTION(username);
|
- char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
-
|
-
|
||||||
+ char * const ssl_username = SSL_SET_OPTION(primary.username);
|
+ char * const ssl_username = SSL_SET_OPTION(primary.username);
|
||||||
+ char * const ssl_password = SSL_SET_OPTION(primary.password);
|
+ char * const ssl_password = SSL_SET_OPTION(primary.password);
|
||||||
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
|
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
|
||||||
|
|
||||||
if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
|
if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) {
|
||||||
failf(data, "Unable to set SRP user name");
|
failf(data, "Unable to set SRP user name");
|
||||||
return CURLE_BAD_FUNCTION_ARGUMENT;
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||||
}
|
}
|
||||||
- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
|
- if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) {
|
||||||
+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
|
+ if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) {
|
||||||
failf(data, "failed setting SRP password");
|
failf(data, "failed setting SRP password");
|
||||||
return CURLE_BAD_FUNCTION_ARGUMENT;
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||||
}
|
}
|
||||||
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
index a40ac06..e2d3438 100644
|
index bdff93f..2b14fa6 100644
|
||||||
--- a/lib/vtls/vtls.c
|
--- a/lib/vtls/vtls.c
|
||||||
+++ b/lib/vtls/vtls.c
|
+++ b/lib/vtls/vtls.c
|
||||||
@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
@@ -88,6 +88,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
|
||||||
{
|
{
|
||||||
if((data->version == needle->version) &&
|
if((data->version == needle->version) &&
|
||||||
(data->version_max == needle->version_max) &&
|
(data->version_max == needle->version_max) &&
|
||||||
@ -330,7 +245,7 @@ index a40ac06..e2d3438 100644
|
|||||||
(data->verifypeer == needle->verifypeer) &&
|
(data->verifypeer == needle->verifypeer) &&
|
||||||
(data->verifyhost == needle->verifyhost) &&
|
(data->verifyhost == needle->verifyhost) &&
|
||||||
(data->verifystatus == needle->verifystatus) &&
|
(data->verifystatus == needle->verifystatus) &&
|
||||||
@@ -143,9 +144,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
@@ -96,6 +97,12 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
|
||||||
Curl_safecmp(data->clientcert, needle->clientcert) &&
|
Curl_safecmp(data->clientcert, needle->clientcert) &&
|
||||||
Curl_safecmp(data->random_file, needle->random_file) &&
|
Curl_safecmp(data->random_file, needle->random_file) &&
|
||||||
Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
@ -339,14 +254,11 @@ index a40ac06..e2d3438 100644
|
|||||||
+ Curl_safecmp(data->password, needle->password) &&
|
+ Curl_safecmp(data->password, needle->password) &&
|
||||||
+ (data->authtype == needle->authtype) &&
|
+ (data->authtype == needle->authtype) &&
|
||||||
+#endif
|
+#endif
|
||||||
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
|
||||||
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
|
||||||
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
|
||||||
+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
|
+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
|
||||||
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
|
||||||
return TRUE;
|
return TRUE;
|
||||||
|
@@ -113,6 +120,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||||
@@ -162,6 +169,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
|
||||||
dest->verifyhost = source->verifyhost;
|
dest->verifyhost = source->verifyhost;
|
||||||
dest->verifystatus = source->verifystatus;
|
dest->verifystatus = source->verifystatus;
|
||||||
dest->sessionid = source->sessionid;
|
dest->sessionid = source->sessionid;
|
||||||
@ -355,12 +267,12 @@ index a40ac06..e2d3438 100644
|
|||||||
+ dest->authtype = source->authtype;
|
+ dest->authtype = source->authtype;
|
||||||
+#endif
|
+#endif
|
||||||
|
|
||||||
CLONE_BLOB(cert_blob);
|
CLONE_STRING(CApath);
|
||||||
CLONE_BLOB(issuercert_blob);
|
CLONE_STRING(CAfile);
|
||||||
@@ -175,6 +186,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
@@ -122,6 +133,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||||
|
CLONE_STRING(egdsocket);
|
||||||
|
CLONE_STRING(cipher_list);
|
||||||
CLONE_STRING(cipher_list13);
|
CLONE_STRING(cipher_list13);
|
||||||
CLONE_STRING(pinned_key);
|
|
||||||
CLONE_STRING(curves);
|
|
||||||
+ CLONE_STRING(CRLfile);
|
+ CLONE_STRING(CRLfile);
|
||||||
+#ifdef USE_TLS_SRP
|
+#ifdef USE_TLS_SRP
|
||||||
+ CLONE_STRING(username);
|
+ CLONE_STRING(username);
|
||||||
@ -369,10 +281,10 @@ index a40ac06..e2d3438 100644
|
|||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
@@ -193,6 +209,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
@@ -136,6 +152,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
|
||||||
Curl_safefree(sslc->cert_blob);
|
Curl_safefree(sslc->egdsocket);
|
||||||
Curl_safefree(sslc->issuercert_blob);
|
Curl_safefree(sslc->cipher_list);
|
||||||
Curl_safefree(sslc->curves);
|
Curl_safefree(sslc->cipher_list13);
|
||||||
+ Curl_safefree(sslc->CRLfile);
|
+ Curl_safefree(sslc->CRLfile);
|
||||||
+#ifdef USE_TLS_SRP
|
+#ifdef USE_TLS_SRP
|
||||||
+ Curl_safefree(sslc->username);
|
+ Curl_safefree(sslc->username);
|
||||||
@ -385,10 +297,10 @@ index a40ac06..e2d3438 100644
|
|||||||
2.34.1
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
|
From a9cf46e6c6c9a4261f3ea8500dfef87c1436908b Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 9 May 2022 23:13:53 +0200
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||||||
Subject: [PATCH 3/3] url: check SSH config match on connection reuse
|
Subject: [PATCH 2/2] url: check SSH config match on connection reuse
|
||||||
|
|
||||||
CVE-2022-27782
|
CVE-2022-27782
|
||||||
|
|
||||||
@ -399,18 +311,33 @@ Closes #8825
|
|||||||
Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
|
Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
---
|
---
|
||||||
|
lib/ssh.h | 4 ++--
|
||||||
lib/url.c | 11 +++++++++++
|
lib/url.c | 11 +++++++++++
|
||||||
lib/vssh/ssh.h | 6 +++---
|
2 files changed, 13 insertions(+), 2 deletions(-)
|
||||||
2 files changed, 14 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
|
diff --git a/lib/ssh.h b/lib/ssh.h
|
||||||
|
index 0620aac..1114f8a 100644
|
||||||
|
--- a/lib/ssh.h
|
||||||
|
+++ b/lib/ssh.h
|
||||||
|
@@ -117,8 +117,8 @@ struct ssh_conn {
|
||||||
|
|
||||||
|
/* common */
|
||||||
|
const char *passphrase; /* pass-phrase to use */
|
||||||
|
- char *rsa_pub; /* path name */
|
||||||
|
- char *rsa; /* path name */
|
||||||
|
+ char *rsa_pub; /* strdup'ed public key file */
|
||||||
|
+ char *rsa; /* strdup'ed private key file */
|
||||||
|
bool authed; /* the connection has been authenticated fine */
|
||||||
|
sshstate state; /* always use ssh.c:state() to change state! */
|
||||||
|
sshstate nextstate; /* the state to goto after stopping */
|
||||||
diff --git a/lib/url.c b/lib/url.c
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
index 5ebf5e2..c713e54 100644
|
index 30fc5ad..8653ebb 100644
|
||||||
--- a/lib/url.c
|
--- a/lib/url.c
|
||||||
+++ b/lib/url.c
|
+++ b/lib/url.c
|
||||||
@@ -1073,6 +1073,12 @@ static void prune_dead_connections(struct Curl_easy *data)
|
@@ -1030,6 +1030,12 @@ static size_t max_pipeline_length(struct Curl_multi *multi)
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
+static bool ssh_config_matches(struct connectdata *one,
|
+static bool ssh_config_matches(struct connectdata *one,
|
||||||
+ struct connectdata *two)
|
+ struct connectdata *two)
|
||||||
+{
|
+{
|
||||||
@ -420,42 +347,18 @@ index 5ebf5e2..c713e54 100644
|
|||||||
/*
|
/*
|
||||||
* Given one filled in connection struct (named needle), this function should
|
* Given one filled in connection struct (named needle), this function should
|
||||||
* detect if there already is one that has all the significant details
|
* detect if there already is one that has all the significant details
|
||||||
@@ -1319,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
|
@@ -1299,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
|
+ if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
|
||||||
+ if(!ssh_config_matches(needle, check))
|
+ if(!ssh_config_matches(needle, check))
|
||||||
+ continue;
|
+ continue;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
if((needle->handler->flags&PROTOPT_SSL)
|
if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
|
||||||
#ifndef CURL_DISABLE_PROXY
|
needle->bits.tunnel_proxy) {
|
||||||
|| !needle->bits.httpproxy || needle->bits.tunnel_proxy
|
/* The requested connection does not use a HTTP proxy or it uses SSL or
|
||||||
diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
|
|
||||||
index 7972081..30d82e5 100644
|
|
||||||
--- a/lib/vssh/ssh.h
|
|
||||||
+++ b/lib/vssh/ssh.h
|
|
||||||
@@ -7,7 +7,7 @@
|
|
||||||
* | (__| |_| | _ <| |___
|
|
||||||
* \___|\___/|_| \_\_____|
|
|
||||||
*
|
|
||||||
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
||||||
*
|
|
||||||
* This software is licensed as described in the file COPYING, which
|
|
||||||
* you should have received as part of this distribution. The terms
|
|
||||||
@@ -131,8 +131,8 @@ struct ssh_conn {
|
|
||||||
|
|
||||||
/* common */
|
|
||||||
const char *passphrase; /* pass-phrase to use */
|
|
||||||
- char *rsa_pub; /* path name */
|
|
||||||
- char *rsa; /* path name */
|
|
||||||
+ char *rsa_pub; /* strdup'ed public key file */
|
|
||||||
+ char *rsa; /* strdup'ed private key file */
|
|
||||||
bool authed; /* the connection has been authenticated fine */
|
|
||||||
bool acceptfail; /* used by the SFTP_QUOTE (continue if
|
|
||||||
quote command fails) */
|
|
||||||
--
|
--
|
||||||
2.34.1
|
2.34.1
|
||||||
|
|
@ -11,14 +11,15 @@ Closes #9051
|
|||||||
Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
|
Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
---
|
---
|
||||||
lib/krb5.c | 18 +++++++++++-------
|
lib/krb5.c | 5 +----
|
||||||
1 file changed, 11 insertions(+), 7 deletions(-)
|
lib/security.c | 19 +++++++++++++++----
|
||||||
|
2 files changed, 16 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/krb5.c b/lib/krb5.c
|
diff --git a/lib/krb5.c b/lib/krb5.c
|
||||||
index 787137c..6f9e1f7 100644
|
index 787137c..6f9e1f7 100644
|
||||||
--- a/lib/krb5.c
|
--- a/lib/krb5.c
|
||||||
+++ b/lib/krb5.c
|
+++ b/lib/krb5.c
|
||||||
@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len,
|
@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
|
||||||
enc.value = buf;
|
enc.value = buf;
|
||||||
enc.length = len;
|
enc.length = len;
|
||||||
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
|
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
|
||||||
@ -31,7 +32,22 @@ index 787137c..6f9e1f7 100644
|
|||||||
|
|
||||||
memcpy(buf, dec.value, dec.length);
|
memcpy(buf, dec.value, dec.length);
|
||||||
len = curlx_uztosi(dec.length);
|
len = curlx_uztosi(dec.length);
|
||||||
@@ -523,6 +520,7 @@ static CURLcode read_data(struct connectdata *conn,
|
diff --git a/lib/security.c b/lib/security.c
|
||||||
|
index 52cce97..c95f290 100644
|
||||||
|
--- a/lib/security.c
|
||||||
|
+++ b/lib/security.c
|
||||||
|
@@ -64,6 +64,10 @@
|
||||||
|
/* The last #include file should be: */
|
||||||
|
#include "memdebug.h"
|
||||||
|
|
||||||
|
+/* Max string input length is a precaution against abuse and to detect junk
|
||||||
|
+ input easier and better. */
|
||||||
|
+#define CURL_MAX_INPUT_LENGTH 8000000
|
||||||
|
+
|
||||||
|
static const struct {
|
||||||
|
enum protection_level level;
|
||||||
|
const char *name;
|
||||||
|
@@ -192,6 +196,7 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
{
|
{
|
||||||
int len;
|
int len;
|
||||||
CURLcode result;
|
CURLcode result;
|
||||||
@ -39,7 +55,7 @@ index 787137c..6f9e1f7 100644
|
|||||||
|
|
||||||
result = socket_read(fd, &len, sizeof(len));
|
result = socket_read(fd, &len, sizeof(len));
|
||||||
if(result)
|
if(result)
|
||||||
@@ -531,7 +529,10 @@ static CURLcode read_data(struct connectdata *conn,
|
@@ -200,7 +205,10 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
if(len) {
|
if(len) {
|
||||||
/* only realloc if there was a length */
|
/* only realloc if there was a length */
|
||||||
len = ntohl(len);
|
len = ntohl(len);
|
||||||
@ -51,7 +67,7 @@ index 787137c..6f9e1f7 100644
|
|||||||
}
|
}
|
||||||
if(!len || !buf->data)
|
if(!len || !buf->data)
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
@@ -539,8 +540,11 @@ static CURLcode read_data(struct connectdata *conn,
|
@@ -208,8 +216,11 @@ static CURLcode read_data(struct connectdata *conn,
|
||||||
result = socket_read(fd, buf->data, len);
|
result = socket_read(fd, buf->data, len);
|
||||||
if(result)
|
if(result)
|
||||||
return result;
|
return result;
|
@ -21,7 +21,7 @@ diff --git a/lib/content_encoding.c b/lib/content_encoding.c
|
|||||||
index c03637a..6f994b3 100644
|
index c03637a..6f994b3 100644
|
||||||
--- a/lib/content_encoding.c
|
--- a/lib/content_encoding.c
|
||||||
+++ b/lib/content_encoding.c
|
+++ b/lib/content_encoding.c
|
||||||
@@ -1024,12 +1024,16 @@ static const struct content_encoding *find_encoding(const char *name,
|
@@ -934,6 +934,9 @@ static const content_encoding *find_encoding(const char *name, size_t len)
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -30,15 +30,16 @@ index c03637a..6f994b3 100644
|
|||||||
+
|
+
|
||||||
/* Set-up the unencoding stack from the Content-Encoding header value.
|
/* Set-up the unencoding stack from the Content-Encoding header value.
|
||||||
* See RFC 7231 section 3.1.2.2. */
|
* See RFC 7231 section 3.1.2.2. */
|
||||||
CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
|
||||||
const char *enclist, int maybechunked)
|
@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
|
||||||
{
|
{
|
||||||
|
struct Curl_easy *data = conn->data;
|
||||||
struct SingleRequest *k = &data->req;
|
struct SingleRequest *k = &data->req;
|
||||||
+ int counter = 0;
|
+ int counter = 0;
|
||||||
|
|
||||||
do {
|
do {
|
||||||
const char *name;
|
const char *name;
|
||||||
@@ -1064,6 +1068,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
@@ -975,6 +979,11 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
|
||||||
if(!encoding)
|
if(!encoding)
|
||||||
encoding = &error_encoding; /* Defer error at stack use. */
|
encoding = &error_encoding; /* Defer error at stack use. */
|
||||||
|
|
||||||
@ -48,7 +49,7 @@ index c03637a..6f994b3 100644
|
|||||||
+ return CURLE_BAD_CONTENT_ENCODING;
|
+ return CURLE_BAD_CONTENT_ENCODING;
|
||||||
+ }
|
+ }
|
||||||
/* Stack the unencoding stage. */
|
/* Stack the unencoding stage. */
|
||||||
writer = new_unencoding_writer(data, encoding, k->writer_stack);
|
writer = new_unencoding_writer(conn, encoding, k->writer_stack);
|
||||||
if(!writer)
|
if(!writer)
|
||||||
--
|
--
|
||||||
2.35.3
|
2.35.3
|
||||||
@ -71,12 +72,12 @@ diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|||||||
index 98d5516..9b5f4fb 100644
|
index 98d5516..9b5f4fb 100644
|
||||||
--- a/tests/data/Makefile.inc
|
--- a/tests/data/Makefile.inc
|
||||||
+++ b/tests/data/Makefile.inc
|
+++ b/tests/data/Makefile.inc
|
||||||
@@ -62,6 +62,7 @@ test343 test344 test345 test346 test347 test348 test349 test350 test351 \
|
@@ -61,6 +61,7 @@ test325 test326 test330 \
|
||||||
test352 test353 test354 test355 test356 test357 test358 test359 test360 \
|
test340 \
|
||||||
test361 test362 \
|
|
||||||
\
|
\
|
||||||
|
test350 test351 test352 test353 test354 \
|
||||||
+test387 \
|
+test387 \
|
||||||
test393 test394 test395 test396 test397 \
|
test393 test394 test395 \
|
||||||
\
|
\
|
||||||
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
|
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
|
||||||
diff --git a/tests/data/test387 b/tests/data/test387
|
diff --git a/tests/data/test387 b/tests/data/test387
|
||||||
@ -124,7 +125,7 @@ index 0000000..015ec25
|
|||||||
+<protocol>
|
+<protocol>
|
||||||
+GET /%TESTNUMBER HTTP/1.1
|
+GET /%TESTNUMBER HTTP/1.1
|
||||||
+Host: %HOSTIP:%HTTPPORT
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
+User-Agent: curl/%VERSION
|
+User-Agent: curl/7.61.1
|
||||||
+Accept: */*
|
+Accept: */*
|
||||||
+
|
+
|
||||||
+</protocol>
|
+</protocol>
|
43
SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch
Normal file
43
SOURCES/0042-curl-7.61.1-ssh-known-hosts.patch
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
From 9ea407a0476d22cde575826c18b5aa56b57ac9b4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
|
||||||
|
Date: Wed, 23 Jan 2019 23:10:39 +0100
|
||||||
|
Subject: [PATCH] setopt: enable CURLOPT_SSH_KNOWNHOSTS and
|
||||||
|
CURLOPT_SSH_KEYFUNCTION for libssh
|
||||||
|
|
||||||
|
CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
|
||||||
|
libssh as well. So accepting these options only when compiling with
|
||||||
|
libssh2 is wrong here.
|
||||||
|
|
||||||
|
Fixes #3493
|
||||||
|
Closes #3494
|
||||||
|
|
||||||
|
Upstream-commit: 3cbf731d9ec7146f9f1a6ac0fbd9af7fe358f5bb
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/setopt.c | 3 +--
|
||||||
|
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
|
index b07ccfe..88a05ff 100644
|
||||||
|
--- a/lib/setopt.c
|
||||||
|
+++ b/lib/setopt.c
|
||||||
|
@@ -2208,7 +2208,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5],
|
||||||
|
va_arg(param, char *));
|
||||||
|
break;
|
||||||
|
-#ifdef HAVE_LIBSSH2_KNOWNHOST_API
|
||||||
|
+
|
||||||
|
case CURLOPT_SSH_KNOWNHOSTS:
|
||||||
|
/*
|
||||||
|
* Store the file name to read known hosts from.
|
||||||
|
@@ -2229,7 +2229,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
|
*/
|
||||||
|
data->set.ssh_keyfunc_userp = va_arg(param, void *);
|
||||||
|
break;
|
||||||
|
-#endif /* HAVE_LIBSSH2_KNOWNHOST_API */
|
||||||
|
#endif /* USE_LIBSSH2 */
|
||||||
|
|
||||||
|
case CURLOPT_HTTP_TRANSFER_DECODING:
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -1,7 +1,42 @@
|
|||||||
|
From 005d3f387bc5c3b2ee94d0597b5e202644c825f5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Wed, 31 Oct 2018 11:08:49 +0100
|
||||||
|
Subject: [PATCH 1/3] runtests: use the local curl for verifying
|
||||||
|
|
||||||
|
... revert the mistaken change brought in commit 8440616f53.
|
||||||
|
|
||||||
|
Reported-by: Alessandro Ghedini
|
||||||
|
Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html
|
||||||
|
|
||||||
|
Closes #3198
|
||||||
|
|
||||||
|
Upstream-commit: 8effa8c2b09906a2f00a3f08322dc5da35245b0a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/runtests.pl | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
||||||
|
index 8d8ed81..d62fa40 100755
|
||||||
|
--- a/tests/runtests.pl
|
||||||
|
+++ b/tests/runtests.pl
|
||||||
|
@@ -152,7 +152,7 @@ my $NEGTELNETPORT; # TELNET server port with negotiation
|
||||||
|
|
||||||
|
my $srcdir = $ENV{'srcdir'} || '.';
|
||||||
|
my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests
|
||||||
|
-my $VCURL="curl"; # what curl binary to use to verify the servers with
|
||||||
|
+my $VCURL=$CURL; # what curl binary to use to verify the servers with
|
||||||
|
# VCURL is handy to set to the system one when the one you
|
||||||
|
# just built hangs or crashes and thus prevent verification
|
||||||
|
my $DBGCURL=$CURL; #"../src/.libs/curl"; # alternative for debugging
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
||||||
|
|
||||||
From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
|
From fbc2ac6f06ec13cc872ce7adb870f4d7c7d5dded Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 29 Aug 2022 00:09:17 +0200
|
Date: Mon, 29 Aug 2022 00:09:17 +0200
|
||||||
Subject: [PATCH 1/2] cookie: reject cookies with "control bytes"
|
Subject: [PATCH 2/3] cookie: reject cookies with "control bytes"
|
||||||
|
|
||||||
Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
|
Rejects 0x01 - 0x1f (except 0x09) plus 0x7f
|
||||||
|
|
||||||
@ -23,7 +58,7 @@ diff --git a/lib/cookie.c b/lib/cookie.c
|
|||||||
index cb0c03b..e0470a1 100644
|
index cb0c03b..e0470a1 100644
|
||||||
--- a/lib/cookie.c
|
--- a/lib/cookie.c
|
||||||
+++ b/lib/cookie.c
|
+++ b/lib/cookie.c
|
||||||
@@ -383,6 +383,30 @@ static void strstore(char **str, const char *newstr)
|
@@ -371,6 +371,30 @@ static void strstore(char **str, const char *newstr)
|
||||||
*str = strdup(newstr);
|
*str = strdup(newstr);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -54,7 +89,7 @@ index cb0c03b..e0470a1 100644
|
|||||||
/*
|
/*
|
||||||
* remove_expired() removes expired cookies.
|
* remove_expired() removes expired cookies.
|
||||||
*/
|
*/
|
||||||
@@ -567,6 +591,11 @@ Curl_cookie_add(struct Curl_easy *data,
|
@@ -541,6 +565,11 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||||
badcookie = TRUE;
|
badcookie = TRUE;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -73,7 +108,7 @@ index cb0c03b..e0470a1 100644
|
|||||||
From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
|
From 1a3e2bd48572761236934651091c899a4d460ef5 Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Stenberg <daniel@haxx.se>
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
Date: Mon, 29 Aug 2022 00:09:17 +0200
|
Date: Mon, 29 Aug 2022 00:09:17 +0200
|
||||||
Subject: [PATCH 2/2] test8: verify that "ctrl-byte cookies" are ignored
|
Subject: [PATCH 3/3] test8: verify that "ctrl-byte cookies" are ignored
|
||||||
|
|
||||||
Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
|
Upstream-commit: 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28
|
||||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
@ -89,42 +124,42 @@ index a8548e6..8587611 100644
|
|||||||
Set-Cookie: nocookie=yes; path=/WE;
|
Set-Cookie: nocookie=yes; path=/WE;
|
||||||
Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
|
Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
|
||||||
Set-Cookie: partialip=nono; domain=.0.0.1;
|
Set-Cookie: partialip=nono; domain=.0.0.1;
|
||||||
+Set-Cookie: cookie1=%hex[%01-junk]hex%
|
+Set-Cookie: cookie1=-junk
|
||||||
+Set-Cookie: cookie2=%hex[%02-junk]hex%
|
+Set-Cookie: cookie2=-junk
|
||||||
+Set-Cookie: cookie3=%hex[%03-junk]hex%
|
+Set-Cookie: cookie3=-junk
|
||||||
+Set-Cookie: cookie4=%hex[%04-junk]hex%
|
+Set-Cookie: cookie4=-junk
|
||||||
+Set-Cookie: cookie5=%hex[%05-junk]hex%
|
+Set-Cookie: cookie5=-junk
|
||||||
+Set-Cookie: cookie6=%hex[%06-junk]hex%
|
+Set-Cookie: cookie6=-junk
|
||||||
+Set-Cookie: cookie7=%hex[%07-junk]hex%
|
+Set-Cookie: cookie7=-junk
|
||||||
+Set-Cookie: cookie8=%hex[%08-junk]hex%
|
+Set-Cookie: cookie8=-junk
|
||||||
+Set-Cookie: cookie9=%hex[junk-%09-]hex%
|
+Set-Cookie: cookie9=junk- -
|
||||||
+Set-Cookie: cookie11=%hex[%0b-junk]hex%
|
+Set-Cookie: cookie11=-junk
|
||||||
+Set-Cookie: cookie12=%hex[%0c-junk]hex%
|
+Set-Cookie: cookie12=-junk
|
||||||
+Set-Cookie: cookie14=%hex[%0e-junk]hex%
|
+Set-Cookie: cookie14=-junk
|
||||||
+Set-Cookie: cookie15=%hex[%0f-junk]hex%
|
+Set-Cookie: cookie15=-junk
|
||||||
+Set-Cookie: cookie16=%hex[%10-junk]hex%
|
+Set-Cookie: cookie16=-junk
|
||||||
+Set-Cookie: cookie17=%hex[%11-junk]hex%
|
+Set-Cookie: cookie17=-junk
|
||||||
+Set-Cookie: cookie18=%hex[%12-junk]hex%
|
+Set-Cookie: cookie18=-junk
|
||||||
+Set-Cookie: cookie19=%hex[%13-junk]hex%
|
+Set-Cookie: cookie19=-junk
|
||||||
+Set-Cookie: cookie20=%hex[%14-junk]hex%
|
+Set-Cookie: cookie20=-junk
|
||||||
+Set-Cookie: cookie21=%hex[%15-junk]hex%
|
+Set-Cookie: cookie21=-junk
|
||||||
+Set-Cookie: cookie22=%hex[%16-junk]hex%
|
+Set-Cookie: cookie22=-junk
|
||||||
+Set-Cookie: cookie23=%hex[%17-junk]hex%
|
+Set-Cookie: cookie23=-junk
|
||||||
+Set-Cookie: cookie24=%hex[%18-junk]hex%
|
+Set-Cookie: cookie24=-junk
|
||||||
+Set-Cookie: cookie25=%hex[%19-junk]hex%
|
+Set-Cookie: cookie25=-junk
|
||||||
+Set-Cookie: cookie26=%hex[%1a-junk]hex%
|
+Set-Cookie: cookie26=-junk
|
||||||
+Set-Cookie: cookie27=%hex[%1b-junk]hex%
|
+Set-Cookie: cookie27=-junk
|
||||||
+Set-Cookie: cookie28=%hex[%1c-junk]hex%
|
+Set-Cookie: cookie28=-junk
|
||||||
+Set-Cookie: cookie29=%hex[%1d-junk]hex%
|
+Set-Cookie: cookie29=-junk
|
||||||
+Set-Cookie: cookie30=%hex[%1e-junk]hex%
|
+Set-Cookie: cookie30=-junk
|
||||||
+Set-Cookie: cookie31=%hex[%1f-junk]hex%
|
+Set-Cookie: cookie31=-junk
|
||||||
+Set-Cookie: cookie31=%hex[%7f-junk]hex%
|
+Set-Cookie: cookie31=-junk
|
||||||
|
|
||||||
</file>
|
</file>
|
||||||
<precheck>
|
<precheck>
|
||||||
@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1
|
@@ -62,7 +92,7 @@ perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs endi
|
||||||
|
GET /we/want/8 HTTP/1.1
|
||||||
Host: %HOSTIP:%HTTPPORT
|
Host: %HOSTIP:%HTTPPORT
|
||||||
User-Agent: curl/%VERSION
|
|
||||||
Accept: */*
|
Accept: */*
|
||||||
-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
|
-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
|
||||||
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- -
|
+Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- -
|
112
SOURCES/0044-curl-7.61.1-retry-http11.patch
Normal file
112
SOURCES/0044-curl-7.61.1-retry-http11.patch
Normal file
@ -0,0 +1,112 @@
|
|||||||
|
From 78b62ef1206621e8f4f1628ad4eb0a7be877c96f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Johannes Schindelin <johannes.schindelin@gmx.de>
|
||||||
|
Date: Fri, 7 Dec 2018 17:04:39 +0100
|
||||||
|
Subject: [PATCH] Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
|
||||||
|
|
||||||
|
This is a companion patch to cbea2fd2c (NTLM: force the connection to
|
||||||
|
HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
|
||||||
|
preemptively. However, with other (Negotiate) authentication it is not
|
||||||
|
clear to this developer whether there is a way to make it work with
|
||||||
|
HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
|
||||||
|
error HTTP_1_1_REQUIRED.
|
||||||
|
|
||||||
|
Note: we will still keep the NTLM workaround, as it avoids an extra
|
||||||
|
round trip.
|
||||||
|
|
||||||
|
Daniel Stenberg helped a lot with this patch, in particular by
|
||||||
|
suggesting to introduce the Curl_h2_http_1_1_error() function.
|
||||||
|
|
||||||
|
Closes #3349
|
||||||
|
|
||||||
|
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
||||||
|
|
||||||
|
Upstream-commit: d997aa0e963c5be5de100dccdc5208d39bd3d62b
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http2.c | 8 ++++++++
|
||||||
|
lib/http2.h | 4 ++++
|
||||||
|
lib/multi.c | 20 ++++++++++++++++++++
|
||||||
|
3 files changed, 32 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/http2.c b/lib/http2.c
|
||||||
|
index d769193..3071097 100644
|
||||||
|
--- a/lib/http2.c
|
||||||
|
+++ b/lib/http2.c
|
||||||
|
@@ -2300,6 +2300,14 @@ void Curl_http2_cleanup_dependencies(struct Curl_easy *data)
|
||||||
|
Curl_http2_remove_child(data->set.stream_depends_on, data);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Only call this function for a transfer that already got a HTTP/2
|
||||||
|
+ CURLE_HTTP2_STREAM error! */
|
||||||
|
+bool Curl_h2_http_1_1_error(struct connectdata *conn)
|
||||||
|
+{
|
||||||
|
+ struct http_conn *httpc = &conn->proto.httpc;
|
||||||
|
+ return (httpc->error_code == NGHTTP2_HTTP_1_1_REQUIRED);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#else /* !USE_NGHTTP2 */
|
||||||
|
|
||||||
|
/* Satisfy external references even if http2 is not compiled in. */
|
||||||
|
diff --git a/lib/http2.h b/lib/http2.h
|
||||||
|
index 21cd9b8..91e504c 100644
|
||||||
|
--- a/lib/http2.h
|
||||||
|
+++ b/lib/http2.h
|
||||||
|
@@ -59,6 +59,9 @@ CURLcode Curl_http2_add_child(struct Curl_easy *parent,
|
||||||
|
void Curl_http2_remove_child(struct Curl_easy *parent,
|
||||||
|
struct Curl_easy *child);
|
||||||
|
void Curl_http2_cleanup_dependencies(struct Curl_easy *data);
|
||||||
|
+
|
||||||
|
+/* returns true if the HTTP/2 stream error was HTTP_1_1_REQUIRED */
|
||||||
|
+bool Curl_h2_http_1_1_error(struct connectdata *conn);
|
||||||
|
#else /* USE_NGHTTP2 */
|
||||||
|
#define Curl_http2_init(x) CURLE_UNSUPPORTED_PROTOCOL
|
||||||
|
#define Curl_http2_send_request(x) CURLE_UNSUPPORTED_PROTOCOL
|
||||||
|
@@ -74,6 +77,7 @@ void Curl_http2_cleanup_dependencies(struct Curl_easy *data);
|
||||||
|
#define Curl_http2_add_child(x, y, z)
|
||||||
|
#define Curl_http2_remove_child(x, y)
|
||||||
|
#define Curl_http2_cleanup_dependencies(x)
|
||||||
|
+#define Curl_h2_http_1_1_error(x) 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* HEADER_CURL_HTTP2_H */
|
||||||
|
diff --git a/lib/multi.c b/lib/multi.c
|
||||||
|
index 0f57fd5..d64ba94 100644
|
||||||
|
--- a/lib/multi.c
|
||||||
|
+++ b/lib/multi.c
|
||||||
|
@@ -46,6 +46,7 @@
|
||||||
|
#include "vtls/vtls.h"
|
||||||
|
#include "connect.h"
|
||||||
|
#include "http_proxy.h"
|
||||||
|
+#include "http2.h"
|
||||||
|
/* The last 3 #include files should be in this order */
|
||||||
|
#include "curl_printf.h"
|
||||||
|
#include "curl_memory.h"
|
||||||
|
@@ -1943,6 +1944,25 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
|
||||||
|
done = TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ else if((CURLE_HTTP2_STREAM == result) &&
|
||||||
|
+ Curl_h2_http_1_1_error(data->easy_conn)) {
|
||||||
|
+ CURLcode ret = Curl_retry_request(data->easy_conn, &newurl);
|
||||||
|
+
|
||||||
|
+ infof(data, "Forcing HTTP/1.1 for NTLM");
|
||||||
|
+ data->set.httpversion = CURL_HTTP_VERSION_1_1;
|
||||||
|
+
|
||||||
|
+ if(!ret)
|
||||||
|
+ retry = (newurl)?TRUE:FALSE;
|
||||||
|
+ else
|
||||||
|
+ result = ret;
|
||||||
|
+
|
||||||
|
+ if(retry) {
|
||||||
|
+ /* if we are to retry, set the result to OK and consider the
|
||||||
|
+ request as done */
|
||||||
|
+ result = CURLE_OK;
|
||||||
|
+ done = TRUE;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if(result) {
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
@ -20,16 +20,16 @@ diff --git a/lib/smb.c b/lib/smb.c
|
|||||||
index 039d680..f682c1f 100644
|
index 039d680..f682c1f 100644
|
||||||
--- a/lib/smb.c
|
--- a/lib/smb.c
|
||||||
+++ b/lib/smb.c
|
+++ b/lib/smb.c
|
||||||
@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
|
@@ -61,8 +61,6 @@ static CURLcode smb_connect(struct connectdata *conn, bool *done);
|
||||||
static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
|
static CURLcode smb_connection_state(struct connectdata *conn, bool *done);
|
||||||
static CURLcode smb_do(struct Curl_easy *data, bool *done);
|
static CURLcode smb_do(struct connectdata *conn, bool *done);
|
||||||
static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
|
static CURLcode smb_request_state(struct connectdata *conn, bool *done);
|
||||||
-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
|
-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
|
||||||
- bool premature);
|
- bool premature);
|
||||||
static CURLcode smb_disconnect(struct Curl_easy *data,
|
static CURLcode smb_disconnect(struct connectdata *conn, bool dead);
|
||||||
struct connectdata *conn, bool dead);
|
static int smb_getsock(struct connectdata *conn, curl_socket_t *socks,
|
||||||
static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
|
int numsocks);
|
||||||
@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = {
|
@@ -75,7 +73,7 @@ const struct Curl_handler Curl_handler_smb = {
|
||||||
"SMB", /* scheme */
|
"SMB", /* scheme */
|
||||||
smb_setup_connection, /* setup_connection */
|
smb_setup_connection, /* setup_connection */
|
||||||
smb_do, /* do_it */
|
smb_do, /* do_it */
|
||||||
@ -38,7 +38,7 @@ index 039d680..f682c1f 100644
|
|||||||
ZERO_NULL, /* do_more */
|
ZERO_NULL, /* do_more */
|
||||||
smb_connect, /* connect_it */
|
smb_connect, /* connect_it */
|
||||||
smb_connection_state, /* connecting */
|
smb_connection_state, /* connecting */
|
||||||
@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = {
|
@@ -100,7 +98,7 @@ const struct Curl_handler Curl_handler_smbs = {
|
||||||
"SMBS", /* scheme */
|
"SMBS", /* scheme */
|
||||||
smb_setup_connection, /* setup_connection */
|
smb_setup_connection, /* setup_connection */
|
||||||
smb_do, /* do_it */
|
smb_do, /* do_it */
|
||||||
@ -47,31 +47,31 @@ index 039d680..f682c1f 100644
|
|||||||
ZERO_NULL, /* do_more */
|
ZERO_NULL, /* do_more */
|
||||||
smb_connect, /* connect_it */
|
smb_connect, /* connect_it */
|
||||||
smb_connection_state, /* connecting */
|
smb_connection_state, /* connecting */
|
||||||
@@ -941,14 +939,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
|
@@ -915,14 +913,6 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
|
-static CURLcode smb_done(struct connectdata *conn, CURLcode status,
|
||||||
- bool premature)
|
- bool premature)
|
||||||
-{
|
-{
|
||||||
- (void) premature;
|
- (void) premature;
|
||||||
- Curl_safefree(data->req.p.smb);
|
- Curl_safefree(conn->data->req.protop);
|
||||||
- return status;
|
- return status;
|
||||||
-}
|
-}
|
||||||
-
|
-
|
||||||
static CURLcode smb_disconnect(struct Curl_easy *data,
|
static CURLcode smb_disconnect(struct connectdata *conn, bool dead)
|
||||||
struct connectdata *conn, bool dead)
|
|
||||||
{
|
{
|
||||||
|
struct smb_conn *smbc = &conn->proto.smbc;
|
||||||
diff --git a/lib/telnet.c b/lib/telnet.c
|
diff --git a/lib/telnet.c b/lib/telnet.c
|
||||||
index 923c7f8..48cd0d7 100644
|
index 923c7f8..48cd0d7 100644
|
||||||
--- a/lib/telnet.c
|
--- a/lib/telnet.c
|
||||||
+++ b/lib/telnet.c
|
+++ b/lib/telnet.c
|
||||||
@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
|
@@ -1294,9 +1294,6 @@ static CURLcode telnet_done(struct connectdata *conn,
|
||||||
|
|
||||||
curl_slist_free_all(tn->telnet_vars);
|
curl_slist_free_all(tn->telnet_vars);
|
||||||
tn->telnet_vars = NULL;
|
tn->telnet_vars = NULL;
|
||||||
-
|
-
|
||||||
- Curl_safefree(data->req.p.telnet);
|
- Curl_safefree(conn->data->req.protop);
|
||||||
-
|
-
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
}
|
}
|
44
SOURCES/0046-curl-7.61.1-h2-window-size.patch
Normal file
44
SOURCES/0046-curl-7.61.1-h2-window-size.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
From 4bbd1947aeb26d5dbcddbb058652e0e64771b71d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Mon, 6 Feb 2023 17:46:36 +0100
|
||||||
|
Subject: [PATCH] h2: lower initial window size to 32 MiB
|
||||||
|
|
||||||
|
Cherry-picked from upstream commit
|
||||||
|
15f51474c837679c0b79825c23356ac681ffabde which was focused on paused
|
||||||
|
transfers but required an update of nghttp2 to work properly.
|
||||||
|
|
||||||
|
Bug: https://bugzilla.redhat.com/2166254
|
||||||
|
---
|
||||||
|
lib/http2.c | 2 +-
|
||||||
|
tests/data/test1800 | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http2.c b/lib/http2.c
|
||||||
|
index 3071097..1fd2233 100644
|
||||||
|
--- a/lib/http2.c
|
||||||
|
+++ b/lib/http2.c
|
||||||
|
@@ -63,7 +63,7 @@
|
||||||
|
#define NGHTTP2_HAS_SET_LOCAL_WINDOW_SIZE 1
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#define HTTP2_HUGE_WINDOW_SIZE (1 << 30)
|
||||||
|
+#define HTTP2_HUGE_WINDOW_SIZE (32 * 1024 * 1024) /* 32 MB */
|
||||||
|
|
||||||
|
#ifdef DEBUG_HTTP2
|
||||||
|
#define H2BUGF(x) x
|
||||||
|
diff --git a/tests/data/test1800 b/tests/data/test1800
|
||||||
|
index 0110184..c308c99 100644
|
||||||
|
--- a/tests/data/test1800
|
||||||
|
+++ b/tests/data/test1800
|
||||||
|
@@ -48,7 +48,7 @@ Host: %HOSTIP:%HTTPPORT
|
||||||
|
Accept: */*
|
||||||
|
Connection: Upgrade, HTTP2-Settings
|
||||||
|
Upgrade: %H2CVER
|
||||||
|
-HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
|
||||||
|
+HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA
|
||||||
|
|
||||||
|
</protocol>
|
||||||
|
</verify>
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
331
SOURCES/0047-curl-7.61.1-CVE-2023-23916.patch
Normal file
331
SOURCES/0047-curl-7.61.1-CVE-2023-23916.patch
Normal file
@ -0,0 +1,331 @@
|
|||||||
|
From 95f873ff983a1ae57415b3c16a881e74432cf8b8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Fabian Keil <fk@fabiankeil.de>
|
||||||
|
Date: Tue, 9 Feb 2021 14:04:32 +0100
|
||||||
|
Subject: [PATCH 1/2] runtests.pl: support the nonewline attribute for the data
|
||||||
|
part
|
||||||
|
|
||||||
|
Closes #8239
|
||||||
|
|
||||||
|
Upstream-commit: 736847611a40c01e7c290407e22e2f0f5f8efd6a
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/runtests.pl | 7 +++++++
|
||||||
|
tests/server/getpart.c | 11 ++++++++++-
|
||||||
|
2 files changed, 17 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
||||||
|
index 40315aa..2e1500d 100755
|
||||||
|
--- a/tests/runtests.pl
|
||||||
|
+++ b/tests/runtests.pl
|
||||||
|
@@ -3817,6 +3817,13 @@ sub singletest {
|
||||||
|
else {
|
||||||
|
# check against the data section
|
||||||
|
@reply = getpart("reply", "data");
|
||||||
|
+ if(@reply) {
|
||||||
|
+ my %hash = getpartattr("reply", "data");
|
||||||
|
+ if($hash{'nonewline'}) {
|
||||||
|
+ # cut off the final newline from the final line of the data
|
||||||
|
+ chomp($reply[$#reply]);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
# get the mode attribute
|
||||||
|
my $filemode=$replyattr{'mode'};
|
||||||
|
if($filemode && ($filemode eq "text") && $has_textaware) {
|
||||||
|
diff --git a/tests/server/getpart.c b/tests/server/getpart.c
|
||||||
|
index 32b55bc..f8fe3f6 100644
|
||||||
|
--- a/tests/server/getpart.c
|
||||||
|
+++ b/tests/server/getpart.c
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
* | (__| |_| | _ <| |___
|
||||||
|
* \___|\___/|_| \_\_____|
|
||||||
|
*
|
||||||
|
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
*
|
||||||
|
* This software is licensed as described in the file COPYING, which
|
||||||
|
* you should have received as part of this distribution. The terms
|
||||||
|
@@ -295,6 +295,7 @@ int getpart(char **outbuf, size_t *outlen,
|
||||||
|
size_t outalloc = 256;
|
||||||
|
int in_wanted_part = 0;
|
||||||
|
int base64 = 0;
|
||||||
|
+ int nonewline = 0;
|
||||||
|
int error;
|
||||||
|
|
||||||
|
enum {
|
||||||
|
@@ -360,6 +361,8 @@ int getpart(char **outbuf, size_t *outlen,
|
||||||
|
if(error)
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
+ if(nonewline)
|
||||||
|
+ (*outlen)--;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -377,6 +380,8 @@ int getpart(char **outbuf, size_t *outlen,
|
||||||
|
if(error)
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
+ if(nonewline)
|
||||||
|
+ (*outlen)--;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -451,6 +456,10 @@ int getpart(char **outbuf, size_t *outlen,
|
||||||
|
/* bit rough test, but "mostly" functional, */
|
||||||
|
/* treat wanted part data as base64 encoded */
|
||||||
|
base64 = 1;
|
||||||
|
+ if(strstr(patt, "nonewline=")) {
|
||||||
|
+ show(("* setting nonewline\n"));
|
||||||
|
+ nonewline = 1;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
||||||
|
|
||||||
|
From bc5fc958b017895728962c9d44c469418cbec1a0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Monnerat <patrick@monnerat.net>
|
||||||
|
Date: Mon, 13 Feb 2023 08:33:09 +0100
|
||||||
|
Subject: [PATCH 2/2] content_encoding: do not reset stage counter for each
|
||||||
|
header
|
||||||
|
|
||||||
|
Test 418 verifies
|
||||||
|
|
||||||
|
Closes #10492
|
||||||
|
|
||||||
|
Upstream-commit: 119fb187192a9ea13dc90d9d20c215fc82799ab9
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/content_encoding.c | 7 +-
|
||||||
|
lib/urldata.h | 1 +
|
||||||
|
tests/data/Makefile.inc | 1 +
|
||||||
|
tests/data/test387 | 2 +-
|
||||||
|
tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++
|
||||||
|
5 files changed, 158 insertions(+), 5 deletions(-)
|
||||||
|
create mode 100644 tests/data/test418
|
||||||
|
|
||||||
|
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
|
||||||
|
index bfc13e2..94344d6 100644
|
||||||
|
--- a/lib/content_encoding.c
|
||||||
|
+++ b/lib/content_encoding.c
|
||||||
|
@@ -944,7 +944,6 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
|
||||||
|
{
|
||||||
|
struct Curl_easy *data = conn->data;
|
||||||
|
struct SingleRequest *k = &data->req;
|
||||||
|
- int counter = 0;
|
||||||
|
|
||||||
|
do {
|
||||||
|
const char *name;
|
||||||
|
@@ -979,9 +978,9 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
|
||||||
|
if(!encoding)
|
||||||
|
encoding = &error_encoding; /* Defer error at stack use. */
|
||||||
|
|
||||||
|
- if(++counter >= MAX_ENCODE_STACK) {
|
||||||
|
- failf(data, "Reject response due to %u content encodings",
|
||||||
|
- counter);
|
||||||
|
+ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
|
||||||
|
+ failf(data, "Reject response due to more than %u content encodings",
|
||||||
|
+ MAX_ENCODE_STACK);
|
||||||
|
return CURLE_BAD_CONTENT_ENCODING;
|
||||||
|
}
|
||||||
|
/* Stack the unencoding stage. */
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 5b4b34f..8c8c20b 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -539,6 +539,7 @@ struct SingleRequest {
|
||||||
|
|
||||||
|
struct curltime start; /* transfer started at this time */
|
||||||
|
struct curltime now; /* current time */
|
||||||
|
+ unsigned char writer_stack_depth; /* Unencoding stack depth. */
|
||||||
|
bool header; /* incoming data has HTTP header */
|
||||||
|
enum {
|
||||||
|
HEADER_NORMAL, /* no bad header at all */
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index fb51cd6..86b6f85 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -66,6 +66,7 @@ test393 test394 test395 \
|
||||||
|
\
|
||||||
|
test400 test401 test402 test403 test404 test405 test406 test407 test408 \
|
||||||
|
test409 \
|
||||||
|
+test418 \
|
||||||
|
\
|
||||||
|
test500 test501 test502 test503 test504 test505 test506 test507 test508 \
|
||||||
|
test509 test510 test511 test512 test513 test514 test515 test516 test517 \
|
||||||
|
diff --git a/tests/data/test387 b/tests/data/test387
|
||||||
|
index 015ec25..644fc7f 100644
|
||||||
|
--- a/tests/data/test387
|
||||||
|
+++ b/tests/data/test387
|
||||||
|
@@ -47,7 +47,7 @@ Accept: */*
|
||||||
|
61
|
||||||
|
</errorcode>
|
||||||
|
<stderr mode="text">
|
||||||
|
-curl: (61) Reject response due to 5 content encodings
|
||||||
|
+curl: (61) Reject response due to more than 5 content encodings
|
||||||
|
</stderr>
|
||||||
|
</verify>
|
||||||
|
</testcase>
|
||||||
|
diff --git a/tests/data/test418 b/tests/data/test418
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..50e974e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test418
|
||||||
|
@@ -0,0 +1,152 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+gzip
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data nocheck="yes">
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+Transfer-Encoding: gzip
|
||||||
|
+
|
||||||
|
+-foo-
|
||||||
|
+</data>
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+Response with multiple Transfer-Encoding headers
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET /%TESTNUMBER HTTP/1.1
|
||||||
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
|
+User-Agent: curl/7.61.1
|
||||||
|
+Accept: */*
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+
|
||||||
|
+# CURLE_BAD_CONTENT_ENCODING is 61
|
||||||
|
+<errorcode>
|
||||||
|
+61
|
||||||
|
+</errorcode>
|
||||||
|
+<stderr mode="text">
|
||||||
|
+curl: (61) Reject response due to more than 5 content encodings
|
||||||
|
+</stderr>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
@ -25,7 +25,7 @@ diff --git a/lib/strcase.c b/lib/strcase.c
|
|||||||
index f932485..c73907d 100644
|
index f932485..c73907d 100644
|
||||||
--- a/lib/strcase.c
|
--- a/lib/strcase.c
|
||||||
+++ b/lib/strcase.c
|
+++ b/lib/strcase.c
|
||||||
@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b)
|
@@ -175,6 +175,28 @@ bool Curl_safecmp(char *a, char *b)
|
||||||
return !a && !b;
|
return !a && !b;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -58,8 +58,8 @@ diff --git a/lib/strcase.h b/lib/strcase.h
|
|||||||
index d245929..11a67a1 100644
|
index d245929..11a67a1 100644
|
||||||
--- a/lib/strcase.h
|
--- a/lib/strcase.h
|
||||||
+++ b/lib/strcase.h
|
+++ b/lib/strcase.h
|
||||||
@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
|
@@ -48,5 +48,6 @@ char Curl_raw_toupper(char in);
|
||||||
void Curl_strntolower(char *dest, const char *src, size_t n);
|
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
||||||
|
|
||||||
bool Curl_safecmp(char *a, char *b);
|
bool Curl_safecmp(char *a, char *b);
|
||||||
+int Curl_timestrcmp(const char *first, const char *second);
|
+int Curl_timestrcmp(const char *first, const char *second);
|
||||||
@ -83,30 +83,30 @@ Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|||||||
lib/ftp.c | 28 ++++++++++++++++++++++++++--
|
lib/ftp.c | 28 ++++++++++++++++++++++++++--
|
||||||
lib/ftp.h | 5 +++++
|
lib/ftp.h | 5 +++++
|
||||||
lib/setopt.c | 2 +-
|
lib/setopt.c | 2 +-
|
||||||
lib/url.c | 12 ++++++++++++
|
lib/url.c | 13 ++++++++++++-
|
||||||
lib/urldata.h | 4 ++--
|
lib/urldata.h | 4 ++--
|
||||||
5 files changed, 46 insertions(+), 5 deletions(-)
|
5 files changed, 46 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/ftp.c b/lib/ftp.c
|
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||||
index 9442832..df15bc0 100644
|
index 9442832..df15bc0 100644
|
||||||
--- a/lib/ftp.c
|
--- a/lib/ftp.c
|
||||||
+++ b/lib/ftp.c
|
+++ b/lib/ftp.c
|
||||||
@@ -4086,6 +4086,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data,
|
@@ -4080,6 +4080,8 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
|
||||||
}
|
}
|
||||||
|
|
||||||
freedirs(ftpc);
|
freedirs(ftpc);
|
||||||
+ Curl_safefree(ftpc->account);
|
+ Curl_safefree(ftpc->account);
|
||||||
+ Curl_safefree(ftpc->alternative_to_user);
|
+ Curl_safefree(ftpc->alternative_to_user);
|
||||||
Curl_safefree(ftpc->prevpath);
|
free(ftpc->prevpath);
|
||||||
Curl_safefree(ftpc->server_os);
|
ftpc->prevpath = NULL;
|
||||||
Curl_pp_disconnect(pp);
|
free(ftpc->server_os);
|
||||||
@@ -4346,11 +4348,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
|
@@ -4391,11 +4393,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
|
||||||
{
|
struct Curl_easy *data = conn->data;
|
||||||
char *type;
|
char *type;
|
||||||
struct FTP *ftp;
|
struct FTP *ftp;
|
||||||
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
|
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
|
||||||
|
|
||||||
- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
|
- conn->data->req.protop = ftp = malloc(sizeof(struct FTP));
|
||||||
+ ftp = calloc(sizeof(struct FTP), 1);
|
+ ftp = calloc(sizeof(struct FTP), 1);
|
||||||
if(NULL == ftp)
|
if(NULL == ftp)
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
@ -128,15 +128,15 @@ index 9442832..df15bc0 100644
|
|||||||
+ return CURLE_OUT_OF_MEMORY;
|
+ return CURLE_OUT_OF_MEMORY;
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ data->req.p.ftp = ftp;
|
+ data->req.protop = ftp;
|
||||||
+
|
+
|
||||||
ftp->path = &data->state.up.path[1]; /* don't include the initial slash */
|
data->state.path++; /* don't include the initial slash */
|
||||||
|
data->state.slash_removed = TRUE; /* we've skipped the slash */
|
||||||
|
|
||||||
|
@@ -4445,7 +4467,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
|
||||||
|
if(isBadFtpString(ftp->passwd))
|
||||||
|
return CURLE_URL_MALFORMAT;
|
||||||
|
|
||||||
/* FTP URLs support an extension like ";type=<typecode>" that
|
|
||||||
@@ -4385,7 +4407,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data,
|
|
||||||
/* get some initial data into the ftp struct */
|
|
||||||
ftp->transfer = PPTRANSFER_BODY;
|
|
||||||
ftp->downloadsize = 0;
|
|
||||||
- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
|
- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
|
||||||
+ ftpc->known_filesize = -1; /* unknown size for now */
|
+ ftpc->known_filesize = -1; /* unknown size for now */
|
||||||
+ ftpc->use_ssl = data->set.use_ssl;
|
+ ftpc->use_ssl = data->set.use_ssl;
|
||||||
@ -148,15 +148,15 @@ diff --git a/lib/ftp.h b/lib/ftp.h
|
|||||||
index 7f6f432..3f33e27 100644
|
index 7f6f432..3f33e27 100644
|
||||||
--- a/lib/ftp.h
|
--- a/lib/ftp.h
|
||||||
+++ b/lib/ftp.h
|
+++ b/lib/ftp.h
|
||||||
@@ -115,6 +115,8 @@ struct FTP {
|
@@ -117,6 +117,8 @@ struct FTP {
|
||||||
struct */
|
struct */
|
||||||
struct ftp_conn {
|
struct ftp_conn {
|
||||||
struct pingpong pp;
|
struct pingpong pp;
|
||||||
+ char *account;
|
+ char *account;
|
||||||
+ char *alternative_to_user;
|
+ char *alternative_to_user;
|
||||||
char *entrypath; /* the PWD reply when we logged on */
|
char *entrypath; /* the PWD reply when we logged on */
|
||||||
char *file; /* url-decoded file name (or path) */
|
|
||||||
char **dirs; /* realloc()ed array for path components */
|
char **dirs; /* realloc()ed array for path components */
|
||||||
|
int dirdepth; /* number of entries used in the 'dirs' array */
|
||||||
@@ -144,6 +146,9 @@ struct ftp_conn {
|
@@ -144,6 +146,9 @@ struct ftp_conn {
|
||||||
ftpstate state; /* always use ftp.c:state() to change state! */
|
ftpstate state; /* always use ftp.c:state() to change state! */
|
||||||
ftpstate state_saved; /* transfer type saved to be reloaded after
|
ftpstate state_saved; /* transfer type saved to be reloaded after
|
||||||
@ -171,9 +171,9 @@ diff --git a/lib/setopt.c b/lib/setopt.c
|
|||||||
index 3339a67..6fc111d 100644
|
index 3339a67..6fc111d 100644
|
||||||
--- a/lib/setopt.c
|
--- a/lib/setopt.c
|
||||||
+++ b/lib/setopt.c
|
+++ b/lib/setopt.c
|
||||||
@@ -2264,7 +2264,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
@@ -2039,7 +2039,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||||
arg = va_arg(param, long);
|
arg = va_arg(param, long);
|
||||||
if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST))
|
if((arg < CURLUSESSL_NONE) || (arg > CURLUSESSL_ALL))
|
||||||
return CURLE_BAD_FUNCTION_ARGUMENT;
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||||
- data->set.use_ssl = (curl_usessl)arg;
|
- data->set.use_ssl = (curl_usessl)arg;
|
||||||
+ data->set.use_ssl = (unsigned char)arg;
|
+ data->set.use_ssl = (unsigned char)arg;
|
||||||
@ -184,12 +184,13 @@ diff --git a/lib/url.c b/lib/url.c
|
|||||||
index 61ba832..4e21838 100644
|
index 61ba832..4e21838 100644
|
||||||
--- a/lib/url.c
|
--- a/lib/url.c
|
||||||
+++ b/lib/url.c
|
+++ b/lib/url.c
|
||||||
@@ -1329,6 +1329,18 @@ ConnectionExists(struct Curl_easy *data,
|
@@ -1309,7 +1309,18 @@ ConnectionExists(struct Curl_easy *data,
|
||||||
if(!ssh_config_matches(needle, check))
|
if(!ssh_config_matches(needle, check))
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
-
|
||||||
+#ifndef CURL_DISABLE_FTP
|
+#ifndef CURL_DISABLE_FTP
|
||||||
+ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) {
|
+ if(needle->handler->protocol & (CURLPROTO_FTP|CURLPROTO_FTPS)) {
|
||||||
+ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
|
+ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
|
||||||
+ if(Curl_timestrcmp(needle->proto.ftpc.account,
|
+ if(Curl_timestrcmp(needle->proto.ftpc.account,
|
||||||
+ check->proto.ftpc.account) ||
|
+ check->proto.ftpc.account) ||
|
||||||
@ -200,31 +201,31 @@ index 61ba832..4e21838 100644
|
|||||||
+ continue;
|
+ continue;
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
|
if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
|
||||||
if((needle->handler->flags&PROTOPT_SSL)
|
needle->bits.tunnel_proxy) {
|
||||||
#ifndef CURL_DISABLE_PROXY
|
/* The requested connection does not use a HTTP proxy or it uses SSL or
|
||||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
index 9d9ca92..4e2f5b9 100644
|
index 9d9ca92..4e2f5b9 100644
|
||||||
--- a/lib/urldata.h
|
--- a/lib/urldata.h
|
||||||
+++ b/lib/urldata.h
|
+++ b/lib/urldata.h
|
||||||
@@ -1749,8 +1749,6 @@ struct UserDefined {
|
@@ -1498,6 +1498,8 @@ struct UserDefined {
|
||||||
void *ssh_keyfunc_userp; /* custom pointer to callback */
|
curl_write_callback fwrite_header; /* function that stores headers */
|
||||||
enum CURL_NETRC_OPTION
|
curl_write_callback fwrite_rtp; /* function that stores interleaved RTP */
|
||||||
use_netrc; /* defined in include/curl.h */
|
curl_read_callback fread_func_set; /* function that reads the input */
|
||||||
- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
|
|
||||||
- IMAP or POP3 or others! */
|
|
||||||
long new_file_perms; /* Permissions to use when creating remote files */
|
|
||||||
long new_directory_perms; /* Permissions to use when creating remote dirs */
|
|
||||||
long ssh_auth_types; /* allowed SSH auth types */
|
|
||||||
@@ -1793,6 +1791,8 @@ struct UserDefined {
|
|
||||||
CURLU *uh; /* URL handle for the current parsed URL */
|
|
||||||
void *trailer_data; /* pointer to pass to trailer data callback */
|
|
||||||
curl_trailer_callback trailer_callback; /* trailing data callback */
|
|
||||||
+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
|
+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
|
||||||
+ IMAP or POP3 or others! (type: curl_usessl)*/
|
+ IMAP or POP3 or others! (type: curl_usessl)*/
|
||||||
BIT(is_fread_set); /* has read callback been set to non-NULL? */
|
int is_fread_set; /* boolean, has read callback been set to non-NULL? */
|
||||||
BIT(is_fwrite_set); /* has write callback been set to non-NULL? */
|
int is_fwrite_set; /* boolean, has write callback been set to non-NULL? */
|
||||||
BIT(free_referer); /* set TRUE if 'referer' points to a string we
|
curl_progress_callback fprogress; /* OLD and deprecated progress callback */
|
||||||
|
@@ -1622,8 +1624,6 @@ struct UserDefined {
|
||||||
|
bool ftp_use_eprt; /* if EPRT is to be attempted or not */
|
||||||
|
bool ftp_use_pret; /* if PRET is to be used before PASV or not */
|
||||||
|
|
||||||
|
- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
|
||||||
|
- IMAP or POP3 or others! */
|
||||||
|
curl_ftpauth ftpsslauth; /* what AUTH XXX to be attempted */
|
||||||
|
curl_ftpccc ftp_ccc; /* FTP CCC options */
|
||||||
|
bool no_signal; /* do not use any signal/alarm handler */
|
||||||
--
|
--
|
||||||
2.39.2
|
2.39.2
|
||||||
|
|
55
SOURCES/0049-curl-7.61.1-CVE-2023-27536.patch
Normal file
55
SOURCES/0049-curl-7.61.1-CVE-2023-27536.patch
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Fri, 10 Mar 2023 09:22:43 +0100
|
||||||
|
Subject: [PATCH] url: only reuse connections with same GSS delegation
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #10731
|
||||||
|
|
||||||
|
Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 6 ++++++
|
||||||
|
lib/urldata.h | 2 ++
|
||||||
|
2 files changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index 3b11b7e..cbbc7f3 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -1305,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* GSS delegation differences do not actually affect every connection
|
||||||
|
+ and auth method, but this check takes precaution before efficiency */
|
||||||
|
+ if(needle->gssapi_delegation != check->gssapi_delegation)
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
|
||||||
|
if(!ssh_config_matches(needle, check))
|
||||||
|
continue;
|
||||||
|
@@ -1949,6 +1954,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
|
||||||
|
it may live on without (this specific) Curl_easy */
|
||||||
|
conn->fclosesocket = data->set.fclosesocket;
|
||||||
|
conn->closesocket_client = data->set.closesocket_client;
|
||||||
|
+ conn->gssapi_delegation = data->set.gssapi_delegation;
|
||||||
|
|
||||||
|
return conn;
|
||||||
|
error:
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index ce90304..9e16f26 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -856,6 +856,8 @@ struct connectdata {
|
||||||
|
int httpversion; /* the HTTP version*10 reported by the server */
|
||||||
|
int rtspversion; /* the RTSP version*10 reported by the server */
|
||||||
|
|
||||||
|
+ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
|
||||||
|
+
|
||||||
|
struct curltime now; /* "current" time */
|
||||||
|
struct curltime created; /* creation time */
|
||||||
|
curl_socket_t sock[2]; /* two sockets, the second is used for the data
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
34
SOURCES/0050-curl-7.61.1-sftp-upload-flags.patch
Normal file
34
SOURCES/0050-curl-7.61.1-sftp-upload-flags.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
From cc52b2d89397ff26b01d791cd1c605cba741aaa4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
|
||||||
|
Date: Wed, 24 Jul 2019 11:47:51 +0200
|
||||||
|
Subject: [PATCH] ssh-libssh: do not specify O_APPEND when not in append mode
|
||||||
|
|
||||||
|
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
|
||||||
|
make much sense. And this combination of flags is not accepted by all
|
||||||
|
SFTP servers (at least not Apache SSHD).
|
||||||
|
|
||||||
|
Fixes #4147
|
||||||
|
Closes #4148
|
||||||
|
|
||||||
|
Upstream-commit: 62617495102c60124db8a909f592f063e38a89aa
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/ssh-libssh.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||||
|
index 4110be2..2414173 100644
|
||||||
|
--- a/lib/ssh-libssh.c
|
||||||
|
+++ b/lib/ssh-libssh.c
|
||||||
|
@@ -1112,7 +1112,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
|
||||||
|
flags = O_WRONLY|O_APPEND;
|
||||||
|
else
|
||||||
|
/* Clear file before writing (normal behaviour) */
|
||||||
|
- flags = O_WRONLY|O_APPEND|O_CREAT|O_TRUNC;
|
||||||
|
+ flags = O_WRONLY|O_CREAT|O_TRUNC;
|
||||||
|
|
||||||
|
if(sshc->sftp_file)
|
||||||
|
sftp_close(sshc->sftp_file);
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -143,7 +143,7 @@ index 84f962abebee3..f31b2c2a3f330 100644
|
|||||||
</keywords>
|
</keywords>
|
||||||
</info>
|
</info>
|
||||||
|
|
||||||
@@ -14,9 +13,9 @@ none
|
@@ -15,10 +14,10 @@ none
|
||||||
<features>
|
<features>
|
||||||
unittest
|
unittest
|
||||||
</features>
|
</features>
|
||||||
@ -153,9 +153,10 @@ index 84f962abebee3..f31b2c2a3f330 100644
|
|||||||
+<name>
|
+<name>
|
||||||
+Curl_cert_hostcheck unit tests
|
+Curl_cert_hostcheck unit tests
|
||||||
+</name>
|
+</name>
|
||||||
|
<tool>
|
||||||
|
unit1397
|
||||||
|
</tool>
|
||||||
</client>
|
</client>
|
||||||
|
|
||||||
</testcase>
|
|
||||||
diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
|
diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
|
||||||
index 2f3d3aa4d09e1..3ae75618d5d10 100644
|
index 2f3d3aa4d09e1..3ae75618d5d10 100644
|
||||||
--- a/tests/unit/unit1397.c
|
--- a/tests/unit/unit1397.c
|
||||||
@ -179,7 +180,7 @@ index 2f3d3aa4d09e1..3ae75618d5d10 100644
|
|||||||
-UNITTEST_START
|
-UNITTEST_START
|
||||||
-
|
-
|
||||||
/* only these backends define the tested functions */
|
/* only these backends define the tested functions */
|
||||||
-#if defined(USE_OPENSSL) || defined(USE_GSKIT)
|
-#if defined(USE_OPENSSL) || defined(USE_AXTLS) || defined(USE_GSKIT)
|
||||||
-
|
-
|
||||||
- /* here you start doing things and checking that the results are good */
|
- /* here you start doing things and checking that the results are good */
|
||||||
+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
|
+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
|
2768
SOURCES/0052-curl-7.61.1-certs.patch
Normal file
2768
SOURCES/0052-curl-7.61.1-certs.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,169 @@
|
|||||||
|
From be17dc9d31e805c03372b690dde67838b3bfc12d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Wed, 24 May 2023 16:34:11 +0200
|
||||||
|
Subject: [PATCH] libssh: when keyboard-interactive auth fails, try password
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The state machine had a mistake in that it would not carry on to that
|
||||||
|
next step.
|
||||||
|
|
||||||
|
This also adds a verbose output what methods that are available from the
|
||||||
|
server and renames the macros that change to the next auth methods to
|
||||||
|
try.
|
||||||
|
|
||||||
|
Reported-by: 左潇峰
|
||||||
|
Fixes #11196
|
||||||
|
Closes #11197
|
||||||
|
---
|
||||||
|
lib/ssh-libssh.c | 43 +++++++++++++++++++++++++++----------------
|
||||||
|
1 file changed, 27 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||||
|
index 7ebe61321419f..1cecb649cb623 100644
|
||||||
|
--- a/lib/ssh-libssh.c
|
||||||
|
+++ b/lib/ssh-libssh.c
|
||||||
|
@@ -442,7 +442,7 @@ static int myssh_is_known(struct Curl_easy *data)
|
||||||
|
break; \
|
||||||
|
}
|
||||||
|
|
||||||
|
-#define MOVE_TO_LAST_AUTH \
|
||||||
|
+#define MOVE_TO_PASSWD_AUTH \
|
||||||
|
if(sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD) { \
|
||||||
|
rc = SSH_OK; \
|
||||||
|
state(conn, SSH_AUTH_PASS_INIT); \
|
||||||
|
@@ -452,25 +452,25 @@ static int myssh_is_known(struct Curl_easy *data)
|
||||||
|
MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); \
|
||||||
|
}
|
||||||
|
|
||||||
|
-#define MOVE_TO_TERTIARY_AUTH \
|
||||||
|
+#define MOVE_TO_KEY_AUTH \
|
||||||
|
if(sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE) { \
|
||||||
|
rc = SSH_OK; \
|
||||||
|
state(conn, SSH_AUTH_KEY_INIT); \
|
||||||
|
break; \
|
||||||
|
} \
|
||||||
|
else { \
|
||||||
|
- MOVE_TO_LAST_AUTH; \
|
||||||
|
+ MOVE_TO_PASSWD_AUTH; \
|
||||||
|
}
|
||||||
|
|
||||||
|
-#define MOVE_TO_SECONDARY_AUTH \
|
||||||
|
+#define MOVE_TO_GSSAPI_AUTH \
|
||||||
|
if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { \
|
||||||
|
rc = SSH_OK; \
|
||||||
|
state(conn, SSH_AUTH_GSSAPI); \
|
||||||
|
break; \
|
||||||
|
} \
|
||||||
|
else { \
|
||||||
|
- MOVE_TO_TERTIARY_AUTH; \
|
||||||
|
+ MOVE_TO_KEY_AUTH; \
|
||||||
|
}
|
||||||
|
|
||||||
|
static
|
||||||
|
int myssh_auth_interactive(struct connectdata *conn)
|
||||||
|
@@ -617,6 +617,16 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
|
}
|
||||||
|
|
||||||
|
sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
|
||||||
|
+ if(sshc->auth_methods)
|
||||||
|
+ infof(data, "SSH authentication methods available: %s%s%s%s",
|
||||||
|
+ sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY ?
|
||||||
|
+ "public key, ": "",
|
||||||
|
+ sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC ?
|
||||||
|
+ "GSSAPI, " : "",
|
||||||
|
+ sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE ?
|
||||||
|
+ "keyboard-interactive, " : "",
|
||||||
|
+ sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
|
||||||
|
+ "password": "");
|
||||||
|
if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
|
||||||
|
state(conn, SSH_AUTH_PKEY_INIT);
|
||||||
|
infof(data, "Authentication using SSH public key file\n");
|
||||||
|
@@ -761,8 +761,8 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
|
}
|
||||||
|
case SSH_AUTH_PKEY_INIT:
|
||||||
|
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PUBLICKEY)) {
|
||||||
|
- MOVE_TO_SECONDARY_AUTH;
|
||||||
|
+ MOVE_TO_GSSAPI_AUTH;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Two choices, (1) private key was given on CMD,
|
||||||
|
* (2) use the "default" keys. */
|
||||||
|
@@ -776,7 +776,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
|
}
|
||||||
|
|
||||||
|
if(rc != SSH_OK) {
|
||||||
|
- MOVE_TO_SECONDARY_AUTH;
|
||||||
|
+ MOVE_TO_GSSAPI_AUTH;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -826,7 +836,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
- MOVE_TO_SECONDARY_AUTH;
|
||||||
|
+ MOVE_TO_GSSAPI_AUTH;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case SSH_AUTH_PKEY:
|
||||||
|
@@ -828,13 +828,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
infof(data, "Failed public key authentication (rc: %d)\n", rc);
|
||||||
|
- MOVE_TO_SECONDARY_AUTH;
|
||||||
|
+ MOVE_TO_GSSAPI_AUTH;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSH_AUTH_GSSAPI:
|
||||||
|
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_GSSAPI)) {
|
||||||
|
- MOVE_TO_TERTIARY_AUTH;
|
||||||
|
+ MOVE_TO_KEY_AUTH;
|
||||||
|
}
|
||||||
|
|
||||||
|
rc = ssh_userauth_gssapi(sshc->ssh_session);
|
||||||
|
@@ -851,7 +851,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
- MOVE_TO_TERTIARY_AUTH;
|
||||||
|
+ MOVE_TO_KEY_AUTH;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSH_AUTH_KEY_INIT:
|
||||||
|
@@ -736,13 +736,12 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
|
state(conn, SSH_AUTH_KEY);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- MOVE_TO_LAST_AUTH;
|
||||||
|
+ MOVE_TO_PASSWD_AUTH;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSH_AUTH_KEY:
|
||||||
|
-
|
||||||
|
- /* Authentication failed. Continue with keyboard-interactive now. */
|
||||||
|
+ /* keyboard-interactive authentication */
|
||||||
|
rc = myssh_auth_interactive(conn);
|
||||||
|
if(rc == SSH_AGAIN) {
|
||||||
|
break;
|
||||||
|
@@ -759,13 +759,15 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
|
if(rc == SSH_OK) {
|
||||||
|
sshc->authed = TRUE;
|
||||||
|
infof(data, "completed keyboard interactive authentication\n");
|
||||||
|
+ state(conn, SSH_AUTH_DONE);
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ MOVE_TO_PASSWD_AUTH;
|
||||||
|
}
|
||||||
|
- state(conn, SSH_AUTH_DONE);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case SSH_AUTH_PASS_INIT:
|
||||||
|
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PASSWORD)) {
|
||||||
|
- /* Host key authentication is intentionally not implemented */
|
||||||
|
MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED);
|
||||||
|
}
|
||||||
|
state(conn, SSH_AUTH_PASS);
|
31
SOURCES/0054-curl-7.61.1-64K-sftp.patch
Normal file
31
SOURCES/0054-curl-7.61.1-64K-sftp.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Tue, 5 Sep 2023 17:33:41 +0200
|
||||||
|
Subject: [PATCH] libssh: cap SFTP packet size sent
|
||||||
|
|
||||||
|
Due to libssh limitations
|
||||||
|
|
||||||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
|
||||||
|
Closes #11804
|
||||||
|
---
|
||||||
|
lib/ssh-libssh.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||||
|
index dea0084575859..7c6a2e53f338f 100644
|
||||||
|
--- a/lib/ssh-libssh.c
|
||||||
|
+++ b/lib/ssh-libssh.c
|
||||||
|
@@ -2412,6 +2412,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex,
|
||||||
|
ssize_t nwrite;
|
||||||
|
(void)sockindex;
|
||||||
|
|
||||||
|
+ /* limit the writes to the maximum specified in Section 3 of
|
||||||
|
+ * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02
|
||||||
|
+ */
|
||||||
|
+ if(len > 32768)
|
||||||
|
+ len = 32768;
|
||||||
|
+
|
||||||
|
nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len);
|
||||||
|
|
||||||
|
myssh_block2waitfor(conn, FALSE);
|
@ -19,10 +19,9 @@ internally and externally.
|
|||||||
lib/tftp.c | 8 ++++----
|
lib/tftp.c | 8 ++++----
|
||||||
lib/transfer.c | 4 ++--
|
lib/transfer.c | 4 ++--
|
||||||
lib/urldata.h | 2 +-
|
lib/urldata.h | 2 +-
|
||||||
lib/vssh/libssh.c | 6 +++---
|
lib/ssh-libssh.c | 6 +++---
|
||||||
lib/vssh/libssh2.c | 6 +++---
|
lib/ssh.c | 6 +++---
|
||||||
lib/vssh/wolfssh.c | 2 +-
|
14 files changed, 36 insertions(+), 38 deletions(-)
|
||||||
15 files changed, 36 insertions(+), 38 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c
|
diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c
|
||||||
index 2679a2cdc1afe..406fb42ac0f44 100644
|
index 2679a2cdc1afe..406fb42ac0f44 100644
|
||||||
@ -32,8 +31,8 @@ index 2679a2cdc1afe..406fb42ac0f44 100644
|
|||||||
/* We have to know if it's a write before we send the
|
/* We have to know if it's a write before we send the
|
||||||
* connect request packet
|
* connect request packet
|
||||||
*/
|
*/
|
||||||
- if(data->set.upload)
|
- if(conn->data->set.upload)
|
||||||
+ if(data->state.upload)
|
+ if(conn->data->state.upload)
|
||||||
r->Link.protocol |= RTMP_FEATURE_WRITE;
|
r->Link.protocol |= RTMP_FEATURE_WRITE;
|
||||||
|
|
||||||
/* For plain streams, use the buffer toggle trick to keep data flowing */
|
/* For plain streams, use the buffer toggle trick to keep data flowing */
|
||||||
@ -41,10 +40,10 @@ index 2679a2cdc1afe..406fb42ac0f44 100644
|
|||||||
if(!RTMP_ConnectStream(r, 0))
|
if(!RTMP_ConnectStream(r, 0))
|
||||||
return CURLE_FAILED_INIT;
|
return CURLE_FAILED_INIT;
|
||||||
|
|
||||||
- if(data->set.upload) {
|
- if(conn->data->set.upload) {
|
||||||
+ if(data->state.upload) {
|
+ if(conn->data->state.upload) {
|
||||||
Curl_pgrsSetUploadSize(data, data->state.infilesize);
|
Curl_pgrsSetUploadSize(conn->data, conn->data->state.infilesize);
|
||||||
Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET);
|
Curl_setup_transfer(conn, -1, -1, FALSE, NULL, FIRSTSOCKET, NULL);
|
||||||
}
|
}
|
||||||
diff --git a/lib/file.c b/lib/file.c
|
diff --git a/lib/file.c b/lib/file.c
|
||||||
index 51c5d07ce40ab..c751e8861a99b 100644
|
index 51c5d07ce40ab..c751e8861a99b 100644
|
||||||
@ -56,8 +55,8 @@ index 51c5d07ce40ab..c751e8861a99b 100644
|
|||||||
file->fd = fd;
|
file->fd = fd;
|
||||||
- if(!data->set.upload && (fd == -1)) {
|
- if(!data->set.upload && (fd == -1)) {
|
||||||
+ if(!data->state.upload && (fd == -1)) {
|
+ if(!data->state.upload && (fd == -1)) {
|
||||||
failf(data, "Couldn't open file %s", data->state.up.path);
|
failf(data, "Couldn't open file %s", data->state.path);
|
||||||
file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE);
|
file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE);
|
||||||
return CURLE_FILE_COULDNT_READ_FILE;
|
return CURLE_FILE_COULDNT_READ_FILE;
|
||||||
@@ -422,7 +422,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done)
|
@@ -422,7 +422,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done)
|
||||||
|
|
||||||
@ -65,22 +64,22 @@ index 51c5d07ce40ab..c751e8861a99b 100644
|
|||||||
|
|
||||||
- if(data->set.upload)
|
- if(data->set.upload)
|
||||||
+ if(data->state.upload)
|
+ if(data->state.upload)
|
||||||
return file_upload(data);
|
return file_upload(conn);
|
||||||
|
|
||||||
file = data->req.p.file;
|
file = conn->data->req.protop;
|
||||||
diff --git a/lib/ftp.c b/lib/ftp.c
|
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||||
index f50d7baf622f8..4ff68cc454cbc 100644
|
index f50d7baf622f8..4ff68cc454cbc 100644
|
||||||
--- a/lib/ftp.c
|
--- a/lib/ftp.c
|
||||||
+++ b/lib/ftp.c
|
+++ b/lib/ftp.c
|
||||||
@@ -1381,7 +1381,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data)
|
@@ -1381,7 +1381,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data)
|
||||||
data->set.str[STRING_CUSTOMREQUEST]?
|
|
||||||
data->set.str[STRING_CUSTOMREQUEST]:
|
data->set.str[STRING_CUSTOMREQUEST]:
|
||||||
(data->state.list_only?"NLST":"LIST"));
|
(data->set.ftp_list_only?"NLST":"LIST"));
|
||||||
- else if(data->set.upload)
|
}
|
||||||
+ else if(data->state.upload)
|
- else if(data->set.upload) {
|
||||||
result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s",
|
+ else if(data->state.upload) {
|
||||||
conn->proto.ftpc.file);
|
PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file);
|
||||||
else
|
}
|
||||||
|
else {
|
||||||
@@ -3368,7 +3368,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status,
|
@@ -3368,7 +3368,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status,
|
||||||
/* the response code from the transfer showed an error already so no
|
/* the response code from the transfer showed an error already so no
|
||||||
use checking further */
|
use checking further */
|
||||||
@ -88,7 +87,7 @@ index f50d7baf622f8..4ff68cc454cbc 100644
|
|||||||
- else if(data->set.upload) {
|
- else if(data->set.upload) {
|
||||||
+ else if(data->state.upload) {
|
+ else if(data->state.upload) {
|
||||||
if((-1 != data->state.infilesize) &&
|
if((-1 != data->state.infilesize) &&
|
||||||
(data->state.infilesize != data->req.writebytecount) &&
|
(data->state.infilesize != *ftp->bytecountp) &&
|
||||||
!data->set.crlf &&
|
!data->set.crlf &&
|
||||||
@@ -3640,7 +3640,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep)
|
@@ -3640,7 +3640,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep)
|
||||||
connected back to us */
|
connected back to us */
|
||||||
@ -96,68 +95,66 @@ index f50d7baf622f8..4ff68cc454cbc 100644
|
|||||||
}
|
}
|
||||||
- else if(data->set.upload) {
|
- else if(data->set.upload) {
|
||||||
+ else if(data->state.upload) {
|
+ else if(data->state.upload) {
|
||||||
result = ftp_nb_type(data, conn, data->state.prefer_ascii,
|
result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE);
|
||||||
FTP_STOR_TYPE);
|
|
||||||
if(result)
|
if(result)
|
||||||
|
return result;
|
||||||
@@ -4217,7 +4217,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data)
|
@@ -4217,7 +4217,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data)
|
||||||
ftpc->file = NULL; /* instead of point to a zero byte,
|
ftpc->file = NULL; /* instead of point to a zero byte, we make it a NULL
|
||||||
we make it a NULL pointer */
|
pointer */
|
||||||
|
|
||||||
- if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) {
|
- if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
|
||||||
+ if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) {
|
+ if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
|
||||||
/* We need a file name when uploading. Return error! */
|
/* We need a file name when uploading. Return error! */
|
||||||
failf(data, "Uploading to a URL without a file name!");
|
failf(data, "Uploading to a URL without a file name!");
|
||||||
free(rawPath);
|
return CURLE_URL_MALFORMAT;
|
||||||
diff --git a/lib/http.c b/lib/http.c
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
index 80e43f6f361e8..bffdd3468536d 100644
|
index 80e43f6f361e8..bffdd3468536d 100644
|
||||||
--- a/lib/http.c
|
--- a/lib/http.c
|
||||||
+++ b/lib/http.c
|
+++ b/lib/http.c
|
||||||
@@ -2112,7 +2112,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn,
|
@@ -2112,7 +2112,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn,
|
||||||
Curl_HttpReq httpreq = data->state.httpreq;
|
http->writebytecount = http->readbytecount = 0;
|
||||||
const char *request;
|
|
||||||
if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
|
if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
|
||||||
- data->set.upload)
|
- data->set.upload) {
|
||||||
+ data->state.upload)
|
+ data->state.upload) {
|
||||||
httpreq = HTTPREQ_PUT;
|
httpreq = HTTPREQ_PUT;
|
||||||
|
}
|
||||||
|
|
||||||
/* Now set the 'request' pointer to the proper request string */
|
|
||||||
@@ -2423,7 +2423,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn,
|
@@ -2423,7 +2423,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn,
|
||||||
if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
|
if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
|
||||||
(((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
|
(((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
|
||||||
http->postsize < 0) ||
|
http->postsize < 0) ||
|
||||||
- ((data->set.upload || httpreq == HTTPREQ_POST) &&
|
- (data->set.upload && data->state.infilesize == -1))) {
|
||||||
+ ((data->state.upload || httpreq == HTTPREQ_POST) &&
|
+ (data->state.upload && data->state.infilesize == -1))) {
|
||||||
data->state.infilesize == -1))) {
|
|
||||||
if(conn->bits.authneg)
|
if(conn->bits.authneg)
|
||||||
/* don't enable chunked during auth neg */
|
/* don't enable chunked during auth neg */
|
||||||
|
;
|
||||||
diff --git a/lib/imap.c b/lib/imap.c
|
diff --git a/lib/imap.c b/lib/imap.c
|
||||||
index c2f675d4b2618..1952e66a1efcd 100644
|
index c2f675d4b2618..1952e66a1efcd 100644
|
||||||
--- a/lib/imap.c
|
--- a/lib/imap.c
|
||||||
+++ b/lib/imap.c
|
+++ b/lib/imap.c
|
||||||
@@ -1511,11 +1511,11 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status,
|
@@ -1511,10 +1511,10 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status,
|
||||||
result = status; /* use the already set error code */
|
result = status; /* use the already set error code */
|
||||||
}
|
}
|
||||||
else if(!data->set.connect_only && !imap->custom &&
|
else if(!data->set.connect_only && !imap->custom &&
|
||||||
- (imap->uid || imap->mindex || data->set.upload ||
|
- (imap->uid || data->set.upload ||
|
||||||
+ (imap->uid || imap->mindex || data->state.upload ||
|
+ (imap->uid || data->state.upload ||
|
||||||
data->set.mimepost.kind != MIMEKIND_NONE)) {
|
data->set.mimepost.kind != MIMEKIND_NONE)) {
|
||||||
/* Handle responses after FETCH or APPEND transfer has finished */
|
/* Handle responses after FETCH or APPEND transfer has finished */
|
||||||
|
|
||||||
- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
|
- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
|
||||||
+ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
|
+ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
|
||||||
state(data, IMAP_FETCH_FINAL);
|
state(conn, IMAP_FETCH_FINAL);
|
||||||
else {
|
else {
|
||||||
/* End the APPEND command first by sending an empty line */
|
/* End the APPEND command first by sending an empty line */
|
||||||
@@ -1581,7 +1581,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected,
|
@@ -1581,7 +1581,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected,
|
||||||
selected = TRUE;
|
selected = TRUE;
|
||||||
|
|
||||||
/* Start the first command in the DO phase */
|
/* Start the first command in the DO phase */
|
||||||
- if(data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
|
- if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
|
||||||
+ if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
|
+ if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
|
||||||
/* APPEND can be executed directly */
|
/* APPEND can be executed directly */
|
||||||
result = imap_perform_append(data);
|
result = imap_perform_append(conn);
|
||||||
else if(imap->custom && (selected || !imap->mailbox))
|
else if(imap->custom && (selected || !imap->mailbox))
|
||||||
diff --git a/lib/rtsp.c b/lib/rtsp.c
|
|
||||||
index ea99d720ec4eb..ccd7264b00e74 100644
|
index ea99d720ec4eb..ccd7264b00e74 100644
|
||||||
--- a/lib/rtsp.c
|
--- a/lib/rtsp.c
|
||||||
+++ b/lib/rtsp.c
|
+++ b/lib/rtsp.c
|
||||||
@ -168,11 +165,11 @@ index ea99d720ec4eb..ccd7264b00e74 100644
|
|||||||
- if(data->set.upload) {
|
- if(data->set.upload) {
|
||||||
+ if(data->state.upload) {
|
+ if(data->state.upload) {
|
||||||
putsize = data->state.infilesize;
|
putsize = data->state.infilesize;
|
||||||
data->state.httpreq = HTTPREQ_PUT;
|
data->set.httpreq = HTTPREQ_PUT;
|
||||||
|
|
||||||
@@ -512,7 +512,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done)
|
@@ -512,7 +512,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done)
|
||||||
result =
|
if(!Curl_checkheaders(conn, "Content-Length")) {
|
||||||
Curl_dyn_addf(&req_buffer,
|
result = Curl_add_bufferf(req_buffer,
|
||||||
"Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
|
"Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
|
||||||
- (data->set.upload ? putsize : postsize));
|
- (data->set.upload ? putsize : postsize));
|
||||||
+ (data->state.upload ? putsize : postsize));
|
+ (data->state.upload ? putsize : postsize));
|
||||||
@ -192,20 +189,12 @@ index 38f5711e44191..0c3b9634d1192 100644
|
|||||||
+ arg = va_arg(param, long);
|
+ arg = va_arg(param, long);
|
||||||
+ if(arg) {
|
+ if(arg) {
|
||||||
/* If this is HTTP, PUT is what's needed to "upload" */
|
/* If this is HTTP, PUT is what's needed to "upload" */
|
||||||
data->set.method = HTTPREQ_PUT;
|
data->set.httpreq = HTTPREQ_PUT;
|
||||||
data->set.opt_no_body = FALSE; /* this is implied */
|
data->set.opt_no_body = FALSE; /* this is implied */
|
||||||
@@ -628,7 +628,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
|
||||||
}
|
|
||||||
else
|
|
||||||
data->set.method = HTTPREQ_GET;
|
|
||||||
- data->set.upload = FALSE;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case CURLOPT_HTTPPOST:
|
|
||||||
@@ -888,7 +887,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
@@ -888,7 +887,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||||
*/
|
*/
|
||||||
if(va_arg(param, long)) {
|
if(va_arg(param, long)) {
|
||||||
data->set.method = HTTPREQ_GET;
|
data->set.httpreq = HTTPREQ_GET;
|
||||||
- data->set.upload = FALSE; /* switch off upload */
|
- data->set.upload = FALSE; /* switch off upload */
|
||||||
data->set.opt_no_body = FALSE; /* this is implied */
|
data->set.opt_no_body = FALSE; /* this is implied */
|
||||||
}
|
}
|
||||||
@ -218,19 +207,19 @@ index a1e444ee6b97e..d6822213529bc 100644
|
|||||||
byte_count = strlen(req->path);
|
byte_count = strlen(req->path);
|
||||||
msg.name_length = smb_swap16((unsigned short)byte_count);
|
msg.name_length = smb_swap16((unsigned short)byte_count);
|
||||||
msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
|
msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
|
||||||
- if(data->set.upload) {
|
- if(conn->data->set.upload) {
|
||||||
+ if(data->state.upload) {
|
+ if(conn->data->state.upload) {
|
||||||
msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
|
msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
|
||||||
msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
|
msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
|
||||||
}
|
}
|
||||||
@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
|
@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
|
||||||
smb_m = (const struct smb_nt_create_response*) msg;
|
smb_m = (const struct smb_nt_create_response*) msg;
|
||||||
req->fid = smb_swap16(smb_m->fid);
|
req->fid = smb_swap16(smb_m->fid);
|
||||||
data->req.offset = 0;
|
conn->data->req.offset = 0;
|
||||||
- if(data->set.upload) {
|
- if(conn->data->set.upload) {
|
||||||
+ if(data->state.upload) {
|
+ if(conn->data->state.upload) {
|
||||||
data->req.size = data->state.infilesize;
|
conn->data->req.size = conn->data->state.infilesize;
|
||||||
Curl_pgrsSetUploadSize(data, data->req.size);
|
Curl_pgrsSetUploadSize(conn->data, conn->data->req.size);
|
||||||
next_state = SMB_UPLOAD;
|
next_state = SMB_UPLOAD;
|
||||||
diff --git a/lib/smtp.c b/lib/smtp.c
|
diff --git a/lib/smtp.c b/lib/smtp.c
|
||||||
index 7a030308d4689..c182cace742d7 100644
|
index 7a030308d4689..c182cace742d7 100644
|
||||||
@ -252,7 +241,7 @@ index 7a030308d4689..c182cace742d7 100644
|
|||||||
- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
|
- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
|
||||||
+ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
|
+ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
|
||||||
/* MAIL transfer */
|
/* MAIL transfer */
|
||||||
result = smtp_perform_mail(data);
|
result = smtp_perform_mail(conn);
|
||||||
else
|
else
|
||||||
diff --git a/lib/tftp.c b/lib/tftp.c
|
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||||
index 164d3c723c5b9..8ed1b887b4d21 100644
|
index 164d3c723c5b9..8ed1b887b4d21 100644
|
||||||
@ -275,14 +264,14 @@ index 164d3c723c5b9..8ed1b887b4d21 100644
|
|||||||
+ if(data->state.upload) {
|
+ if(data->state.upload) {
|
||||||
/* If we are uploading, send an WRQ */
|
/* If we are uploading, send an WRQ */
|
||||||
setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
|
setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
|
||||||
state->data->req.upload_fromhere =
|
state->conn->data->req.upload_fromhere =
|
||||||
@@ -486,7 +486,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
|
@@ -486,7 +486,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
|
||||||
if(!data->set.tftp_no_options) {
|
if(!data->set.tftp_no_options) {
|
||||||
char buf[64];
|
char buf[64];
|
||||||
/* add tsize option */
|
/* add tsize option */
|
||||||
- if(data->set.upload && (data->state.infilesize != -1))
|
- if(data->set.upload && (data->state.infilesize != -1))
|
||||||
+ if(data->state.upload && (data->state.infilesize != -1))
|
+ if(data->state.upload && (data->state.infilesize != -1))
|
||||||
msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
|
snprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
|
||||||
data->state.infilesize);
|
data->state.infilesize);
|
||||||
else
|
else
|
||||||
@@ -540,7 +540,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
|
@@ -540,7 +540,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
|
||||||
@ -302,18 +291,10 @@ index e9ab8fbf09510..cb69f3365855a 100644
|
|||||||
{
|
{
|
||||||
data->state.fread_func = data->set.fread_func_set;
|
data->state.fread_func = data->set.fread_func_set;
|
||||||
data->state.in = data->set.in_set;
|
data->state.in = data->set.in_set;
|
||||||
+ data->state.upload = (data->state.httpreq == HTTPREQ_PUT);
|
+ data->state.upload = (data->set.httpreq == HTTPREQ_PUT);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1801,7 +1801,6 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
|
||||||
data->state.httpreq != HTTPREQ_POST_MIME) ||
|
|
||||||
!(data->set.keep_post & CURL_REDIR_POST_303))) {
|
|
||||||
data->state.httpreq = HTTPREQ_GET;
|
|
||||||
- data->set.upload = false;
|
|
||||||
infof(data, "Switch to %s\n",
|
|
||||||
data->set.opt_no_body?"HEAD":"GET");
|
|
||||||
}
|
|
||||||
@@ -1770,7 +1770,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url)
|
@@ -1770,7 +1770,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url)
|
||||||
|
|
||||||
/* if we're talking upload, we can't do the checks below, unless the protocol
|
/* if we're talking upload, we can't do the checks below, unless the protocol
|
||||||
@ -328,32 +309,32 @@ index cca992a0295aa..a8580bdb66fe8 100644
|
|||||||
--- a/lib/urldata.h
|
--- a/lib/urldata.h
|
||||||
+++ b/lib/urldata.h
|
+++ b/lib/urldata.h
|
||||||
@@ -1494,6 +1494,7 @@ struct UrlState {
|
@@ -1494,6 +1494,7 @@ struct UrlState {
|
||||||
BIT(url_alloc); /* URL string is malloc()'ed */
|
#ifdef CURLDEBUG
|
||||||
BIT(referer_alloc); /* referer string is malloc()ed */
|
bool conncache_lock;
|
||||||
BIT(wildcard_resolve); /* Set to true if any resolve change is a wildcard */
|
#endif
|
||||||
+ BIT(upload); /* upload request */
|
+ bool upload; /* upload request */
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1838,7 +1839,6 @@ struct UserDefined {
|
@@ -1838,7 +1839,6 @@ struct UserDefined {
|
||||||
BIT(http_auto_referer); /* set "correct" referer when following
|
bool http_set_referer; /* is a custom referer used */
|
||||||
location: */
|
bool http_auto_referer; /* set "correct" referer when following location: */
|
||||||
BIT(opt_no_body); /* as set with CURLOPT_NOBODY */
|
bool opt_no_body; /* as set with CURLOPT_NOBODY */
|
||||||
- BIT(upload); /* upload request */
|
- bool upload; /* upload request */
|
||||||
BIT(verbose); /* output verbosity */
|
enum CURL_NETRC_OPTION
|
||||||
BIT(krb); /* Kerberos connection requested */
|
use_netrc; /* defined in include/curl.h */
|
||||||
BIT(reuse_forbid); /* forbidden to be reused, close after use */
|
bool verbose; /* output verbosity */
|
||||||
diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
|
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||||
index b31f741ba9492..d60edaa303642 100644
|
index b31f741ba9492..d60edaa303642 100644
|
||||||
--- a/lib/vssh/libssh.c
|
--- a/lib/ssh-libssh.c
|
||||||
+++ b/lib/vssh/libssh.c
|
+++ b/lib/ssh-libssh.c
|
||||||
@@ -1209,7 +1209,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
@@ -1209,7 +1209,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
}
|
}
|
||||||
|
|
||||||
case SSH_SFTP_TRANS_INIT:
|
case SSH_SFTP_TRANS_INIT:
|
||||||
- if(data->set.upload)
|
- if(data->set.upload)
|
||||||
+ if(data->state.upload)
|
+ if(data->state.upload)
|
||||||
state(data, SSH_SFTP_UPLOAD_INIT);
|
state(conn, SSH_SFTP_UPLOAD_INIT);
|
||||||
else {
|
else {
|
||||||
if(protop->path[strlen(protop->path)-1] == '/')
|
if(protop->path[strlen(protop->path)-1] == '/')
|
||||||
@@ -1802,7 +1802,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
@@ -1802,7 +1802,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
@ -371,22 +352,22 @@ index b31f741ba9492..d60edaa303642 100644
|
|||||||
case SSH_SCP_DONE:
|
case SSH_SCP_DONE:
|
||||||
- if(data->set.upload)
|
- if(data->set.upload)
|
||||||
+ if(data->state.upload)
|
+ if(data->state.upload)
|
||||||
state(data, SSH_SCP_SEND_EOF);
|
state(conn, SSH_SCP_SEND_EOF);
|
||||||
else
|
else
|
||||||
state(data, SSH_SCP_CHANNEL_FREE);
|
state(conn, SSH_SCP_CHANNEL_FREE);
|
||||||
diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
|
diff --git a/lib/ssh.c b/lib/ssh.c
|
||||||
index f1154dc47a74e..f2e5352d1fd3a 100644
|
index f1154dc47a74e..f2e5352d1fd3a 100644
|
||||||
--- a/lib/vssh/libssh2.c
|
--- a/lib/ssh.c
|
||||||
+++ b/lib/vssh/libssh2.c
|
+++ b/lib/ssh.c
|
||||||
@@ -2019,7 +2019,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
|
@@ -2019,7 +2019,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
}
|
}
|
||||||
|
|
||||||
case SSH_SFTP_TRANS_INIT:
|
case SSH_SFTP_TRANS_INIT:
|
||||||
- if(data->set.upload)
|
- if(data->set.upload)
|
||||||
+ if(data->state.upload)
|
+ if(data->state.upload)
|
||||||
state(data, SSH_SFTP_UPLOAD_INIT);
|
state(conn, SSH_SFTP_UPLOAD_INIT);
|
||||||
else {
|
else {
|
||||||
if(sshp->path[strlen(sshp->path)-1] == '/')
|
if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
|
||||||
@@ -2691,7 +2691,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
|
@@ -2691,7 +2691,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -402,19 +383,6 @@ index f1154dc47a74e..f2e5352d1fd3a 100644
|
|||||||
case SSH_SCP_DONE:
|
case SSH_SCP_DONE:
|
||||||
- if(data->set.upload)
|
- if(data->set.upload)
|
||||||
+ if(data->state.upload)
|
+ if(data->state.upload)
|
||||||
state(data, SSH_SCP_SEND_EOF);
|
state(conn, SSH_SCP_SEND_EOF);
|
||||||
else
|
else
|
||||||
state(data, SSH_SCP_CHANNEL_FREE);
|
state(conn, SSH_SCP_CHANNEL_FREE);
|
||||||
diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c
|
|
||||||
index 17d59ecd23bc8..2ca91b7363b1d 100644
|
|
||||||
--- a/lib/vssh/wolfssh.c
|
|
||||||
+++ b/lib/vssh/wolfssh.c
|
|
||||||
@@ -557,7 +557,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block)
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case SSH_SFTP_TRANS_INIT:
|
|
||||||
- if(data->set.upload)
|
|
||||||
+ if(data->state.upload)
|
|
||||||
state(data, SSH_SFTP_UPLOAD_INIT);
|
|
||||||
else {
|
|
||||||
if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
|
|
124
SOURCES/0056-curl-7.61.1-CVE-2023-38546.patch
Normal file
124
SOURCES/0056-curl-7.61.1-CVE-2023-38546.patch
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 14 Sep 2023 23:28:32 +0200
|
||||||
|
Subject: [PATCH] cookie: remove unnecessary struct fields
|
||||||
|
|
||||||
|
Plus: reduce the hash table size from 256 to 63. It seems unlikely to
|
||||||
|
make much of a speed difference for most use cases but saves 1.5KB of
|
||||||
|
data per instance.
|
||||||
|
|
||||||
|
Closes #11862
|
||||||
|
---
|
||||||
|
lib/cookie.c | 13 +------------
|
||||||
|
lib/cookie.h | 13 ++++---------
|
||||||
|
lib/easy.c | 4 +---
|
||||||
|
3 files changed, 6 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||||
|
index 4345a84c6fd9d..e39c89a94a960 100644
|
||||||
|
--- a/lib/cookie.c
|
||||||
|
+++ b/lib/cookie.c
|
||||||
|
@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
|
||||||
|
free(co->name);
|
||||||
|
free(co->value);
|
||||||
|
free(co->maxage);
|
||||||
|
- free(co->version);
|
||||||
|
free(co);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if(strcasecompare("version", name)) {
|
||||||
|
- strstore(&co->version, whatptr);
|
||||||
|
- if(!co->version) {
|
||||||
|
- badcookie = TRUE;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
+ /* just ignore */
|
||||||
|
}
|
||||||
|
else if(strcasecompare("max-age", name)) {
|
||||||
|
/* Defined in RFC2109:
|
||||||
|
@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||||
|
free(clist->path);
|
||||||
|
free(clist->spath);
|
||||||
|
free(clist->expirestr);
|
||||||
|
- free(clist->version);
|
||||||
|
free(clist->maxage);
|
||||||
|
|
||||||
|
*clist = *co; /* then store all the new data */
|
||||||
|
@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
|
||||||
|
c = calloc(1, sizeof(struct CookieInfo));
|
||||||
|
if(!c)
|
||||||
|
return NULL; /* failed to get memory */
|
||||||
|
- c->filename = strdup(file?file:"none"); /* copy the name just in case */
|
||||||
|
- if(!c->filename)
|
||||||
|
- goto fail; /* failed to get memory */
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
/* we got an already existing one, use that */
|
||||||
|
@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
|
||||||
|
CLONE(name);
|
||||||
|
CLONE(value);
|
||||||
|
CLONE(maxage);
|
||||||
|
- CLONE(version);
|
||||||
|
d->expires = src->expires;
|
||||||
|
d->tailmatch = src->tailmatch;
|
||||||
|
d->secure = src->secure;
|
||||||
|
@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
|
||||||
|
{
|
||||||
|
if(c) {
|
||||||
|
unsigned int i;
|
||||||
|
- free(c->filename);
|
||||||
|
for(i = 0; i < COOKIE_HASH_SIZE; i++)
|
||||||
|
Curl_cookie_freelist(c->cookies[i]);
|
||||||
|
free(c); /* free the base struct as well */
|
||||||
|
diff --git a/lib/cookie.h b/lib/cookie.h
|
||||||
|
index b3c0063b2cfb2..41e9e7a6914e0 100644
|
||||||
|
--- a/lib/cookie.h
|
||||||
|
+++ b/lib/cookie.h
|
||||||
|
@@ -36,11 +36,7 @@ struct Cookie {
|
||||||
|
curl_off_t expires; /* expires = <this> */
|
||||||
|
char *expirestr; /* the plain text version */
|
||||||
|
bool tailmatch; /* whether we do tail-matching of the domain name */
|
||||||
|
-
|
||||||
|
- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
|
||||||
|
- char *version; /* Version = <value> */
|
||||||
|
char *maxage; /* Max-Age = <value> */
|
||||||
|
-
|
||||||
|
bool secure; /* whether the 'secure' keyword was used */
|
||||||
|
bool livecookie; /* updated from a server, not a stored file */
|
||||||
|
bool httponly; /* true if the httponly directive is present */
|
||||||
|
@@ -56,15 +52,14 @@ struct Cookie {
|
||||||
|
int creationtime; /* time when the cookie was written */
|
||||||
|
};
|
||||||
|
|
||||||
|
-#define COOKIE_HASH_SIZE 256
|
||||||
|
+#define COOKIE_HASH_SIZE 63
|
||||||
|
|
||||||
|
struct CookieInfo {
|
||||||
|
/* linked list of cookies we know of */
|
||||||
|
struct Cookie *cookies[COOKIE_HASH_SIZE];
|
||||||
|
|
||||||
|
- char *filename; /* file we read from/write to */
|
||||||
|
bool running; /* state info, for cookie adding information */
|
||||||
|
- long numcookies; /* number of cookies in the "jar" */
|
||||||
|
+ int numcookies; /* number of cookies in the "jar" */
|
||||||
|
bool newsession; /* new session, discard session cookies on load */
|
||||||
|
int lastct; /* last creation-time used in the jar */
|
||||||
|
};
|
||||||
|
diff --git a/lib/easy.c b/lib/easy.c
|
||||||
|
index 16bbd35251d40..03195481f9780 100644
|
||||||
|
--- a/lib/easy.c
|
||||||
|
+++ b/lib/easy.c
|
||||||
|
@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
|
||||||
|
if(data->cookies) {
|
||||||
|
/* If cookies are enabled in the parent handle, we enable them
|
||||||
|
in the clone as well! */
|
||||||
|
- outcurl->cookies = Curl_cookie_init(data,
|
||||||
|
- data->cookies->filename,
|
||||||
|
- outcurl->cookies,
|
||||||
|
+ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
|
||||||
|
data->set.cookiesession);
|
||||||
|
if(!outcurl->cookies)
|
||||||
|
goto fail;
|
@ -0,0 +1,193 @@
|
|||||||
|
diff -up curl-7.61.1/lib/http2.c.25a25f45 curl-7.61.1/lib/http2.c
|
||||||
|
--- curl-7.61.1/lib/http2.c.25a25f45 2023-08-07 14:03:42.043463284 +0200
|
||||||
|
+++ curl-7.61.1/lib/http2.c 2023-08-07 14:10:24.769489855 +0200
|
||||||
|
@@ -1202,7 +1202,7 @@ CURLcode Curl_http2_request_upgrade(Curl
|
||||||
|
binlen = nghttp2_pack_settings_payload(binsettings, H2_BINSETTINGS_LEN,
|
||||||
|
httpc->local_settings,
|
||||||
|
httpc->local_settings_num);
|
||||||
|
- if(!binlen) {
|
||||||
|
+ if(binlen <= 0) {
|
||||||
|
failf(conn->data, "nghttp2 unexpectedly failed on pack_settings_payload");
|
||||||
|
Curl_add_buffer_free(req);
|
||||||
|
return CURLE_FAILED_INIT;
|
||||||
|
@@ -1285,6 +1285,14 @@ static int h2_process_pending_input(stru
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if(nghttp2_session_check_request_allowed(httpc->h2) == 0) {
|
||||||
|
+ /* No more requests are allowed in the current session, so
|
||||||
|
+ the connection may not be reused. This is set when a
|
||||||
|
+ GOAWAY frame has been received or when the limit of stream
|
||||||
|
+ identifiers has been reached. */
|
||||||
|
+ connclose(conn, "http/2: No new requests allowed");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if(should_close_session(httpc)) {
|
||||||
|
H2BUGF(infof(data,
|
||||||
|
"h2_process_pending_input: nothing to do in this session\n"));
|
||||||
|
@@ -1297,7 +1305,6 @@ static int h2_process_pending_input(stru
|
||||||
|
}
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1455,8 +1462,6 @@ static int h2_session_send(struct Curl_e
|
||||||
|
static ssize_t http2_recv(struct connectdata *conn, int sockindex,
|
||||||
|
char *mem, size_t len, CURLcode *err)
|
||||||
|
{
|
||||||
|
- CURLcode result = CURLE_OK;
|
||||||
|
- ssize_t rv;
|
||||||
|
ssize_t nread;
|
||||||
|
struct http_conn *httpc = &conn->proto.httpc;
|
||||||
|
struct Curl_easy *data = conn->data;
|
||||||
|
@@ -1519,8 +1524,7 @@ static ssize_t http2_recv(struct connect
|
||||||
|
/* We have paused nghttp2, but we have no pause data (see
|
||||||
|
on_data_chunk_recv). */
|
||||||
|
httpc->pause_stream_id = 0;
|
||||||
|
- if(h2_process_pending_input(conn, httpc, &result) != 0) {
|
||||||
|
- *err = result;
|
||||||
|
+ if(h2_process_pending_input(conn, httpc, err) != 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1549,8 +1553,7 @@ static ssize_t http2_recv(struct connect
|
||||||
|
frames, then we have to call it again with 0-length data.
|
||||||
|
Without this, on_stream_close callback will not be called,
|
||||||
|
and stream could be hanged. */
|
||||||
|
- if(h2_process_pending_input(conn, httpc, &result) != 0) {
|
||||||
|
- *err = result;
|
||||||
|
+ if(h2_process_pending_input(conn, httpc, err) != 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1573,7 +1576,6 @@ static ssize_t http2_recv(struct connect
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- char *inbuf;
|
||||||
|
/* remember where to store incoming data for this stream and how big the
|
||||||
|
buffer is */
|
||||||
|
stream->mem = mem;
|
||||||
|
@@ -1582,16 +1584,15 @@ static ssize_t http2_recv(struct connect
|
||||||
|
|
||||||
|
if(httpc->inbuflen == 0) {
|
||||||
|
nread = ((Curl_recv *)httpc->recv_underlying)(
|
||||||
|
- conn, FIRSTSOCKET, httpc->inbuf, H2_BUFSIZE, &result);
|
||||||
|
+ conn, FIRSTSOCKET, httpc->inbuf, H2_BUFSIZE, err);
|
||||||
|
|
||||||
|
if(nread == -1) {
|
||||||
|
- if(result != CURLE_AGAIN)
|
||||||
|
+ if(*err != CURLE_AGAIN)
|
||||||
|
failf(data, "Failed receiving HTTP2 data");
|
||||||
|
else if(stream->closed)
|
||||||
|
/* received when the stream was already closed! */
|
||||||
|
return http2_handle_stream_close(conn, data, stream, err);
|
||||||
|
|
||||||
|
- *err = result;
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1604,47 +1605,17 @@ static ssize_t http2_recv(struct connect
|
||||||
|
H2BUGF(infof(data, "nread=%zd\n", nread));
|
||||||
|
|
||||||
|
httpc->inbuflen = nread;
|
||||||
|
- inbuf = httpc->inbuf;
|
||||||
|
+
|
||||||
|
+ DEBUGASSERT(httpc->nread_inbuf == 0);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
nread = httpc->inbuflen - httpc->nread_inbuf;
|
||||||
|
- inbuf = httpc->inbuf + httpc->nread_inbuf;
|
||||||
|
-
|
||||||
|
+ (void)nread; /* silence warning, used in debug */
|
||||||
|
H2BUGF(infof(data, "Use data left in connection buffer, nread=%zd\n",
|
||||||
|
nread));
|
||||||
|
}
|
||||||
|
- rv = nghttp2_session_mem_recv(httpc->h2, (const uint8_t *)inbuf, nread);
|
||||||
|
-
|
||||||
|
- if(nghttp2_is_fatal((int)rv)) {
|
||||||
|
- failf(data, "nghttp2_session_mem_recv() returned %zd:%s\n",
|
||||||
|
- rv, nghttp2_strerror((int)rv));
|
||||||
|
- *err = CURLE_RECV_ERROR;
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
- H2BUGF(infof(data, "nghttp2_session_mem_recv() returns %zd\n", rv));
|
||||||
|
- if(nread == rv) {
|
||||||
|
- H2BUGF(infof(data, "All data in connection buffer processed\n"));
|
||||||
|
- httpc->inbuflen = 0;
|
||||||
|
- httpc->nread_inbuf = 0;
|
||||||
|
- }
|
||||||
|
- else {
|
||||||
|
- httpc->nread_inbuf += rv;
|
||||||
|
- H2BUGF(infof(data, "%zu bytes left in connection buffer\n",
|
||||||
|
- httpc->inbuflen - httpc->nread_inbuf));
|
||||||
|
- }
|
||||||
|
- /* Always send pending frames in nghttp2 session, because
|
||||||
|
- nghttp2_session_mem_recv() may queue new frame */
|
||||||
|
- rv = h2_session_send(data, httpc->h2);
|
||||||
|
- if(rv != 0) {
|
||||||
|
- *err = CURLE_SEND_ERROR;
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if(should_close_session(httpc)) {
|
||||||
|
- H2BUGF(infof(data, "http2_recv: nothing to do in this session\n"));
|
||||||
|
- *err = CURLE_HTTP2;
|
||||||
|
+ if(h2_process_pending_input(conn, httpc, err) != 0)
|
||||||
|
return -1;
|
||||||
|
- }
|
||||||
|
}
|
||||||
|
if(stream->memlen) {
|
||||||
|
ssize_t retlen = stream->memlen;
|
||||||
|
@@ -2108,7 +2079,6 @@ CURLcode Curl_http2_switched(struct conn
|
||||||
|
CURLcode result;
|
||||||
|
struct http_conn *httpc = &conn->proto.httpc;
|
||||||
|
int rv;
|
||||||
|
- ssize_t nproc;
|
||||||
|
struct Curl_easy *data = conn->data;
|
||||||
|
struct HTTP *stream = conn->data->req.protop;
|
||||||
|
|
||||||
|
@@ -2186,39 +2156,10 @@ CURLcode Curl_http2_switched(struct conn
|
||||||
|
memcpy(httpc->inbuf, mem, nread);
|
||||||
|
httpc->inbuflen = nread;
|
||||||
|
|
||||||
|
- nproc = nghttp2_session_mem_recv(httpc->h2, (const uint8_t *)httpc->inbuf,
|
||||||
|
- httpc->inbuflen);
|
||||||
|
+ DEBUGASSERT(httpc->nread_inbuf == 0);
|
||||||
|
|
||||||
|
- if(nghttp2_is_fatal((int)nproc)) {
|
||||||
|
- failf(data, "nghttp2_session_mem_recv() failed: %s(%d)",
|
||||||
|
- nghttp2_strerror((int)nproc), (int)nproc);
|
||||||
|
+ if(-1 == h2_process_pending_input(conn, httpc, &result))
|
||||||
|
return CURLE_HTTP2;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- H2BUGF(infof(data, "nghttp2_session_mem_recv() returns %zd\n", nproc));
|
||||||
|
-
|
||||||
|
- if((ssize_t)nread == nproc) {
|
||||||
|
- httpc->inbuflen = 0;
|
||||||
|
- httpc->nread_inbuf = 0;
|
||||||
|
- }
|
||||||
|
- else {
|
||||||
|
- httpc->nread_inbuf += nproc;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* Try to send some frames since we may read SETTINGS already. */
|
||||||
|
- rv = h2_session_send(data, httpc->h2);
|
||||||
|
-
|
||||||
|
- if(rv != 0) {
|
||||||
|
- failf(data, "nghttp2_session_send() failed: %s(%d)",
|
||||||
|
- nghttp2_strerror(rv), rv);
|
||||||
|
- return CURLE_HTTP2;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if(should_close_session(httpc)) {
|
||||||
|
- H2BUGF(infof(data,
|
||||||
|
- "nghttp2_session_send(): nothing to do in this session\n"));
|
||||||
|
- return CURLE_HTTP2;
|
||||||
|
- }
|
||||||
|
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
@ -0,0 +1,15 @@
|
|||||||
|
diff -up curl-7.61.1/lib/http2.c.c1b6a384 curl-7.61.1/lib/http2.c
|
||||||
|
--- curl-7.61.1/lib/http2.c.c1b6a384 2023-08-07 13:59:18.482137005 +0200
|
||||||
|
+++ curl-7.61.1/lib/http2.c 2023-08-07 14:03:42.043463284 +0200
|
||||||
|
@@ -1467,6 +1467,11 @@ static ssize_t http2_recv(struct connect
|
||||||
|
if(should_close_session(httpc)) {
|
||||||
|
H2BUGF(infof(data,
|
||||||
|
"http2_recv: nothing to do in this session\n"));
|
||||||
|
+ if(conn->bits.close) {
|
||||||
|
+ /* already marked for closure, return OK and we're done */
|
||||||
|
+ *err = CURLE_OK;
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
*err = CURLE_HTTP2;
|
||||||
|
return -1;
|
||||||
|
}
|
48
SOURCES/0059-curl-7.61.1-CVE-2023-46218.patch
Normal file
48
SOURCES/0059-curl-7.61.1-CVE-2023-46218.patch
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 23 Nov 2023 08:15:47 +0100
|
||||||
|
Subject: [PATCH] cookie: lowercase the domain names before PSL checks
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
|
||||||
|
Closes #12387
|
||||||
|
---
|
||||||
|
lib/cookie.c | 24 ++++++++++++++++--------
|
||||||
|
1 file changed, 16 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||||
|
index 568cf537ad1b1f..9095cea3e97f22 100644
|
||||||
|
--- a/lib/cookie.c
|
||||||
|
+++ b/lib/cookie.c
|
||||||
|
@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||||
|
#ifdef USE_LIBPSL
|
||||||
|
/* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
|
||||||
|
if(domain && co->domain && !isip(co->domain)) {
|
||||||
|
- const psl_ctx_t *psl = Curl_psl_use(data);
|
||||||
|
- int acceptable;
|
||||||
|
-
|
||||||
|
- if(psl) {
|
||||||
|
- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
|
||||||
|
- Curl_psl_release(data);
|
||||||
|
+ bool acceptable = FALSE;
|
||||||
|
+ char lcase[256];
|
||||||
|
+ char lcookie[256];
|
||||||
|
+ size_t dlen = strlen(domain);
|
||||||
|
+ size_t clen = strlen(co->domain);
|
||||||
|
+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
|
||||||
|
+ const psl_ctx_t *psl = Curl_psl_use(data);
|
||||||
|
+ if(psl) {
|
||||||
|
+ /* the PSL check requires lowercase domain name and pattern */
|
||||||
|
+ Curl_strntolower(lcase, domain, dlen + 1);
|
||||||
|
+ Curl_strntolower(lcookie, co->domain, clen + 1);
|
||||||
|
+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
|
||||||
|
+ Curl_psl_release(data);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ acceptable = !bad_domain(domain);
|
||||||
|
}
|
||||||
|
- else
|
||||||
|
- acceptable = !bad_domain(domain);
|
||||||
|
|
||||||
|
if(!acceptable) {
|
||||||
|
infof(data, "cookie '%s' dropped, domain '%s' must not "
|
136
SOURCES/0060-curl-7.61.1-lowercase-headernames.patch
Normal file
136
SOURCES/0060-curl-7.61.1-lowercase-headernames.patch
Normal file
@ -0,0 +1,136 @@
|
|||||||
|
From 0023fce38d3bd6ee0e9b6ff8708fee1195057846 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Barry Pollard <barry_pollard@hotmail.com>
|
||||||
|
Date: Sun, 22 Sep 2019 21:17:12 +0100
|
||||||
|
Subject: [PATCH] http: lowercase headernames for HTTP/2 and HTTP/3
|
||||||
|
|
||||||
|
Closes #4401
|
||||||
|
Fixes #4400
|
||||||
|
---
|
||||||
|
lib/strcase.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
lib/strcase.h | 2 ++
|
||||||
|
5 files changed, 95 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/strcase.c b/lib/strcase.c
|
||||||
|
index 24bcca932..098cec7a8 100644
|
||||||
|
--- a/lib/strcase.c
|
||||||
|
+++ b/lib/strcase.c
|
||||||
|
@@ -93,6 +93,75 @@ char Curl_raw_toupper(char in)
|
||||||
|
return in;
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
+/* Portable, consistent tolower (remember EBCDIC). Do not use tolower() because
|
||||||
|
+ its behavior is altered by the current locale. */
|
||||||
|
+char Curl_raw_tolower(char in)
|
||||||
|
+{
|
||||||
|
+#if !defined(CURL_DOES_CONVERSIONS)
|
||||||
|
+ if(in >= 'A' && in <= 'Z')
|
||||||
|
+ return (char)('a' + in - 'A');
|
||||||
|
+#else
|
||||||
|
+ switch(in) {
|
||||||
|
+ case 'A':
|
||||||
|
+ return 'a';
|
||||||
|
+ case 'B':
|
||||||
|
+ return 'b';
|
||||||
|
+ case 'C':
|
||||||
|
+ return 'c';
|
||||||
|
+ case 'D':
|
||||||
|
+ return 'd';
|
||||||
|
+ case 'E':
|
||||||
|
+ return 'e';
|
||||||
|
+ case 'F':
|
||||||
|
+ return 'f';
|
||||||
|
+ case 'G':
|
||||||
|
+ return 'g';
|
||||||
|
+ case 'H':
|
||||||
|
+ return 'h';
|
||||||
|
+ case 'I':
|
||||||
|
+ return 'i';
|
||||||
|
+ case 'J':
|
||||||
|
+ return 'j';
|
||||||
|
+ case 'K':
|
||||||
|
+ return 'k';
|
||||||
|
+ case 'L':
|
||||||
|
+ return 'l';
|
||||||
|
+ case 'M':
|
||||||
|
+ return 'm';
|
||||||
|
+ case 'N':
|
||||||
|
+ return 'n';
|
||||||
|
+ case 'O':
|
||||||
|
+ return 'o';
|
||||||
|
+ case 'P':
|
||||||
|
+ return 'p';
|
||||||
|
+ case 'Q':
|
||||||
|
+ return 'q';
|
||||||
|
+ case 'R':
|
||||||
|
+ return 'r';
|
||||||
|
+ case 'S':
|
||||||
|
+ return 's';
|
||||||
|
+ case 'T':
|
||||||
|
+ return 't';
|
||||||
|
+ case 'U':
|
||||||
|
+ return 'u';
|
||||||
|
+ case 'V':
|
||||||
|
+ return 'v';
|
||||||
|
+ case 'W':
|
||||||
|
+ return 'w';
|
||||||
|
+ case 'X':
|
||||||
|
+ return 'X';
|
||||||
|
+ case 'Y':
|
||||||
|
+ return 'y';
|
||||||
|
+ case 'Z':
|
||||||
|
+ return 'z';
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ return in;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Curl_strcasecompare() is for doing "raw" case insensitive strings. This is
|
||||||
|
* meant to be locale independent and only compare strings we know are safe
|
||||||
|
@@ -234,6 +303,21 @@ void Curl_strntoupper(char *dest, const char *src, size_t n)
|
||||||
|
} while(*src++ && --n);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Copy a lower case version of the string from src to dest. The
|
||||||
|
+ * strings may overlap. No more than n characters of the string are copied
|
||||||
|
+ * (including any NUL) and the destination string will NOT be
|
||||||
|
+ * NUL-terminated if that limit is reached.
|
||||||
|
+ */
|
||||||
|
+void Curl_strntolower(char *dest, const char *src, size_t n)
|
||||||
|
+{
|
||||||
|
+ if(n < 1)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ do {
|
||||||
|
+ *dest++ = Curl_raw_tolower(*src);
|
||||||
|
+ } while(*src++ && --n);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
||||||
|
* null pointers. Return true if arguments match.
|
||||||
|
*/
|
||||||
|
diff --git a/lib/strcase.h b/lib/strcase.h
|
||||||
|
index 6fee3840e..2f07a74c9 100644
|
||||||
|
--- a/lib/strcase.h
|
||||||
|
+++ b/lib/strcase.h
|
||||||
|
@@ -40,12 +40,14 @@ int Curl_safe_strcasecompare(const char *first, const char *second);
|
||||||
|
int Curl_strncasecompare(const char *first, const char *second, size_t max);
|
||||||
|
|
||||||
|
char Curl_raw_toupper(char in);
|
||||||
|
+char Curl_raw_tolower(char in);
|
||||||
|
|
||||||
|
/* checkprefix() is a shorter version of the above, used when the first
|
||||||
|
argument is zero-byte terminated */
|
||||||
|
#define checkprefix(a,b) curl_strnequal(a,b,strlen(a))
|
||||||
|
|
||||||
|
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
||||||
|
+void Curl_strntolower(char *dest, const char *src, size_t n);
|
||||||
|
|
||||||
|
bool Curl_safecmp(char *a, char *b);
|
||||||
|
int Curl_timestrcmp(const char *first, const char *second);
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
80
SOURCES/0061-curl-7.61.1-CVE-2024-2398.patch
Normal file
80
SOURCES/0061-curl-7.61.1-CVE-2024-2398.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stefan Eissing <stefan@eissing.org>
|
||||||
|
Date: Wed, 6 Mar 2024 09:36:08 +0100
|
||||||
|
Subject: [PATCH] http2: push headers better cleanup
|
||||||
|
|
||||||
|
- provide common cleanup method for push headers
|
||||||
|
|
||||||
|
Closes #13054
|
||||||
|
---
|
||||||
|
lib/http2.c | 34 +++++++++++++++-------------------
|
||||||
|
1 file changed, 15 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http2.c b/lib/http2.c
|
||||||
|
index c63ecd38371ab4..96868728a53a1f 100644
|
||||||
|
--- a/lib/http2.c
|
||||||
|
+++ b/lib/http2.c
|
||||||
|
@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
|
||||||
|
return http2_perform_getsock(conn, sock, numsocks);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void free_push_headers(struct HTTP *http)
|
||||||
|
+{
|
||||||
|
+ size_t i;
|
||||||
|
+ for(i = 0; i<http->push_headers_used; i++)
|
||||||
|
+ free(http->push_headers[i]);
|
||||||
|
+ Curl_safefree(http->push_headers);
|
||||||
|
+ http->push_headers_used = 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* http2_stream_free() free HTTP2 stream related data
|
||||||
|
*/
|
||||||
|
@@ -306,11 +315,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
|
||||||
|
http->header_recvbuf = NULL; /* clear the pointer */
|
||||||
|
Curl_add_buffer_free(http->trailer_recvbuf);
|
||||||
|
http->trailer_recvbuf = NULL; /* clear the pointer */
|
||||||
|
- for(; http->push_headers_used > 0; --http->push_headers_used) {
|
||||||
|
- free(http->push_headers[http->push_headers_used - 1]);
|
||||||
|
- }
|
||||||
|
- free(http->push_headers);
|
||||||
|
- http->push_headers = NULL;
|
||||||
|
+ free_push_headers(http);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf,
|
||||||
|
struct curl_pushheaders heads;
|
||||||
|
CURLMcode rc;
|
||||||
|
struct http_conn *httpc;
|
||||||
|
- size_t i;
|
||||||
|
/* clone the parent */
|
||||||
|
struct Curl_easy *newhandle = duphandle(data);
|
||||||
|
if(!newhandle) {
|
||||||
|
@@ -904,11 +904,7 @@ static int push_promise(struct Curl_cfilter *cf,
|
||||||
|
Curl_set_in_callback(data, false);
|
||||||
|
|
||||||
|
/* free the headers again */
|
||||||
|
- for(i = 0; i<stream->push_headers_used; i++)
|
||||||
|
- free(stream->push_headers[i]);
|
||||||
|
- free(stream->push_headers);
|
||||||
|
- stream->push_headers = NULL;
|
||||||
|
- stream->push_headers_used = 0;
|
||||||
|
+ free_push_headers(stream);
|
||||||
|
|
||||||
|
if(rv) {
|
||||||
|
/* denied, kill off the new handle again */
|
||||||
|
@@ -1426,10 +1422,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
|
||||||
|
stream->push_headers_alloc) {
|
||||||
|
char **headp;
|
||||||
|
stream->push_headers_alloc *= 2;
|
||||||
|
- headp = Curl_saferealloc(stream->push_headers,
|
||||||
|
- stream->push_headers_alloc * sizeof(char *));
|
||||||
|
+ headp = realloc(stream->push_headers,
|
||||||
|
+ stream->push_headers_alloc * sizeof(char *));
|
||||||
|
if(!headp) {
|
||||||
|
- stream->push_headers = NULL;
|
||||||
|
+ free_push_headers(stream);
|
||||||
|
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
|
||||||
|
}
|
||||||
|
stream->push_headers = headp;
|
@ -4,10 +4,10 @@ Date: Fri, 12 Apr 2013 12:04:05 +0200
|
|||||||
Subject: [PATCH] prevent multilib conflicts on the curl-config script
|
Subject: [PATCH] prevent multilib conflicts on the curl-config script
|
||||||
|
|
||||||
---
|
---
|
||||||
curl-config.in | 23 +++++------------------
|
curl-config.in | 21 +++------------------
|
||||||
docs/curl-config.1 | 4 +++-
|
docs/curl-config.1 | 4 +++-
|
||||||
libcurl.pc.in | 1 +
|
libcurl.pc.in | 1 +
|
||||||
3 files changed, 9 insertions(+), 19 deletions(-)
|
3 files changed, 7 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
diff --git a/curl-config.in b/curl-config.in
|
diff --git a/curl-config.in b/curl-config.in
|
||||||
index 150004d..95d0759 100644
|
index 150004d..95d0759 100644
|
||||||
@ -22,7 +22,7 @@ index 150004d..95d0759 100644
|
|||||||
;;
|
;;
|
||||||
|
|
||||||
--prefix)
|
--prefix)
|
||||||
@@ -155,32 +155,19 @@ while test $# -gt 0; do
|
@@ -143,32 +143,17 @@ while test $# -gt 0; do
|
||||||
;;
|
;;
|
||||||
|
|
||||||
--libs)
|
--libs)
|
||||||
@ -31,7 +31,7 @@ index 150004d..95d0759 100644
|
|||||||
- else
|
- else
|
||||||
- CURLLIBDIR=""
|
- CURLLIBDIR=""
|
||||||
- fi
|
- fi
|
||||||
- if test "X@ENABLE_SHARED@" = "Xno"; then
|
- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
|
||||||
- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
|
- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
|
||||||
- else
|
- else
|
||||||
- echo ${CURLLIBDIR}-lcurl
|
- echo ${CURLLIBDIR}-lcurl
|
||||||
@ -49,8 +49,6 @@ index 150004d..95d0759 100644
|
|||||||
- echo "curl was built with static libraries disabled" >&2
|
- echo "curl was built with static libraries disabled" >&2
|
||||||
- exit 1
|
- exit 1
|
||||||
- fi
|
- fi
|
||||||
+ echo "curl was built with static libraries disabled" >&2
|
|
||||||
+ exit 1
|
|
||||||
;;
|
;;
|
||||||
|
|
||||||
--configure)
|
--configure)
|
||||||
@ -85,7 +83,7 @@ index 2ba9c39..f8f8b00 100644
|
|||||||
+configure_options=@CONFIGURE_OPTIONS@
|
+configure_options=@CONFIGURE_OPTIONS@
|
||||||
|
|
||||||
Name: libcurl
|
Name: libcurl
|
||||||
URL: https://curl.se/
|
URL: https://curl.haxx.se/
|
||||||
--
|
--
|
||||||
2.26.2
|
2.5.0
|
||||||
|
|
||||||
|
@ -1,21 +1,21 @@
|
|||||||
From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
|
From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
Date: Wed, 31 Oct 2012 11:38:30 +0100
|
Date: Wed, 31 Oct 2012 11:38:30 +0100
|
||||||
Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
|
Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778)
|
||||||
(#496778)
|
|
||||||
|
|
||||||
---
|
---
|
||||||
m4/curl-compilers.m4 | 26 ++++++--------------------
|
configure | 13 +++----------
|
||||||
1 file changed, 6 insertions(+), 20 deletions(-)
|
m4/curl-compilers.m4 | 13 +++----------
|
||||||
|
2 files changed, 6 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
|
diff --git a/configure b/configure
|
||||||
index c64db4bc6..d115a4aed 100644
|
index 8f079a3..53b4774 100755
|
||||||
--- a/m4/curl-compilers.m4
|
--- a/configure
|
||||||
+++ b/m4/curl-compilers.m4
|
+++ b/configure
|
||||||
@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
|
@@ -16414,18 +16414,11 @@ $as_echo "yes" >&6; }
|
||||||
clangvhi=`echo $clangver | cut -d . -f1`
|
gccvhi=`echo $gccver | cut -d . -f1`
|
||||||
clangvlo=`echo $clangver | cut -d . -f2`
|
gccvlo=`echo $gccver | cut -d . -f2`
|
||||||
compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
|
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||||
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
|
- flags_dbg_all="-g -g0 -g1 -g2 -g3"
|
||||||
- flags_dbg_all="$flags_dbg_all -ggdb"
|
- flags_dbg_all="$flags_dbg_all -ggdb"
|
||||||
- flags_dbg_all="$flags_dbg_all -gstabs"
|
- flags_dbg_all="$flags_dbg_all -gstabs"
|
||||||
@ -27,14 +27,18 @@ index c64db4bc6..d115a4aed 100644
|
|||||||
+ flags_dbg_all=""
|
+ flags_dbg_all=""
|
||||||
flags_dbg_yes="-g"
|
flags_dbg_yes="-g"
|
||||||
flags_dbg_off=""
|
flags_dbg_off=""
|
||||||
- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
|
- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
|
||||||
- flags_opt_yes="-Os"
|
- flags_opt_yes="-O2"
|
||||||
+ flags_opt_all=""
|
+ flags_opt_all=""
|
||||||
+ flags_opt_yes=""
|
+ flags_opt_yes=""
|
||||||
flags_opt_off="-O0"
|
flags_opt_off="-O0"
|
||||||
else
|
|
||||||
AC_MSG_RESULT([no])
|
OLDCPPFLAGS=$CPPFLAGS
|
||||||
@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
|
diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
|
||||||
|
index 0cbba7a..9175b5b 100644
|
||||||
|
--- a/m4/curl-compilers.m4
|
||||||
|
+++ b/m4/curl-compilers.m4
|
||||||
|
@@ -157,18 +157,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
|
||||||
gccvhi=`echo $gccver | cut -d . -f1`
|
gccvhi=`echo $gccver | cut -d . -f1`
|
||||||
gccvlo=`echo $gccver | cut -d . -f2`
|
gccvlo=`echo $gccver | cut -d . -f2`
|
||||||
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
|
||||||
|
140
SOURCES/0103-curl-7.59.0-python3.patch
Normal file
140
SOURCES/0103-curl-7.59.0-python3.patch
Normal file
@ -0,0 +1,140 @@
|
|||||||
|
From bdba7b54224814055185513de1e7ff6619031553 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Thu, 15 Mar 2018 13:21:40 +0100
|
||||||
|
Subject: [PATCH 1/2] tests/http_pipe.py: migrate to Python 3
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/http_pipe.py | 4 ++--
|
||||||
|
tests/runtests.pl | 2 +-
|
||||||
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/http_pipe.py b/tests/http_pipe.py
|
||||||
|
index bc32173..75ac165 100755
|
||||||
|
--- a/tests/http_pipe.py
|
||||||
|
+++ b/tests/http_pipe.py
|
||||||
|
@@ -383,13 +383,13 @@ class PipelineRequestHandler(socketserver.BaseRequestHandler):
|
||||||
|
self.request.setblocking(True)
|
||||||
|
if not new_data:
|
||||||
|
return
|
||||||
|
- new_requests = self._request_parser.ParseAdditionalData(new_data)
|
||||||
|
+ new_requests = self._request_parser.ParseAdditionalData(new_data.decode('utf8'))
|
||||||
|
self._response_builder.QueueRequests(
|
||||||
|
new_requests, self._request_parser.were_all_requests_http_1_1)
|
||||||
|
self._num_queued += len(new_requests)
|
||||||
|
self._last_queued_time = time.time()
|
||||||
|
elif fileno in wlist:
|
||||||
|
- num_bytes_sent = self.request.send(self._send_buffer[0:4096])
|
||||||
|
+ num_bytes_sent = self.request.send(self._send_buffer[0:4096].encode('utf8'))
|
||||||
|
self._send_buffer = self._send_buffer[num_bytes_sent:]
|
||||||
|
time.sleep(0.05)
|
||||||
|
|
||||||
|
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
||||||
|
index d6aa5ca..4d395ef 100755
|
||||||
|
--- a/tests/runtests.pl
|
||||||
|
+++ b/tests/runtests.pl
|
||||||
|
@@ -1439,7 +1439,7 @@ sub runhttpserver {
|
||||||
|
elsif($alt eq "pipe") {
|
||||||
|
# basically the same, but another ID
|
||||||
|
$idnum = 3;
|
||||||
|
- $exe = "python $srcdir/http_pipe.py";
|
||||||
|
+ $exe = "python3 $srcdir/http_pipe.py";
|
||||||
|
$verbose_flag .= "1 ";
|
||||||
|
}
|
||||||
|
elsif($alt eq "unix") {
|
||||||
|
--
|
||||||
|
2.14.3
|
||||||
|
|
||||||
|
|
||||||
|
From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Thu, 15 Mar 2018 14:49:56 +0100
|
||||||
|
Subject: [PATCH 2/2] tests/{negtelnet,smb}server.py: migrate to Python 3
|
||||||
|
|
||||||
|
Unfortunately, smbserver.py does not work with Python 3 because
|
||||||
|
there is no 'impacket' module available for Python 3:
|
||||||
|
|
||||||
|
https://github.com/CoreSecurity/impacket/issues/61
|
||||||
|
---
|
||||||
|
tests/negtelnetserver.py | 12 ++++++------
|
||||||
|
tests/smbserver.py | 4 ++--
|
||||||
|
2 files changed, 8 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
|
||||||
|
index 8cfd409..72ee771 100755
|
||||||
|
--- a/tests/negtelnetserver.py
|
||||||
|
+++ b/tests/negtelnetserver.py
|
||||||
|
@@ -23,7 +23,7 @@ IDENT = "NTEL"
|
||||||
|
|
||||||
|
# The strings that indicate the test framework is checking our aliveness
|
||||||
|
VERIFIED_REQ = b"verifiedserver"
|
||||||
|
-VERIFIED_RSP = b"WE ROOLZ: {pid}"
|
||||||
|
+VERIFIED_RSP = "WE ROOLZ: {pid}"
|
||||||
|
|
||||||
|
|
||||||
|
def telnetserver(options):
|
||||||
|
@@ -34,7 +34,7 @@ def telnetserver(options):
|
||||||
|
if options.pidfile:
|
||||||
|
pid = os.getpid()
|
||||||
|
with open(options.pidfile, "w") as f:
|
||||||
|
- f.write(b"{0}".format(pid))
|
||||||
|
+ f.write("{0}".format(pid))
|
||||||
|
|
||||||
|
local_bind = (HOST, options.port)
|
||||||
|
log.info("Listening on %s", local_bind)
|
||||||
|
@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
|
||||||
|
response_data = VERIFIED_RSP.format(pid=os.getpid())
|
||||||
|
else:
|
||||||
|
log.debug("Received normal request - echoing back")
|
||||||
|
- response_data = data.strip()
|
||||||
|
+ response_data = data.decode('utf8').strip()
|
||||||
|
|
||||||
|
if response_data:
|
||||||
|
log.debug("Sending %r", response_data)
|
||||||
|
- self.request.sendall(response_data)
|
||||||
|
+ self.request.sendall(response_data.encode('utf8'))
|
||||||
|
|
||||||
|
except IOError:
|
||||||
|
log.exception("IOError hit during request")
|
||||||
|
@@ -132,7 +132,7 @@ class Negotiator(object):
|
||||||
|
return buffer
|
||||||
|
|
||||||
|
def byte_to_int(self, byte):
|
||||||
|
- return struct.unpack(b'B', byte)[0]
|
||||||
|
+ return int(byte)
|
||||||
|
|
||||||
|
def no_neg(self, byte, byte_int, buffer):
|
||||||
|
# Not negotiating anything thus far. Check to see if we
|
||||||
|
@@ -197,7 +197,7 @@ class Negotiator(object):
|
||||||
|
self.tcp.sendall(packed_message)
|
||||||
|
|
||||||
|
def pack(self, arr):
|
||||||
|
- return struct.pack(b'{0}B'.format(len(arr)), *arr)
|
||||||
|
+ return struct.pack('{0}B'.format(len(arr)), *arr)
|
||||||
|
|
||||||
|
def send_iac(self, arr):
|
||||||
|
message = [NegTokens.IAC]
|
||||||
|
diff --git a/tests/smbserver.py b/tests/smbserver.py
|
||||||
|
index 195ae39..b09cd44 100755
|
||||||
|
--- a/tests/smbserver.py
|
||||||
|
+++ b/tests/smbserver.py
|
||||||
|
@@ -24,7 +24,7 @@
|
||||||
|
from __future__ import (absolute_import, division, print_function)
|
||||||
|
# unicode_literals)
|
||||||
|
import argparse
|
||||||
|
-import ConfigParser
|
||||||
|
+import configparser
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
import logging
|
||||||
|
@@ -58,7 +58,7 @@ def smbserver(options):
|
||||||
|
f.write("{0}".format(pid))
|
||||||
|
|
||||||
|
# Here we write a mini config for the server
|
||||||
|
- smb_config = ConfigParser.ConfigParser()
|
||||||
|
+ smb_config = configparser.ConfigParser()
|
||||||
|
smb_config.add_section("global")
|
||||||
|
smb_config.set("global", "server_name", "SERVICE")
|
||||||
|
smb_config.set("global", "server_os", "UNIX")
|
||||||
|
--
|
||||||
|
2.14.3
|
||||||
|
|
51
SOURCES/0104-curl-7.19.7-localhost6.patch
Normal file
51
SOURCES/0104-curl-7.19.7-localhost6.patch
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
diff --git a/tests/data/test1083 b/tests/data/test1083
|
||||||
|
index e441278..b0958b6 100644
|
||||||
|
--- a/tests/data/test1083
|
||||||
|
+++ b/tests/data/test1083
|
||||||
|
@@ -33,13 +33,13 @@ ipv6
|
||||||
|
http-ipv6
|
||||||
|
</server>
|
||||||
|
<name>
|
||||||
|
-HTTP-IPv6 GET with ip6-localhost --interface
|
||||||
|
+HTTP-IPv6 GET with localhost6 --interface
|
||||||
|
</name>
|
||||||
|
<command>
|
||||||
|
--g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost
|
||||||
|
+-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
|
||||||
|
</command>
|
||||||
|
<precheck>
|
||||||
|
-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
|
||||||
|
+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
|
||||||
|
</precheck>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
diff --git a/tests/data/test241 b/tests/data/test241
|
||||||
|
index 46eae1f..4e1632c 100644
|
||||||
|
--- a/tests/data/test241
|
||||||
|
+++ b/tests/data/test241
|
||||||
|
@@ -30,13 +30,13 @@ ipv6
|
||||||
|
http-ipv6
|
||||||
|
</server>
|
||||||
|
<name>
|
||||||
|
-HTTP-IPv6 GET (using ip6-localhost)
|
||||||
|
+HTTP-IPv6 GET (using localhost6)
|
||||||
|
</name>
|
||||||
|
<command>
|
||||||
|
--g "http://ip6-localhost:%HTTP6PORT/241"
|
||||||
|
+-g "http://localhost6:%HTTP6PORT/241"
|
||||||
|
</command>
|
||||||
|
<precheck>
|
||||||
|
-./server/resolve --ipv6 ip6-localhost
|
||||||
|
+./server/resolve --ipv6 localhost6
|
||||||
|
</precheck>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost)
|
||||||
|
</strip>
|
||||||
|
<protocol>
|
||||||
|
GET /241 HTTP/1.1
|
||||||
|
-Host: ip6-localhost:%HTTP6PORT
|
||||||
|
+Host: localhost6:%HTTP6PORT
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
|
</protocol>
|
71
SOURCES/0105-curl-7.61.1-test-ports.patch
Normal file
71
SOURCES/0105-curl-7.61.1-test-ports.patch
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
From e6507a9abbfd4ac93ea3053c8f3385a2405f19d8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Fri, 29 Jan 2021 11:34:49 +0100
|
||||||
|
Subject: [PATCH] tests: do not hard-wire ports of test servers
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/data/test1448 | 4 ++--
|
||||||
|
tests/data/test651 | 2 +-
|
||||||
|
tests/data/test653 | 4 ++--
|
||||||
|
3 files changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/test1448 b/tests/data/test1448
|
||||||
|
index e04f47b..5022ef9 100644
|
||||||
|
--- a/tests/data/test1448
|
||||||
|
+++ b/tests/data/test1448
|
||||||
|
@@ -17,7 +17,7 @@ HTTP/1.1 302 OK swsbounce
|
||||||
|
Date: Thu, 09 Nov 2010 14:49:00 GMT
|
||||||
|
Content-Length: 9
|
||||||
|
Content-Type: text/plain
|
||||||
|
-Location: http://åäö.se:8990/14480001
|
||||||
|
+Location: http://åäö.se:%HTTPPORT/14480001
|
||||||
|
|
||||||
|
redirect
|
||||||
|
</data>
|
||||||
|
@@ -52,7 +52,7 @@ Redirect following to UTF-8 IDN host name
|
||||||
|
</name>
|
||||||
|
|
||||||
|
<command>
|
||||||
|
-http://åäö.se:%HTTPPORT/1448 --resolve xn--4cab6c.se:%HTTPPORT:%HOSTIP -L --connect-to %HOSTIP:8990:%HOSTIP:%HTTPPORT
|
||||||
|
+http://åäö.se:%HTTPPORT/1448 --resolve xn--4cab6c.se:%HTTPPORT:%HOSTIP -L --connect-to %HOSTIP:%HTTPPORT:%HOSTIP:%HTTPPORT
|
||||||
|
</command>
|
||||||
|
</client>
|
||||||
|
|
||||||
|
diff --git a/tests/data/test651 b/tests/data/test651
|
||||||
|
index b00ca5d..8d47c9f 100644
|
||||||
|
--- a/tests/data/test651
|
||||||
|
+++ b/tests/data/test651
|
||||||
|
@@ -57,7 +57,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
|
||||||
|
# (5*12) == 60 bytes less
|
||||||
|
<protocol>
|
||||||
|
POST /651 HTTP/1.1
|
||||||
|
-Host: 127.0.0.1:8990
|
||||||
|
+Host: 127.0.0.1:%HTTPPORT
|
||||||
|
Accept: */*
|
||||||
|
Content-Length: 17139
|
||||||
|
Content-Type: multipart/form-data; boundary=----------------------------
|
||||||
|
diff --git a/tests/data/test653 b/tests/data/test653
|
||||||
|
index d620b57..492d551 100644
|
||||||
|
--- a/tests/data/test653
|
||||||
|
+++ b/tests/data/test653
|
||||||
|
@@ -67,7 +67,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=--------------------------
|
||||||
|
# (5*12) == 60 bytes less
|
||||||
|
<protocol>
|
||||||
|
POST /653 HTTP/1.1
|
||||||
|
-Host: 127.0.0.1:8990
|
||||||
|
+Host: 127.0.0.1:%HTTPPORT
|
||||||
|
Accept: */*
|
||||||
|
Content-Length: 150
|
||||||
|
Content-Type: multipart/form-data; boundary=----------------------------
|
||||||
|
@@ -78,7 +78,7 @@ Content-Disposition: form-data; name="name"
|
||||||
|
short value
|
||||||
|
--------------------------------
|
||||||
|
POST /653 HTTP/1.1
|
||||||
|
-Host: 127.0.0.1:8990
|
||||||
|
+Host: 127.0.0.1:%HTTPPORT
|
||||||
|
Accept: */*
|
||||||
|
Content-Length: 167
|
||||||
|
Content-Type: multipart/form-data; boundary=----------------------------
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -1,39 +0,0 @@
|
|||||||
From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kamil Dudka <kdudka@redhat.com>
|
|
||||||
Date: Mon, 4 Feb 2019 17:32:56 +0100
|
|
||||||
Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
|
|
||||||
|
|
||||||
... to prevent valgrind from reporting false positives on x86_64:
|
|
||||||
|
|
||||||
Conditional jump or move depends on uninitialised value(s)
|
|
||||||
at 0x10BCAA: part2id (lib1560.c:489)
|
|
||||||
by 0x10BCAA: updateurl (lib1560.c:521)
|
|
||||||
by 0x10BCAA: set_parts (lib1560.c:630)
|
|
||||||
by 0x10BCAA: test (lib1560.c:802)
|
|
||||||
by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
|
|
||||||
|
|
||||||
Conditional jump or move depends on uninitialised value(s)
|
|
||||||
at 0x10BCC3: part2id (lib1560.c:491)
|
|
||||||
by 0x10BCC3: updateurl (lib1560.c:521)
|
|
||||||
by 0x10BCC3: set_parts (lib1560.c:630)
|
|
||||||
by 0x10BCC3: test (lib1560.c:802)
|
|
||||||
by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
|
|
||||||
---
|
|
||||||
tests/libtest/Makefile.inc | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
|
|
||||||
index 080421b..ea3b806 100644
|
|
||||||
--- a/tests/libtest/Makefile.inc
|
|
||||||
+++ b/tests/libtest/Makefile.inc
|
|
||||||
@@ -593,6 +593,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
|
||||||
lib1559_LDADD = $(TESTUTIL_LIBS)
|
|
||||||
|
|
||||||
lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
|
||||||
+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
|
|
||||||
lib1560_LDADD = $(TESTUTIL_LIBS)
|
|
||||||
|
|
||||||
lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
|
|
||||||
--
|
|
||||||
2.17.2
|
|
||||||
|
|
751
SPECS/curl.spec
751
SPECS/curl.spec
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user