diff --git a/SOURCES/0001-Use-system-copy-of-effective_tld_names.dat.patch b/SOURCES/0001-Use-system-copy-of-effective_tld_names.dat.patch index 938cbc6..a647334 100644 --- a/SOURCES/0001-Use-system-copy-of-effective_tld_names.dat.patch +++ b/SOURCES/0001-Use-system-copy-of-effective_tld_names.dat.patch @@ -1,14 +1,14 @@ -From 3514ce0f38dddafd052d76e6a0da9bbb862ff8a4 Mon Sep 17 00:00:00 2001 +From 46c89afa0fc522c1f6906a72f505ee16f36d2360 Mon Sep 17 00:00:00 2001 From: Mikolaj Izdebski Date: Tue, 20 Jan 2015 16:04:31 +0100 -Subject: [PATCH] Use system copy of effective_tld_names.dat +Subject: [PATCH 1/2] Use system copy of effective_tld_names.dat --- - .../java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java | 7 +++---- + .../apache/http/conn/util/PublicSuffixMatcherLoader.java | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/httpclient/src/main/java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java b/httpclient/src/main/java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java -index 8783c5b..c858220 100644 +index 8783c5b96..c858220bf 100644 --- a/httpclient/src/main/java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java +++ b/httpclient/src/main/java/org/apache/http/conn/util/PublicSuffixMatcherLoader.java @@ -82,11 +82,10 @@ public final class PublicSuffixMatcherLoader { @@ -27,5 +27,5 @@ index 8783c5b..c858220 100644 // Should never happen final Log log = LogFactory.getLog(PublicSuffixMatcherLoader.class); -- -2.9.3 +2.31.1 diff --git a/SOURCES/0002-Incorrect-handling-of-malformed-authority-component-.patch b/SOURCES/0002-Incorrect-handling-of-malformed-authority-component-.patch new file mode 100644 index 0000000..f7139b9 --- /dev/null +++ b/SOURCES/0002-Incorrect-handling-of-malformed-authority-component-.patch @@ -0,0 +1,126 @@ +From 11ce5ceabac935674a95da3ee56cd94a70c626a3 Mon Sep 17 00:00:00 2001 +From: Oleg Kalnichevski +Date: Tue, 29 Sep 2020 09:37:38 +0200 +Subject: [PATCH 2/2] Incorrect handling of malformed authority component by + URIUtils#extractHost + +--- + .../apache/http/client/utils/URIUtils.java | 69 ++++++++----------- + .../http/client/utils/TestURIUtils.java | 6 +- + 2 files changed, 32 insertions(+), 43 deletions(-) + +diff --git a/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java b/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java +index 02f8c1ae9..7cbad777c 100644 +--- a/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java ++++ b/httpclient/src/main/java/org/apache/http/client/utils/URIUtils.java +@@ -334,56 +334,43 @@ public class URIUtils { + if (uri == null) { + return null; + } +- HttpHost target = null; + if (uri.isAbsolute()) { +- int port = uri.getPort(); // may be overridden later +- String host = uri.getHost(); +- if (host == null) { // normal parse failed; let's do it ourselves ++ if (uri.getHost() == null) { // normal parse failed; let's do it ourselves + // authority does not seem to care about the valid character-set for host names +- host = uri.getAuthority(); +- if (host != null) { ++ if (uri.getAuthority() != null) { ++ String content = uri.getAuthority(); + // Strip off any leading user credentials +- final int at = host.indexOf('@'); +- if (at >= 0) { +- if (host.length() > at+1 ) { +- host = host.substring(at+1); +- } else { +- host = null; // @ on its own +- } ++ int at = content.indexOf('@'); ++ if (at != -1) { ++ content = content.substring(at + 1); + } +- // Extract the port suffix, if present +- if (host != null) { +- final int colon = host.indexOf(':'); +- if (colon >= 0) { +- final int pos = colon + 1; +- int len = 0; +- for (int i = pos; i < host.length(); i++) { +- if (Character.isDigit(host.charAt(i))) { +- len++; +- } else { +- break; +- } +- } +- if (len > 0) { +- try { +- port = Integer.parseInt(host.substring(pos, pos + len)); +- } catch (final NumberFormatException ex) { +- } +- } +- host = host.substring(0, colon); ++ final String scheme = uri.getScheme(); ++ final String hostname; ++ final int port; ++ at = content.indexOf(":"); ++ if (at != -1) { ++ hostname = content.substring(0, at); ++ try { ++ final String portText = content.substring(at + 1); ++ port = !TextUtils.isEmpty(portText) ? Integer.parseInt(portText) : -1; ++ } catch (final NumberFormatException ex) { ++ return null; + } ++ } else { ++ hostname = content; ++ port = -1; ++ } ++ try { ++ return new HttpHost(hostname, port, scheme); ++ } catch (final IllegalArgumentException ex) { ++ return null; + } + } +- } +- final String scheme = uri.getScheme(); +- if (!TextUtils.isBlank(host)) { +- try { +- target = new HttpHost(host, port, scheme); +- } catch (final IllegalArgumentException ignore) { +- } ++ } else { ++ return new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme()); + } + } +- return target; ++ return null; + } + + /** +diff --git a/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java b/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java +index e33477fce..8da6a26b2 100644 +--- a/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java ++++ b/httpclient/src/test/java/org/apache/http/client/utils/TestURIUtils.java +@@ -256,14 +256,16 @@ public class TestURIUtils { + + Assert.assertEquals(new HttpHost("localhost",8080), + URIUtils.extractHost(new URI("http://localhost:8080/;sessionid=stuff/abcd"))); +- Assert.assertEquals(new HttpHost("localhost",8080), ++ Assert.assertEquals(null, + URIUtils.extractHost(new URI("http://localhost:8080;sessionid=stuff/abcd"))); +- Assert.assertEquals(new HttpHost("localhost",-1), ++ Assert.assertEquals(null, + URIUtils.extractHost(new URI("http://localhost:;sessionid=stuff/abcd"))); + Assert.assertEquals(null, + URIUtils.extractHost(new URI("http://:80/robots.txt"))); + Assert.assertEquals(null, + URIUtils.extractHost(new URI("http://some%20domain:80/robots.txt"))); ++ Assert.assertEquals(null, ++ URIUtils.extractHost(new URI("http://blah@goggle.com:80@google.com/"))); + } + + @Test +-- +2.31.1 + diff --git a/SPECS/httpcomponents-client.spec b/SPECS/httpcomponents-client.spec index 6824b7b..ca084cc 100644 --- a/SPECS/httpcomponents-client.spec +++ b/SPECS/httpcomponents-client.spec @@ -4,12 +4,13 @@ Name: httpcomponents-client Summary: HTTP agent implementation based on httpcomponents HttpCore Version: 4.5.5 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 URL: http://hc.apache.org/ Source0: http://www.apache.org/dist/httpcomponents/httpclient/source/%{name}-%{version}-src.tar.gz Patch0: 0001-Use-system-copy-of-effective_tld_names.dat.patch +Patch1: 0002-Incorrect-handling-of-malformed-authority-component-.patch BuildArch: noarch @@ -58,6 +59,7 @@ Summary: API documentation for %{name} %prep %setup -q -n %{name}-%{version} %patch0 -p1 +%patch1 -p1 %mvn_package :httpclient-cache cache @@ -185,6 +187,10 @@ rm -r httpclient-cache/src/*/java/org/apache/http/impl/client/cache/ehcache %doc LICENSE.txt NOTICE.txt %changelog +* Sat Sep 25 2021 Mikolaj Izdebski - 4.5.5-5 +- Fix incorrect handling of malformed authority component in request URIs +- Resolves: CVE-2020-13956 + * Mon Mar 19 2018 Michael Simacek - 4.5.5-4 - Fix FTBFS (weak crypto in test data)