You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
635 lines
15 KiB
635 lines
15 KiB
From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001 |
|
From: Daniel Stenberg <daniel@haxx.se> |
|
Date: Mon, 25 Apr 2022 16:24:33 +0200 |
|
Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct |
|
|
|
To make it available after the connection ended. |
|
|
|
Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839 |
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
lib/connect.c | 1 + |
|
lib/urldata.h | 6 +++++- |
|
2 files changed, 6 insertions(+), 1 deletion(-) |
|
|
|
diff --git a/lib/connect.c b/lib/connect.c |
|
index 64f9511..7518807 100644 |
|
--- a/lib/connect.c |
|
+++ b/lib/connect.c |
|
@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, |
|
data->info.conn_scheme = conn->handler->scheme; |
|
data->info.conn_protocol = conn->handler->protocol; |
|
data->info.conn_primary_port = conn->port; |
|
+ data->info.conn_remote_port = conn->remote_port; |
|
data->info.conn_local_port = local_port; |
|
} |
|
|
|
diff --git a/lib/urldata.h b/lib/urldata.h |
|
index f92052a..5218f76 100644 |
|
--- a/lib/urldata.h |
|
+++ b/lib/urldata.h |
|
@@ -1167,7 +1167,11 @@ struct PureInfo { |
|
reused, in the connection cache. */ |
|
|
|
char conn_primary_ip[MAX_IPADR_LEN]; |
|
- int conn_primary_port; |
|
+ int conn_primary_port; /* this is the destination port to the connection, |
|
+ which might have been a proxy */ |
|
+ int conn_remote_port; /* this is the "remote port", which is the port |
|
+ number of the used URL, independent of proxy or |
|
+ not */ |
|
char conn_local_ip[MAX_IPADR_LEN]; |
|
int conn_local_port; |
|
const char *conn_scheme; |
|
-- |
|
2.34.1 |
|
|
|
|
|
From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001 |
|
From: Daniel Stenberg <daniel@haxx.se> |
|
Date: Mon, 25 Apr 2022 16:24:33 +0200 |
|
Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear |
|
auth |
|
|
|
... unless explicitly permitted. |
|
|
|
Bug: https://curl.se/docs/CVE-2022-27774.html |
|
Reported-by: Harry Sintonen |
|
Closes #8748 |
|
|
|
Upstream-commit: 620ea21410030a9977396b4661806bc187231b79 |
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- |
|
1 file changed, 48 insertions(+), 1 deletion(-) |
|
|
|
diff --git a/lib/transfer.c b/lib/transfer.c |
|
index 1f8019b..752fe14 100644 |
|
--- a/lib/transfer.c |
|
+++ b/lib/transfer.c |
|
@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data, |
|
return CURLE_OUT_OF_MEMORY; |
|
} |
|
else { |
|
- |
|
uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); |
|
if(uc) |
|
return Curl_uc_to_curlcode(uc); |
|
+ |
|
+ /* Clear auth if this redirects to a different port number or protocol, |
|
+ unless permitted */ |
|
+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { |
|
+ char *portnum; |
|
+ int port; |
|
+ bool clear = FALSE; |
|
+ |
|
+ if(data->set.use_port && data->state.allow_port) |
|
+ /* a custom port is used */ |
|
+ port = (int)data->set.use_port; |
|
+ else { |
|
+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, |
|
+ CURLU_DEFAULT_PORT); |
|
+ if(uc) { |
|
+ free(newurl); |
|
+ return Curl_uc_to_curlcode(uc); |
|
+ } |
|
+ port = atoi(portnum); |
|
+ free(portnum); |
|
+ } |
|
+ if(port != data->info.conn_remote_port) { |
|
+ infof(data, "Clear auth, redirects to port from %u to %u", |
|
+ data->info.conn_remote_port, port); |
|
+ clear = TRUE; |
|
+ } |
|
+ else { |
|
+ char *scheme; |
|
+ const struct Curl_handler *p; |
|
+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); |
|
+ if(uc) { |
|
+ free(newurl); |
|
+ return Curl_uc_to_curlcode(uc); |
|
+ } |
|
+ |
|
+ p = Curl_builtin_scheme(scheme); |
|
+ if(p && (p->protocol != data->info.conn_protocol)) { |
|
+ infof(data, "Clear auth, redirects scheme from %s to %s", |
|
+ data->info.conn_scheme, scheme); |
|
+ clear = TRUE; |
|
+ } |
|
+ free(scheme); |
|
+ } |
|
+ if(clear) { |
|
+ Curl_safefree(data->state.aptr.user); |
|
+ Curl_safefree(data->state.aptr.passwd); |
|
+ } |
|
+ } |
|
} |
|
|
|
if(type == FOLLOW_FAKE) { |
|
-- |
|
2.34.1 |
|
|
|
|
|
From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001 |
|
From: Daniel Stenberg <daniel@haxx.se> |
|
Date: Mon, 25 Apr 2022 16:24:33 +0200 |
|
Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774 |
|
|
|
- Test 973 redirects from HTTP to FTP, clear auth |
|
- Test 974 redirects from HTTP to HTTP different port, clear auth |
|
- Test 975 redirects from HTTP to FTP, permitted to keep auth |
|
- Test 976 redirects from HTTP to HTTP different port, permitted to keep |
|
auth |
|
|
|
Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8 |
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
tests/data/Makefile.inc | 1 + |
|
tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++ |
|
tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++ |
|
tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++ |
|
tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++ |
|
5 files changed, 352 insertions(+) |
|
create mode 100644 tests/data/test973 |
|
create mode 100644 tests/data/test974 |
|
create mode 100644 tests/data/test975 |
|
create mode 100644 tests/data/test976 |
|
|
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc |
|
index 7ae2cf8..175fc43 100644 |
|
--- a/tests/data/Makefile.inc |
|
+++ b/tests/data/Makefile.inc |
|
@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \ |
|
test945 test946 test947 test948 test949 test950 test951 test952 test953 \ |
|
test954 test955 test956 test957 test958 test959 test960 test961 test962 \ |
|
test963 test964 test965 test966 test967 test968 test969 test970 test971 \ |
|
+test973 test974 test975 test976 \ |
|
\ |
|
test980 test981 test982 test983 test984 test985 test986 \ |
|
\ |
|
diff --git a/tests/data/test973 b/tests/data/test973 |
|
new file mode 100644 |
|
index 0000000..6ced107 |
|
--- /dev/null |
|
+++ b/tests/data/test973 |
|
@@ -0,0 +1,88 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+HTTP |
|
+FTP |
|
+--location |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# |
|
+# Server-side |
|
+<reply> |
|
+<data> |
|
+HTTP/1.1 301 redirect |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 0 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 |
|
+ |
|
+</data> |
|
+<data2> |
|
+data |
|
+ to |
|
+ see |
|
+that FTP |
|
+works |
|
+ so does it? |
|
+</data2> |
|
+ |
|
+<datacheck> |
|
+HTTP/1.1 301 redirect |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 0 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 |
|
+ |
|
+data |
|
+ to |
|
+ see |
|
+that FTP |
|
+works |
|
+ so does it? |
|
+</datacheck> |
|
+ |
|
+</reply> |
|
+ |
|
+# |
|
+# Client-side |
|
+<client> |
|
+<server> |
|
+http |
|
+ftp |
|
+</server> |
|
+ <name> |
|
+HTTP with auth redirected to FTP w/o auth |
|
+ </name> |
|
+ <command> |
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret |
|
+</command> |
|
+</client> |
|
+ |
|
+# |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+<protocol> |
|
+GET /%TESTNUMBER HTTP/1.1 |
|
+Host: %HOSTIP:%HTTPPORT |
|
+Authorization: Basic am9lOnNlY3JldA== |
|
+User-Agent: curl/%VERSION |
|
+Accept: */* |
|
+ |
|
+USER anonymous |
|
+PASS ftp@example.com |
|
+PWD |
|
+CWD a |
|
+CWD path |
|
+EPSV |
|
+TYPE I |
|
+SIZE %TESTNUMBER0002 |
|
+RETR %TESTNUMBER0002 |
|
+QUIT |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
diff --git a/tests/data/test974 b/tests/data/test974 |
|
new file mode 100644 |
|
index 0000000..ac4e641 |
|
--- /dev/null |
|
+++ b/tests/data/test974 |
|
@@ -0,0 +1,87 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+HTTP |
|
+--location |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# |
|
+# Server-side |
|
+<reply> |
|
+<data> |
|
+HTTP/1.1 301 redirect |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 0 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 |
|
+ |
|
+</data> |
|
+<data2> |
|
+HTTP/1.1 200 OK |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 4 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+ |
|
+hey |
|
+</data2> |
|
+ |
|
+<datacheck> |
|
+HTTP/1.1 301 redirect |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 0 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 |
|
+ |
|
+HTTP/1.1 200 OK |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 4 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+ |
|
+hey |
|
+</datacheck> |
|
+ |
|
+</reply> |
|
+ |
|
+# |
|
+# Client-side |
|
+<client> |
|
+<server> |
|
+http |
|
+</server> |
|
+ <name> |
|
+HTTP with auth redirected to HTTP on a diff port w/o auth |
|
+ </name> |
|
+ <command> |
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret |
|
+</command> |
|
+</client> |
|
+ |
|
+# |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+<protocol> |
|
+GET http://firsthost.com/ HTTP/1.1 |
|
+Host: firsthost.com |
|
+Authorization: Basic am9lOnNlY3JldA== |
|
+User-Agent: curl/%VERSION |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+ |
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 |
|
+Host: firsthost.com:9999 |
|
+User-Agent: curl/%VERSION |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+ |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
diff --git a/tests/data/test975 b/tests/data/test975 |
|
new file mode 100644 |
|
index 0000000..85e03e4 |
|
--- /dev/null |
|
+++ b/tests/data/test975 |
|
@@ -0,0 +1,88 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+HTTP |
|
+FTP |
|
+--location-trusted |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# |
|
+# Server-side |
|
+<reply> |
|
+<data> |
|
+HTTP/1.1 301 redirect |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 0 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 |
|
+ |
|
+</data> |
|
+<data2> |
|
+data |
|
+ to |
|
+ see |
|
+that FTP |
|
+works |
|
+ so does it? |
|
+</data2> |
|
+ |
|
+<datacheck> |
|
+HTTP/1.1 301 redirect |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 0 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 |
|
+ |
|
+data |
|
+ to |
|
+ see |
|
+that FTP |
|
+works |
|
+ so does it? |
|
+</datacheck> |
|
+ |
|
+</reply> |
|
+ |
|
+# |
|
+# Client-side |
|
+<client> |
|
+<server> |
|
+http |
|
+ftp |
|
+</server> |
|
+ <name> |
|
+HTTP with auth redirected to FTP allowing auth to continue |
|
+ </name> |
|
+ <command> |
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret |
|
+</command> |
|
+</client> |
|
+ |
|
+# |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+<protocol> |
|
+GET /%TESTNUMBER HTTP/1.1 |
|
+Host: %HOSTIP:%HTTPPORT |
|
+Authorization: Basic am9lOnNlY3JldA== |
|
+User-Agent: curl/%VERSION |
|
+Accept: */* |
|
+ |
|
+USER joe |
|
+PASS secret |
|
+PWD |
|
+CWD a |
|
+CWD path |
|
+EPSV |
|
+TYPE I |
|
+SIZE %TESTNUMBER0002 |
|
+RETR %TESTNUMBER0002 |
|
+QUIT |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
diff --git a/tests/data/test976 b/tests/data/test976 |
|
new file mode 100644 |
|
index 0000000..c4dd61e |
|
--- /dev/null |
|
+++ b/tests/data/test976 |
|
@@ -0,0 +1,88 @@ |
|
+<testcase> |
|
+<info> |
|
+<keywords> |
|
+HTTP |
|
+--location-trusted |
|
+</keywords> |
|
+</info> |
|
+ |
|
+# |
|
+# Server-side |
|
+<reply> |
|
+<data> |
|
+HTTP/1.1 301 redirect |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 0 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 |
|
+ |
|
+</data> |
|
+<data2> |
|
+HTTP/1.1 200 OK |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 4 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+ |
|
+hey |
|
+</data2> |
|
+ |
|
+<datacheck> |
|
+HTTP/1.1 301 redirect |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 0 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 |
|
+ |
|
+HTTP/1.1 200 OK |
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT |
|
+Server: test-server/fake |
|
+Content-Length: 4 |
|
+Connection: close |
|
+Content-Type: text/html |
|
+ |
|
+hey |
|
+</datacheck> |
|
+ |
|
+</reply> |
|
+ |
|
+# |
|
+# Client-side |
|
+<client> |
|
+<server> |
|
+http |
|
+</server> |
|
+ <name> |
|
+HTTP with auth redirected to HTTP on a diff port --location-trusted |
|
+ </name> |
|
+ <command> |
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret |
|
+</command> |
|
+</client> |
|
+ |
|
+# |
|
+# Verify data after the test has been "shot" |
|
+<verify> |
|
+<protocol> |
|
+GET http://firsthost.com/ HTTP/1.1 |
|
+Host: firsthost.com |
|
+Authorization: Basic am9lOnNlY3JldA== |
|
+User-Agent: curl/%VERSION |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+ |
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 |
|
+Host: firsthost.com:9999 |
|
+Authorization: Basic am9lOnNlY3JldA== |
|
+User-Agent: curl/%VERSION |
|
+Accept: */* |
|
+Proxy-Connection: Keep-Alive |
|
+ |
|
+</protocol> |
|
+</verify> |
|
+</testcase> |
|
-- |
|
2.34.1 |
|
|
|
|
|
From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001 |
|
From: Daniel Stenberg <daniel@haxx.se> |
|
Date: Mon, 25 Apr 2022 17:59:15 +0200 |
|
Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects |
|
either |
|
|
|
Follow-up to 620ea21410030 |
|
|
|
Reported-by: Harry Sintonen |
|
Closes #8751 |
|
|
|
Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 |
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
lib/http.c | 10 +++++----- |
|
lib/http.h | 6 ++++++ |
|
lib/vtls/openssl.c | 3 ++- |
|
3 files changed, 13 insertions(+), 6 deletions(-) |
|
|
|
diff --git a/lib/http.c b/lib/http.c |
|
index 0791dcf..4433824 100644 |
|
--- a/lib/http.c |
|
+++ b/lib/http.c |
|
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, |
|
} |
|
|
|
/* |
|
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive |
|
- * data" can (still) be sent to this host. |
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other |
|
+ * "sensitive data" can (still) be sent to this host. |
|
*/ |
|
-static bool allow_auth_to_host(struct Curl_easy *data) |
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data) |
|
{ |
|
struct connectdata *conn = data->conn; |
|
return (!data->state.this_is_a_follow || |
|
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, |
|
|
|
/* To prevent the user+password to get sent to other than the original host |
|
due to a location-follow */ |
|
- if(allow_auth_to_host(data) |
|
+ if(Curl_allow_auth_to_host(data) |
|
|| conn->bits.netrc) |
|
result = output_auth_headers(data, conn, authhost, request, path, FALSE); |
|
else |
|
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, |
|
checkprefix("Cookie:", compare)) && |
|
/* be careful of sending this potentially sensitive header to |
|
other hosts */ |
|
- !allow_auth_to_host(data)) |
|
+ !Curl_allow_auth_to_host(data)) |
|
; |
|
else { |
|
#ifdef USE_HYPER |
|
diff --git a/lib/http.h b/lib/http.h |
|
index 07e963d..9000bae 100644 |
|
--- a/lib/http.h |
|
+++ b/lib/http.h |
|
@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data, |
|
bool proxytunnel); /* TRUE if this is the request setting |
|
up the proxy tunnel */ |
|
|
|
+/* |
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other |
|
+ * "sensitive data" can (still) be sent to this host. |
|
+ */ |
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data); |
|
+ |
|
#endif /* HEADER_CURL_HTTP_H */ |
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c |
|
index 1bafe96..97c5666 100644 |
|
--- a/lib/vtls/openssl.c |
|
+++ b/lib/vtls/openssl.c |
|
@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, |
|
#endif |
|
|
|
#ifdef USE_OPENSSL_SRP |
|
- if(ssl_authtype == CURL_TLSAUTH_SRP) { |
|
+ if((ssl_authtype == CURL_TLSAUTH_SRP) && |
|
+ Curl_allow_auth_to_host(data)) { |
|
char * const ssl_username = SSL_SET_OPTION(username); |
|
|
|
infof(data, "Using TLS-SRP username: %s\n", ssl_username); |
|
-- |
|
2.34.1 |
|
|
|
|