Commit c39703d9 authored by Leo's avatar Leo
Browse files

main/curl: fix CVE-2020-8169 and CVE-2020-8177

See #11682
parent b96a3dad
Pipeline #23880 failed with stages
in 13 minutes and 21 seconds
......@@ -4,7 +4,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=curl
pkgver=7.66.0
pkgrel=0
pkgrel=1
pkgdesc="URL retrival utility and library"
url="https://curl.haxx.se/"
arch="all"
......@@ -14,9 +14,15 @@ depends_dev="openssl-dev nghttp2-dev zlib-dev"
checkdepends="python3"
makedepends="$depends_dev autoconf automake groff libtool perl"
subpackages="$pkgname-dbg $pkgname-static $pkgname-doc $pkgname-dev libcurl"
source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz"
source="https://curl.haxx.se/download/$pkgname-$pkgver.tar.xz
CVE-2020-8169.patch
CVE-2020-8177.patch
"
# secfixes:
# 7.66.0-r1:
# - CVE-2020-8169
# - CVE-2020-8177
# 7.66.0-r0:
# - CVE-2019-5481
# - CVE-2019-5482
......@@ -123,4 +129,6 @@ libcurl() {
mv "$pkgdir"/usr/lib "$subpkgdir"/usr
}
sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz"
sha512sums="81170e7e4fa9d99ee2038d96d7f2ab10dcf52435331c818c7565c1a733891720f845a08029915e52ba532c6a344c346e1678474624aac1cc333aea6d1eacde35 curl-7.66.0.tar.xz
f2cff2158a011e78c341db57d1ad918bc2cb4b10227ed90adb1d06af5540cab54f652f92a3e779e4657fab3db28c8d37ee541e23006f3ad237e9030f81bdc4b3 CVE-2020-8169.patch
ff01645fb6b4f1bd279d3600923b093a3877461ad9971d1f4d0c552e0c39542b8f7ff9c76d07d2382fde297e53bfb6e20b8115a6dade32f790c57a34a3242b0d CVE-2020-8177.patch"
From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 14 May 2020 14:37:12 +0200
Subject: [PATCH] url: make the updated credentials URL-encoded in the URL
Found-by: Gregory Jefferis
Reported-by: Jeroen Ooms
Added test 1168 to verify. Bug spotted when doing a redirect.
Bug: https://github.com/jeroen/curl/issues/224
Closes #5400
---
lib/url.c | 6 ++--
tests/data/Makefile.inc | 1 +
tests/data/test1168 | 78 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 83 insertions(+), 2 deletions(-)
create mode 100644 tests/data/test1168
diff --git a/lib/url.c b/lib/url.c
index f250f2ff20a..9b8b2bdde64 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2788,12 +2788,14 @@ static CURLcode override_login(struct Curl_easy *data,
/* for updated strings, we update them in the URL */
if(user_changed) {
- uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0);
+ uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
+ CURLU_URLENCODE);
if(uc)
return Curl_uc_to_curlcode(uc);
}
if(passwd_changed) {
- uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0);
+ uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
+ CURLU_URLENCODE);
if(uc)
return Curl_uc_to_curlcode(uc);
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 004a90b2360..bb6bf0f2fd0 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -136,6 +136,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 \
+test1168 \
\
test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 \
\
diff --git a/tests/data/test1168 b/tests/data/test1168
new file mode 100644
index 00000000000..283e91e0197
--- /dev/null
+++ b/tests/data/test1168
@@ -0,0 +1,78 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+followlocation
+</keywords>
+</info>
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: /data/11680002.txt
+Connection: close
+
+This server reply is for testing a simple Location: following
+
+</data>
+<data2>
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</data2>
+<datacheck>
+HTTP/1.1 301 This is a weirdo text message swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Location: /data/11680002.txt
+Connection: close
+
+HTTP/1.1 200 Followed here fine swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 52
+
+If this is received, the location following worked
+
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP redirect with credentials using # in user and password
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /want/1168 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
+Accept: */*
+
+GET /data/11680002.txt HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>
From 8236aba58542c5f89f1d41ca09d84579efb05e22 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 31 May 2020 23:09:59 +0200
Subject: [PATCH] tool_getparam: -i is not OK if -J is used
Reported-by: sn on hackerone
Bug: https://curl.haxx.se/docs/CVE-2020-8177.html
---
src/tool_cb_hdr.c | 22 ++++------------------
src/tool_getparam.c | 5 +++++
2 files changed, 9 insertions(+), 18 deletions(-)
diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
index 3b102388866..b80707fde57 100644
--- a/src/tool_cb_hdr.c
+++ b/src/tool_cb_hdr.c
@@ -186,25 +186,11 @@ size_t tool_header_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
filename = parse_filename(p, len);
if(filename) {
if(outs->stream) {
- int rc;
- /* already opened and possibly written to */
- if(outs->fopened)
- fclose(outs->stream);
- outs->stream = NULL;
-
- /* rename the initial file name to the new file name */
- rc = rename(outs->filename, filename);
- if(rc != 0) {
- warnf(per->config->global, "Failed to rename %s -> %s: %s\n",
- outs->filename, filename, strerror(errno));
- }
- if(outs->alloc_filename)
- Curl_safefree(outs->filename);
- if(rc != 0) {
- free(filename);
- return failure;
- }
+ /* indication of problem, get out! */
+ free(filename);
+ return failure;
}
+
outs->is_cd_filename = TRUE;
outs->s_isreg = TRUE;
outs->fopened = FALSE;
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 0cd11c47986..1ab3983f4ac 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -1817,6 +1817,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
}
break;
case 'i':
+ if(config->content_disposition) {
+ warnf(global,
+ "--include and --remote-header-name cannot be combined.\n");
+ return PARAM_BAD_USE;
+ }
config->show_headers = toggle; /* show the headers as well in the
general output stream */
break;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment