Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 488fc98adf
Branches Tags
openwrt_lede
/
package
/
network
/
utils
/
curl
/
patches
/
110-CVE-2018-1000007.patch

110-CVE-2018-1000007.patch 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102 
  1. From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
    2. 

  2. From: Daniel Stenberg <daniel@haxx.se>
    3. 

  3. Date: Fri, 19 Jan 2018 13:19:25 +0100
    4. 

  4. Subject: [PATCH] http: prevent custom Authorization headers in redirects
    5. 

  5. 

  6. ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
    7. 

  7. curl already handles Authorization headers created internally.
    8. 

  8. 

  9. Note: this changes behavior slightly, for the sake of reducing mistakes.
    10. 

  10. 

  11. Added test 317 and 318 to verify.
    12. 

  12. 

  13. Reported-by: Craig de Stigter
    14. 

  14. Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
    15. 

  15. ---
    16. 

  16.  docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++-
    17. 

  17.  lib/http.c                             | 10 ++-
    18. 

  18.  lib/setopt.c                           |  2 +-
    19. 

  19.  lib/urldata.h                          |  2 +-
    20. 

  20.  tests/data/Makefile.inc                |  2 +-
    21. 

  21.  tests/data/test317                     | 94 +++++++++++++++++++++++++
    22. 

  22.  tests/data/test318                     | 95 ++++++++++++++++++++++++++
    23. 

  23.  7 files changed, 212 insertions(+), 5 deletions(-)
    24. 

  24.  create mode 100644 tests/data/test317
    25. 

  25.  create mode 100644 tests/data/test318
    26. 

  26. 

  27. --- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
    28. 

  28. +++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
    29. 

  29. @@ -5,7 +5,7 @@
    30. 

  30.  .\" *                            | (__| |_| |  _ <| |___
    31. 

  31.  .\" *                             \___|\___/|_| \_\_____|
    32. 

  32.  .\" *
    33. 

  33. -.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
    34. 

  34. +.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
    35. 

  35.  .\" *
    36. 

  36.  .\" * This software is licensed as described in the file COPYING, which
    37. 

  37.  .\" * you should have received as part of this distribution. The terms
    38. 

  38. @@ -77,6 +77,16 @@ the headers. They may be private or othe
    39. 

  39.  
    40. 

  40.  Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
    41. 

  41.  intend them to get sent.
    42. 

  42. +
    43. 

  43. +Custom headers are sent in all requests done by the easy handles, which
    44. 

  44. +implies that if you tell libcurl to follow redirects
    45. 

  45. +(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
    46. 

  46. +in the subsequent request. Redirects can of course go to other hosts and thus
    47. 

  47. +those servers will get all the contents of your custom headers too.
    48. 

  48. +
    49. 

  49. +Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
    50. 

  50. +from being sent to other hosts than the first used one, unless specifically
    51. 

  51. +permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
    52. 

  52.  .SH DEFAULT
    53. 

  53.  NULL
    54. 

  54.  .SH PROTOCOLS
    55. 

  55. --- a/lib/http.c
    56. 

  56. +++ b/lib/http.c
    57. 

  57. @@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata
    58. 

  58.    if(!data->state.this_is_a_follow ||
    59. 

  59.       conn->bits.netrc ||
    60. 

  60.       !data->state.first_host ||
    61. 

  61. -     data->set.http_disable_hostname_check_before_authentication ||
    62. 

  62. +     data->set.allow_auth_to_other_hosts ||
    63. 

  63.       strcasecompare(data->state.first_host, conn->host.name)) {
    64. 

  64.      result = output_auth_headers(conn, authhost, request, path, FALSE);
    65. 

  65.    }
    66. 

  66. @@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct
    67. 

  67.                    checkprefix("Transfer-Encoding:", headers->data))
    68. 

  68.              /* HTTP/2 doesn't support chunked requests */
    69. 

  69.              ;
    70. 

  70. +          else if(checkprefix("Authorization:", headers->data) &&
    71. 

  71. +                  /* be careful of sending this potentially sensitive header to
    72. 

  72. +                     other hosts */
    73. 

  73. +                  (data->state.this_is_a_follow &&
    74. 

  74. +                   data->state.first_host &&
    75. 

  75. +                   !data->set.allow_auth_to_other_hosts &&
    76. 

  76. +                   !strcasecompare(data->state.first_host, conn->host.name)))
    77. 

  77. +            ;
    78. 

  78.            else {
    79. 

  79.              CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
    80. 

  80.                                                 headers->data);
    81. 

  81. --- a/lib/url.c
    82. 

  82. +++ b/lib/url.c
    83. 

  83. @@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d
    84. 

  84.       * Send authentication (user+password) when following locations, even when
    85. 

  85.       * hostname changed.
    86. 

  86.       */
    87. 

  87. -    data->set.http_disable_hostname_check_before_authentication =
    88. 

  88. +    data->set.allow_auth_to_other_hosts =
    89. 

  89.        (0 != va_arg(param, long)) ? TRUE : FALSE;
    90. 

  90.      break;
    91. 

  91.  
    92. 

  92. --- a/lib/urldata.h
    93. 

  93. +++ b/lib/urldata.h
    94. 

  94. @@ -1675,7 +1675,7 @@ struct UserDefined {
    95. 

  95.    bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
    96. 

  96.    bool http_follow_location; /* follow HTTP redirects */
    97. 

  97.    bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
    98. 

  98. -  bool http_disable_hostname_check_before_authentication;
    99. 

  99. +  bool allow_auth_to_other_hosts;
    100. 

  100.    bool include_header;   /* include received protocol headers in data output */
    101. 

  101.    bool http_set_referer; /* is a custom referer used */
    102. 

  102.    bool http_auto_referer; /* set "correct" referer when following location: */
    103.