openwrt/package/network/utils/curl/patches/110-CVE-2018-1000007.patch

From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 19 Jan 2018 13:19:25 +0100
Subject: [PATCH] http: prevent custom Authorization headers in redirects

... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
curl already handles Authorization headers created internally.

Note: this changes behavior slightly, for the sake of reducing mistakes.

Added test 317 and 318 to verify.

Reported-by: Craig de Stigter
Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
---
 docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++-
 lib/http.c                             | 10 ++-
 lib/setopt.c                           |  2 +-
 lib/urldata.h                          |  2 +-
 tests/data/Makefile.inc                |  2 +-
 tests/data/test317                     | 94 +++++++++++++++++++++++++
 tests/data/test318                     | 95 ++++++++++++++++++++++++++
 7 files changed, 212 insertions(+), 5 deletions(-)
 create mode 100644 tests/data/test317
 create mode 100644 tests/data/test318

--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -77,6 +77,16 @@ the headers. They may be private or othe
 
 Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
 intend them to get sent.
+
+Custom headers are sent in all requests done by the easy handles, which
+implies that if you tell libcurl to follow redirects
+(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
+in the subsequent request. Redirects can of course go to other hosts and thus
+those servers will get all the contents of your custom headers too.
+
+Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
+from being sent to other hosts than the first used one, unless specifically
+permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
 .SH DEFAULT
 NULL
 .SH PROTOCOLS
--- a/lib/http.c
+++ b/lib/http.c
@@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata
   if(!data->state.this_is_a_follow ||
      conn->bits.netrc ||
      !data->state.first_host ||
-     data->set.http_disable_hostname_check_before_authentication ||
+     data->set.allow_auth_to_other_hosts ||
      strcasecompare(data->state.first_host, conn->host.name)) {
     result = output_auth_headers(conn, authhost, request, path, FALSE);
   }
@@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct
                   checkprefix("Transfer-Encoding:", headers->data))
             /* HTTP/2 doesn't support chunked requests */
             ;
+          else if(checkprefix("Authorization:", headers->data) &&
+                  /* be careful of sending this potentially sensitive header to
+                     other hosts */
+                  (data->state.this_is_a_follow &&
+                   data->state.first_host &&
+                   !data->set.allow_auth_to_other_hosts &&
+                   !strcasecompare(data->state.first_host, conn->host.name)))
+            ;
           else {
             CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
                                                headers->data);
--- a/lib/url.c
+++ b/lib/url.c
@@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d
      * Send authentication (user+password) when following locations, even when
      * hostname changed.
      */
-    data->set.http_disable_hostname_check_before_authentication =
+    data->set.allow_auth_to_other_hosts =
       (0 != va_arg(param, long)) ? TRUE : FALSE;
     break;
 
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1675,7 +1675,7 @@ struct UserDefined {
   bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
   bool http_follow_location; /* follow HTTP redirects */
   bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
-  bool http_disable_hostname_check_before_authentication;
+  bool allow_auth_to_other_hosts;
   bool include_header;   /* include received protocol headers in data output */
   bool http_set_referer; /* is a custom referer used */
   bool http_auto_referer; /* set "correct" referer when following location: */
curl: fix some security problems This fixes the following security problems: * CVE-2017-1000254: FTP PWD response parser out of bounds read * CVE-2017-1000257: IMAP FETCH response out of bounds read * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read * CVE-2018-1000007: HTTP authentication leak in redirects * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write * CVE-2018-1000121: LDAP NULL pointer dereference * CVE-2018-1000122: RTSP RTP buffer over-read * CVE-2018-1000301: RTSP bad headers buffer over-read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2018-08-10 21:39:06 +02:00			`From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001`
			`From: Daniel Stenberg <daniel@haxx.se>`
			`Date: Fri, 19 Jan 2018 13:19:25 +0100`
			`Subject: [PATCH] http: prevent custom Authorization headers in redirects`

			`... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how`
			`curl already handles Authorization headers created internally.`

			`Note: this changes behavior slightly, for the sake of reducing mistakes.`

			`Added test 317 and 318 to verify.`

			`Reported-by: Craig de Stigter`
			`Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html`
			`---`
			`docs/libcurl/opts/CURLOPT_HTTPHEADER.3 \| 12 +++-`
			`lib/http.c \| 10 ++-`
			`lib/setopt.c \| 2 +-`
			`lib/urldata.h \| 2 +-`
			`tests/data/Makefile.inc \| 2 +-`
			`tests/data/test317 \| 94 +++++++++++++++++++++++++`
			`tests/data/test318 \| 95 ++++++++++++++++++++++++++`
			`7 files changed, 212 insertions(+), 5 deletions(-)`
			`create mode 100644 tests/data/test317`
			`create mode 100644 tests/data/test318`

			`--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3`
			`+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3`
			`@@ -5,7 +5,7 @@`
			`.\" * \| (__\| \|_\| \| _ <\| \|___`
			`.\" * \___\|\___/\|_\| \_\_____\|`
			`.\" *`
			`-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.`
			`+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.`
			`.\" *`
			`.\" * This software is licensed as described in the file COPYING, which`
			`.\" * you should have received as part of this distribution. The terms`
			`@@ -77,6 +77,16 @@ the headers. They may be private or othe`

			`Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you`
			`intend them to get sent.`
			`+`
			`+Custom headers are sent in all requests done by the easy handles, which`
			`+implies that if you tell libcurl to follow redirects`
			`+(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent`
			`+in the subsequent request. Redirects can of course go to other hosts and thus`
			`+those servers will get all the contents of your custom headers too.`
			`+`
			`+Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers`
			`+from being sent to other hosts than the first used one, unless specifically`
			`+permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.`
			`.SH DEFAULT`
			`NULL`
			`.SH PROTOCOLS`
			`--- a/lib/http.c`
			`+++ b/lib/http.c`
			`@@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata`
			`if(!data->state.this_is_a_follow \|\|`
			`conn->bits.netrc \|\|`
			`!data->state.first_host \|\|`
			`- data->set.http_disable_hostname_check_before_authentication \|\|`
			`+ data->set.allow_auth_to_other_hosts \|\|`
			`strcasecompare(data->state.first_host, conn->host.name)) {`
			`result = output_auth_headers(conn, authhost, request, path, FALSE);`
			`}`
			`@@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct`
			`checkprefix("Transfer-Encoding:", headers->data))`
			`/* HTTP/2 doesn't support chunked requests */`
			`;`
			`+ else if(checkprefix("Authorization:", headers->data) &&`
			`+ /* be careful of sending this potentially sensitive header to`
			`+ other hosts */`
			`+ (data->state.this_is_a_follow &&`
			`+ data->state.first_host &&`
			`+ !data->set.allow_auth_to_other_hosts &&`
			`+ !strcasecompare(data->state.first_host, conn->host.name)))`
			`+ ;`
			`else {`
			`CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",`
			`headers->data);`
			`--- a/lib/url.c`
			`+++ b/lib/url.c`
			`@@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d`
			`* Send authentication (user+password) when following locations, even when`
			`* hostname changed.`
			`*/`
			`- data->set.http_disable_hostname_check_before_authentication =`
			`+ data->set.allow_auth_to_other_hosts =`
			`(0 != va_arg(param, long)) ? TRUE : FALSE;`
			`break;`

			`--- a/lib/urldata.h`
			`+++ b/lib/urldata.h`
			`@@ -1675,7 +1675,7 @@ struct UserDefined {`
			`bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */`
			`bool http_follow_location; /* follow HTTP redirects */`
			`bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */`
			`- bool http_disable_hostname_check_before_authentication;`
			`+ bool allow_auth_to_other_hosts;`
			`bool include_header; /* include received protocol headers in data output */`
			`bool http_set_referer; /* is a custom referer used */`
			`bool http_auto_referer; /* set "correct" referer when following location: */`