mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-23 12:58:23 +00:00
9bc43f3e65
This fixes the following security problems: * CVE-2017-1000254: FTP PWD response parser out of bounds read * CVE-2017-1000257: IMAP FETCH response out of bounds read * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read * CVE-2018-1000007: HTTP authentication leak in redirects * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write * CVE-2018-1000121: LDAP NULL pointer dereference * CVE-2018-1000122: RTSP RTP buffer over-read * CVE-2018-1000301: RTSP bad headers buffer over-read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
103 lines
4.5 KiB
Diff
103 lines
4.5 KiB
Diff
From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Fri, 19 Jan 2018 13:19:25 +0100
|
|
Subject: [PATCH] http: prevent custom Authorization headers in redirects
|
|
|
|
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
|
|
curl already handles Authorization headers created internally.
|
|
|
|
Note: this changes behavior slightly, for the sake of reducing mistakes.
|
|
|
|
Added test 317 and 318 to verify.
|
|
|
|
Reported-by: Craig de Stigter
|
|
Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
|
|
---
|
|
docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++-
|
|
lib/http.c | 10 ++-
|
|
lib/setopt.c | 2 +-
|
|
lib/urldata.h | 2 +-
|
|
tests/data/Makefile.inc | 2 +-
|
|
tests/data/test317 | 94 +++++++++++++++++++++++++
|
|
tests/data/test318 | 95 ++++++++++++++++++++++++++
|
|
7 files changed, 212 insertions(+), 5 deletions(-)
|
|
create mode 100644 tests/data/test317
|
|
create mode 100644 tests/data/test318
|
|
|
|
--- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
|
|
+++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
|
|
@@ -5,7 +5,7 @@
|
|
.\" * | (__| |_| | _ <| |___
|
|
.\" * \___|\___/|_| \_\_____|
|
|
.\" *
|
|
-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
.\" *
|
|
.\" * This software is licensed as described in the file COPYING, which
|
|
.\" * you should have received as part of this distribution. The terms
|
|
@@ -77,6 +77,16 @@ the headers. They may be private or othe
|
|
|
|
Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
|
|
intend them to get sent.
|
|
+
|
|
+Custom headers are sent in all requests done by the easy handles, which
|
|
+implies that if you tell libcurl to follow redirects
|
|
+(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
|
|
+in the subsequent request. Redirects can of course go to other hosts and thus
|
|
+those servers will get all the contents of your custom headers too.
|
|
+
|
|
+Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
|
|
+from being sent to other hosts than the first used one, unless specifically
|
|
+permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
|
|
.SH DEFAULT
|
|
NULL
|
|
.SH PROTOCOLS
|
|
--- a/lib/http.c
|
|
+++ b/lib/http.c
|
|
@@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata
|
|
if(!data->state.this_is_a_follow ||
|
|
conn->bits.netrc ||
|
|
!data->state.first_host ||
|
|
- data->set.http_disable_hostname_check_before_authentication ||
|
|
+ data->set.allow_auth_to_other_hosts ||
|
|
strcasecompare(data->state.first_host, conn->host.name)) {
|
|
result = output_auth_headers(conn, authhost, request, path, FALSE);
|
|
}
|
|
@@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct
|
|
checkprefix("Transfer-Encoding:", headers->data))
|
|
/* HTTP/2 doesn't support chunked requests */
|
|
;
|
|
+ else if(checkprefix("Authorization:", headers->data) &&
|
|
+ /* be careful of sending this potentially sensitive header to
|
|
+ other hosts */
|
|
+ (data->state.this_is_a_follow &&
|
|
+ data->state.first_host &&
|
|
+ !data->set.allow_auth_to_other_hosts &&
|
|
+ !strcasecompare(data->state.first_host, conn->host.name)))
|
|
+ ;
|
|
else {
|
|
CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
|
|
headers->data);
|
|
--- a/lib/url.c
|
|
+++ b/lib/url.c
|
|
@@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d
|
|
* Send authentication (user+password) when following locations, even when
|
|
* hostname changed.
|
|
*/
|
|
- data->set.http_disable_hostname_check_before_authentication =
|
|
+ data->set.allow_auth_to_other_hosts =
|
|
(0 != va_arg(param, long)) ? TRUE : FALSE;
|
|
break;
|
|
|
|
--- a/lib/urldata.h
|
|
+++ b/lib/urldata.h
|
|
@@ -1675,7 +1675,7 @@ struct UserDefined {
|
|
bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
|
|
bool http_follow_location; /* follow HTTP redirects */
|
|
bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
|
|
- bool http_disable_hostname_check_before_authentication;
|
|
+ bool allow_auth_to_other_hosts;
|
|
bool include_header; /* include received protocol headers in data output */
|
|
bool http_set_referer; /* is a custom referer used */
|
|
bool http_auto_referer; /* set "correct" referer when following location: */
|