package/network/utils/curl/patches/110-CVE-2018-1000007.patch

   1 From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
   2 From: Daniel Stenberg <daniel@haxx.se>
   3 Date: Fri, 19 Jan 2018 13:19:25 +0100
   4 Subject: [PATCH] http: prevent custom Authorization headers in redirects
   5
   6 ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
   7 curl already handles Authorization headers created internally.
   8
   9 Note: this changes behavior slightly, for the sake of reducing mistakes.
  10
  11 Added test 317 and 318 to verify.
  12
  13 Reported-by: Craig de Stigter
  14 Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
  15 ---
  16  docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++-
  17  lib/http.c                             | 10 ++-
  18  lib/setopt.c                           |  2 +-
  19  lib/urldata.h                          |  2 +-
  20  tests/data/Makefile.inc                |  2 +-
  21  tests/data/test317                     | 94 +++++++++++++++++++++++++
  22  tests/data/test318                     | 95 ++++++++++++++++++++++++++
  23  7 files changed, 212 insertions(+), 5 deletions(-)
  24  create mode 100644 tests/data/test317
  25  create mode 100644 tests/data/test318
  26
  27 --- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
  28 +++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
  29 @@ -5,7 +5,7 @@
  30  .\" *                            | (__| |_| |  _ <| |___
  31  .\" *                             \___|\___/|_| \_\_____|
  32  .\" *
  33 -.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
  34 +.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  35  .\" *
  36  .\" * This software is licensed as described in the file COPYING, which
  37  .\" * you should have received as part of this distribution. The terms
  38 @@ -77,6 +77,16 @@ the headers. They may be private or othe
  39
  40  Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
  41  intend them to get sent.
  42 +
  43 +Custom headers are sent in all requests done by the easy handles, which
  44 +implies that if you tell libcurl to follow redirects
  45 +(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
  46 +in the subsequent request. Redirects can of course go to other hosts and thus
  47 +those servers will get all the contents of your custom headers too.
  48 +
  49 +Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
  50 +from being sent to other hosts than the first used one, unless specifically
  51 +permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
  52  .SH DEFAULT
  53  NULL
  54  .SH PROTOCOLS
  55 --- a/lib/http.c
  56 +++ b/lib/http.c
  57 @@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata
  58    if(!data->state.this_is_a_follow ||
  59       conn->bits.netrc ||
  60       !data->state.first_host ||
  61 -     data->set.http_disable_hostname_check_before_authentication ||
  62 +     data->set.allow_auth_to_other_hosts ||
  63       strcasecompare(data->state.first_host, conn->host.name)) {
  64      result = output_auth_headers(conn, authhost, request, path, FALSE);
  65    }
  66 @@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct
  67                    checkprefix("Transfer-Encoding:", headers->data))
  68              /* HTTP/2 doesn't support chunked requests */
  69              ;
  70 +          else if(checkprefix("Authorization:", headers->data) &&
  71 +                  /* be careful of sending this potentially sensitive header to
  72 +                     other hosts */
  73 +                  (data->state.this_is_a_follow &&
  74 +                   data->state.first_host &&
  75 +                   !data->set.allow_auth_to_other_hosts &&
  76 +                   !strcasecompare(data->state.first_host, conn->host.name)))
  77 +            ;
  78            else {
  79              CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
  80                                                 headers->data);
  81 --- a/lib/url.c
  82 +++ b/lib/url.c
  83 @@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d
  84       * Send authentication (user+password) when following locations, even when
  85       * hostname changed.
  86       */
  87 -    data->set.http_disable_hostname_check_before_authentication =
  88 +    data->set.allow_auth_to_other_hosts =
  89        (0 != va_arg(param, long)) ? TRUE : FALSE;
  90      break;
  91
  92 --- a/lib/urldata.h
  93 +++ b/lib/urldata.h
  94 @@ -1675,7 +1675,7 @@ struct UserDefined {
  95    bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
  96    bool http_follow_location; /* follow HTTP redirects */
  97    bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
  98 -  bool http_disable_hostname_check_before_authentication;
  99 +  bool allow_auth_to_other_hosts;
 100    bool include_header;   /* include received protocol headers in data output */
 101    bool http_set_referer; /* is a custom referer used */
 102    bool http_auto_referer; /* set "correct" referer when following location: */