diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch deleted file mode 100644 index affe9f069ce63fd7472c4eebd4fe3a1e11fa02f9..0000000000000000000000000000000000000000 --- a/0102-curl-7.36.0-debug.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 31 Oct 2012 11:38:30 +0100 -Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778) - ---- - configure | 13 +++---------- - m4/curl-compilers.m4 | 13 +++---------- - 2 files changed, 6 insertions(+), 20 deletions(-) - -diff --git a/configure b/configure -index 8f079a3..53b4774 100755 ---- a/configure -+++ b/configure -@@ -16301,18 +16301,11 @@ $as_echo "yes" >&6; } - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . -f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" -- flags_opt_yes="-O2" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - - OLDCPPFLAGS=$CPPFLAGS -diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 -index 0cbba7a..9175b5b 100644 ---- a/m4/curl-compilers.m4 -+++ b/m4/curl-compilers.m4 -@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . -f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" -- flags_opt_yes="-O2" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - CURL_CHECK_DEF([_WIN32], [], [silent]) - else --- -1.7.1 - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch deleted file mode 100644 index efdfd35df087e62349f8abf802f001978ce3e2bd..0000000000000000000000000000000000000000 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ /dev/null @@ -1,39 +0,0 @@ -From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 4 Feb 2019 17:32:56 +0100 -Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp - -... to prevent valgrind from reporting false positives on x86_64: - -Conditional jump or move depends on uninitialised value(s) - at 0x10BCAA: part2id (lib1560.c:489) - by 0x10BCAA: updateurl (lib1560.c:521) - by 0x10BCAA: set_parts (lib1560.c:630) - by 0x10BCAA: test (lib1560.c:802) - by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) - -Conditional jump or move depends on uninitialised value(s) - at 0x10BCC3: part2id (lib1560.c:491) - by 0x10BCC3: updateurl (lib1560.c:521) - by 0x10BCC3: set_parts (lib1560.c:630) - by 0x10BCC3: test (lib1560.c:802) - by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) ---- - tests/libtest/Makefile.inc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index 080421b..ea3b806 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -531,6 +531,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) - lib1559_LDADD = $(TESTUTIL_LIBS) - - lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp - lib1560_LDADD = $(TESTUTIL_LIBS) - - lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) --- -2.17.2 - diff --git a/0106-curl-fix-CVE-2019-15601.patch b/0106-curl-fix-CVE-2019-15601.patch deleted file mode 100644 index fb1067f89dd685ab8ab72431e4912dfc1057950e..0000000000000000000000000000000000000000 --- a/0106-curl-fix-CVE-2019-15601.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 1b71bc532bde8621fd3260843f8197182a467ff2 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Thu, 7 Nov 2019 10:13:01 +0100 -Subject: [PATCH] file: on Windows, refuse paths that start with \\ -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -... as that might cause an unexpected SMB connection to a given host -name. - -Reported-by: Fernando Muñoz -CVE-2019-15601 -Bug: https://curl.haxx.se/docs/CVE-2019-15601.html ---- - lib/file.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/lib/file.c b/lib/file.c -index d349cd9..166931d 100644 ---- a/lib/file.c -+++ b/lib/file.c -@@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) - { - char *real_path; - struct FILEPROTO *file = data->req.p.file; -- int fd; -+ int fd = -1; - #ifdef DOS_FILESYSTEM - size_t i; - char *actual_path; -@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) - return CURLE_URL_MALFORMAT; - } - -- fd = open_readonly(actual_path, O_RDONLY|O_BINARY); -+ if(strncmp("\\\\", actual_path, 2)) -+ /* refuse to open path that starts with two backslashes */ -+ fd = open_readonly(actual_path, O_RDONLY|O_BINARY); - file->path = actual_path; - #else - if(memchr(real_path, 0, real_path_len)) { --- -1.8.3.1 - diff --git a/backport-0001-CVE-2023-23914-CVE-2023-23915.patch b/backport-0001-CVE-2023-23914-CVE-2023-23915.patch new file mode 100644 index 0000000000000000000000000000000000000000..80bab120128745161e7341d59c14d32b5f58773d --- /dev/null +++ b/backport-0001-CVE-2023-23914-CVE-2023-23915.patch @@ -0,0 +1,311 @@ +From 076a2f629119222aeeb50f5a03bf9f9052fabb9a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:20 +0100 +Subject: [PATCH] share: add sharing of HSTS cache among handles + +Closes #10138 + +Conflict: remove docs/libcurl/opts/CURLSHOPT_SHARE.3 +Reference: https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a +--- + docs/libcurl/symbols-in-versions | 1 + + include/curl/curl.h | 1 + + lib/hsts.c | 15 ++++++++++ + lib/hsts.h | 2 ++ + lib/setopt.c | 48 +++++++++++++++++++++++++++----- + lib/share.c | 32 +++++++++++++++++++-- + lib/share.h | 6 +++- + lib/transfer.c | 3 ++ + lib/url.c | 6 +++- + lib/urldata.h | 2 ++ + 10 files changed, 105 insertions(+), 11 deletions(-) + +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 55f25b6..fcb79f4 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -943,6 +943,7 @@ CURL_LOCK_ACCESS_SINGLE 7.10.3 + CURL_LOCK_DATA_CONNECT 7.10.3 + CURL_LOCK_DATA_COOKIE 7.10.3 + CURL_LOCK_DATA_DNS 7.10.3 ++CURL_LOCK_DATA_HSTS 7.88.0 + CURL_LOCK_DATA_NONE 7.10.3 + CURL_LOCK_DATA_PSL 7.61.0 + CURL_LOCK_DATA_SHARE 7.10.4 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 835c3d8..4835003 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -2821,6 +2821,7 @@ typedef enum { + CURL_LOCK_DATA_SSL_SESSION, + CURL_LOCK_DATA_CONNECT, + CURL_LOCK_DATA_PSL, ++ CURL_LOCK_DATA_HSTS, + CURL_LOCK_DATA_LAST + } curl_lock_data; + +diff --git a/lib/hsts.c b/lib/hsts.c +index f51859a..0253049 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -37,6 +37,7 @@ + #include "parsedate.h" + #include "fopen.h" + #include "rename.h" ++#include "share.h" + #include "strtoofft.h" + + /* The last 3 #include files should be in this order */ +@@ -531,4 +532,18 @@ CURLcode Curl_hsts_loadcb(struct Curl_easy *data, struct hsts *h) + return CURLE_OK; + } + ++void Curl_hsts_loadfiles(struct Curl_easy *data) ++{ ++ struct curl_slist *l = data->set.hstslist; ++ if(l) { ++ Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE); ++ ++ while(l) { ++ (void)Curl_hsts_loadfile(data, data->hsts, l->data); ++ l = l->next; ++ } ++ Curl_share_unlock(data, CURL_LOCK_DATA_HSTS); ++ } ++} ++ + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ +diff --git a/lib/hsts.h b/lib/hsts.h +index 653c053..ab3fec2 100644 +--- a/lib/hsts.h ++++ b/lib/hsts.h +@@ -57,9 +57,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_easy *data, + struct hsts *h, const char *file); + CURLcode Curl_hsts_loadcb(struct Curl_easy *data, + struct hsts *h); ++void Curl_hsts_loadfiles(struct Curl_easy *data); + #else + #define Curl_hsts_cleanup(x) + #define Curl_hsts_loadcb(x,y) CURLE_OK + #define Curl_hsts_save(x,y,z) ++#define Curl_hsts_loadfiles(x) + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ + #endif /* HEADER_CURL_HSTS_H */ +diff --git a/lib/setopt.c b/lib/setopt.c +index a0eeac2..f6eb3bc 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2230,9 +2230,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + data->cookies = NULL; + #endif + ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts == data->hsts) ++ data->hsts = NULL; ++#endif ++#ifdef USE_SSL + if(data->share->sslsession == data->state.session) + data->state.session = NULL; +- ++#endif + #ifdef USE_LIBPSL + if(data->psl == &data->share->psl) + data->psl = data->multi? &data->multi->psl: NULL; +@@ -2266,10 +2271,19 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + data->cookies = data->share->cookies; + } + #endif /* CURL_DISABLE_HTTP */ ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts) { ++ /* first free the private one if any */ ++ Curl_hsts_cleanup(&data->hsts); ++ data->hsts = data->share->hsts; ++ } ++#endif /* CURL_DISABLE_HTTP */ ++#ifdef USE_SSL + if(data->share->sslsession) { + data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions; + data->state.session = data->share->sslsession; + } ++#endif + #ifdef USE_LIBPSL + if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL)) + data->psl = &data->share->psl; +@@ -2958,19 +2972,39 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_HSTSWRITEDATA: + data->set.hsts_write_userp = va_arg(param, void *); + break; +- case CURLOPT_HSTS: ++ case CURLOPT_HSTS: { ++ struct curl_slist *h; + if(!data->hsts) { + data->hsts = Curl_hsts_init(); + if(!data->hsts) + return CURLE_OUT_OF_MEMORY; + } + argptr = va_arg(param, char *); +- result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); +- if(result) +- return result; +- if(argptr) +- (void)Curl_hsts_loadfile(data, data->hsts, argptr); ++ if(argptr) { ++ result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); ++ if(result) ++ return result; ++ /* this needs to build a list of file names to read from, so that it can ++ read them later, as we might get a shared HSTS handle to load them ++ into */ ++ h = curl_slist_append(data->set.hstslist, argptr); ++ if(!h) { ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ return CURLE_OUT_OF_MEMORY; ++ } ++ data->set.hstslist = h; /* store the list for later use */ ++ } ++ else { ++ /* clear the list of HSTS files */ ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ if(!data->share || !data->share->hsts) ++ /* throw away the HSTS cache unless shared */ ++ Curl_hsts_cleanup(&data->hsts); ++ } + break; ++ } + case CURLOPT_HSTS_CTRL: + arg = va_arg(param, long); + if(arg & CURLHSTS_ENABLE) { +diff --git a/lib/share.c b/lib/share.c +index 9c43c8f..8681ac2 100644 +--- a/lib/share.c ++++ b/lib/share.c +@@ -27,9 +27,11 @@ + #include "share.h" + #include "psl.h" + #include "vtls/vtls.h" +-#include "curl_memory.h" ++#include "hsts.h" + +-/* The last #include file should be: */ ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" + #include "memdebug.h" + + struct Curl_share * +@@ -91,6 +93,18 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(!share->hsts) { ++ share->hsts = Curl_hsts_init(); ++ if(!share->hsts) ++ res = CURLSHE_NOMEM; ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + if(!share->sslsession) { +@@ -143,6 +157,16 @@ curl_share_setopt(struct Curl_share *share, CURLSHoption option, ...) + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(share->hsts) { ++ Curl_hsts_cleanup(&share->hsts); ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + Curl_safefree(share->sslsession); +@@ -209,6 +233,10 @@ curl_share_cleanup(struct Curl_share *share) + Curl_cookie_cleanup(share->cookies); + #endif + ++#ifndef CURL_DISABLE_HSTS ++ Curl_hsts_cleanup(&share->hsts); ++#endif ++ + #ifdef USE_SSL + if(share->sslsession) { + size_t i; +diff --git a/lib/share.h b/lib/share.h +index 222e34b..97b820b 100644 +--- a/lib/share.h ++++ b/lib/share.h +@@ -57,10 +57,14 @@ struct Curl_share { + #ifdef USE_LIBPSL + struct PslCache psl; + #endif +- ++#ifndef CURL_DISABLE_HSTS ++ struct hsts *hsts; ++#endif ++#ifdef USE_SSL + struct Curl_ssl_session *sslsession; + size_t max_ssl_sessions; + long sessionage; ++#endif + }; + + CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data, +diff --git a/lib/transfer.c b/lib/transfer.c +index 6d23eae..970ef35 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1468,6 +1468,9 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) + if(data->state.resolve) + result = Curl_loadhostpairs(data); + ++ /* If there is a list of hsts files to read */ ++ Curl_hsts_loadfiles(data); ++ + if(!result) { + /* Allow data->set.use_port to set which port to use. This needs to be + * disabled for example when we follow Location: headers to URLs using +diff --git a/lib/url.c b/lib/url.c +index 6df1de4..02c74f9 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -427,7 +427,11 @@ CURLcode Curl_close(struct Curl_easy **datap) + Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]); + Curl_altsvc_cleanup(&data->asi); + Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]); +- Curl_hsts_cleanup(&data->hsts); ++#ifndef CURL_DISABLE_HSTS ++ if(!data->share || !data->share->hsts) ++ Curl_hsts_cleanup(&data->hsts); ++ curl_slist_free_all(data->set.hstslist); /* clean up list */ ++#endif + #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) + Curl_http_auth_cleanup_digest(data); + #endif +diff --git a/lib/urldata.h b/lib/urldata.h +index 23bc588..5c178cc 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1670,6 +1670,8 @@ struct UserDefined { + /* function to convert from UTF-8 encoding: */ + curl_conv_callback convfromutf8; + #ifndef CURL_DISABLE_HSTS ++ struct curl_slist *hstslist; /* list of HSTS files set by ++ curl_easy_setopt(HSTS) calls */ + curl_hstsread_callback hsts_read; + void *hsts_read_userp; + curl_hstswrite_callback hsts_write; +-- +2.33.0 + diff --git a/backport-0001-CVE-2023-23916.patch b/backport-0001-CVE-2023-23916.patch new file mode 100644 index 0000000000000000000000000000000000000000..dce11125731fc207916bd85bfbb24a1dd0a9abb0 --- /dev/null +++ b/backport-0001-CVE-2023-23916.patch @@ -0,0 +1,259 @@ +From 2f34a7347f315513bfda9ef14770d287fb246bcd Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 1 Dec 2022 09:21:04 +0100 +Subject: [PATCH] runtests: do CRLF replacements per section only + +The `crlf="yes"` attribute and "hyper mode" are now only applied on a +subset of dedicated sections: data, datacheck, stdout and protocol. + +Updated test 2500 accordingly. + +Also made test1 use crlf="yes" for , mostly because it is +often used as a template test case. Going forward, using this attribute +we should be able to write test cases using linefeeds only and avoid +mixed line ending encodings. + +Follow-up to ca15b7512e8d11 + +Fixes #10009 +Closes #10010 + +Conflict: remove tests/data/test2500 +Reference: https://github.com/curl/curl/commit/2f34a7347f315513bfda9ef14770d287fb246bcd +--- + tests/FILEFORMAT.md | 20 +++++++++++++----- + tests/data/test1 | 14 ++++++------- + tests/runtests.pl | 49 +++++++++++++++++++++++++++++++++++++++++---- + 3 files changed, 67 insertions(+), 16 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index e17605b..c6e65a4 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -187,7 +187,7 @@ When using curl built with Hyper, the keywords must include HTTP or HTTPS for + 'hyper mode' to kick in and make line ending checks work for tests. + ## `` + +-### `` ++### `` + + data to be sent to the client on its request and later verified that it + arrived safely. Set `nocheck="yes"` to prevent the test script from verifying +@@ -213,12 +213,16 @@ much sense for other sections than "data"). + `hex=yes` means that the data is a sequence of hex pairs. It will get decoded + and used as "raw" data. + ++`crlf=yes` forces *header* newlines to become CRLF even if not written so in ++the source file. Note that this makes runtests.pl parse and "guess" what is a ++header and what is not in order to apply the CRLF line endings appropriately. ++ + For FTP file listings, the `` section will be used *only* if you make + sure that there has been a CWD done first to a directory named `test-[num]` + where [num] is the test case number. Otherwise the ftp server can't know from + which test file to load the list content. + +-### `` ++### `` + + Send back this contents instead of the one. The num is set by: + +@@ -242,7 +246,7 @@ The connect section is used instead of the 'data' for all CONNECT + requests. The remainder of the rules for the data section then apply but with + a connect prefix. + +-### `` ++### `` + if the data is sent but this is what should be checked afterwards. If + `nonewline=yes` is set, runtests will cut off the trailing newline from the + data before comparing with the one actually received by the client. +@@ -250,7 +254,7 @@ data before comparing with the one actually received by the client. + Use the `mode="text"` attribute if the output is in text mode on platforms + that have a text/binary difference. + +-### `` ++### `` + The contents of numbered datacheck sections are appended to the non-numbered + one. + +@@ -534,6 +538,9 @@ the trailing newline of this given data before comparing with the one actually + sent by the client The `` and `` rules are applied before + comparisons are made. + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy +@@ -550,7 +557,7 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + +-### `` ++### `` + This verifies that this data was passed to stdout. + + Use the mode="text" attribute if the output is in text mode on platforms that +@@ -559,6 +566,9 @@ have a text/binary difference. + If 'nonewline' is set, we will cut off the trailing newline of this given data + before comparing with the one actually received by the client + ++`crlf=yes` forces the newlines to become CRLF even if not written so in the ++test. ++ + ### `` + The file's contents must be identical to this after the test is complete. Use + the mode="text" attribute if the output is in text mode on platforms that have +diff --git a/tests/data/test1 b/tests/data/test1 +index f39a08b..700bed8 100644 +--- a/tests/data/test1 ++++ b/tests/data/test1 +@@ -9,7 +9,7 @@ HTTP GET + # + # Server-side + +- ++ + HTTP/1.1 200 OK + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake +@@ -42,12 +42,12 @@ http://%HOSTIP:%HTTPPORT/%TESTNUMBER + # + # Verify data after the test has been "shot" + +- +-GET /%TESTNUMBER HTTP/1.1 +-Host: %HOSTIP:%HTTPPORT +-User-Agent: curl/%VERSION +-Accept: */* +- ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ + + + +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 098b19e..fa6bcac 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -3419,7 +3419,13 @@ sub subBase64 { + + my $prevupdate; + sub subNewlines { +- my ($thing) = @_; ++ my ($force, $thing) = @_; ++ ++ if($force) { ++ # enforce CRLF newline ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; ++ return; ++ } + + # When curl is built with Hyper, it gets all response headers delivered as + # name/value pairs and curl "invents" the newlines when it saves the +@@ -3433,7 +3439,7 @@ sub subNewlines { + # skip curl error messages + ($$thing !~ /^curl: \(\d+\) /))) { + # enforce CRLF newline +- $$thing =~ s/\x0a/\x0d\x0a/; ++ $$thing =~ s/\x0d*\x0a/\x0d\x0a/; + $prevupdate = 1; + } + else { +@@ -3505,6 +3511,7 @@ sub prepro { + my (@entiretest) = @_; + my $show = 1; + my @out; ++ my $data_crlf; + for my $s (@entiretest) { + my $f = $s; + if($s =~ /^ *%if (.*)/) { +@@ -3528,10 +3535,19 @@ sub prepro { + next; + } + if($show) { ++ # The processor does CRLF replacements in the sections if ++ # necessary since those parts might be read by separate servers. ++ if($s =~ /^ */) { ++ if($1 =~ /crlf="yes"/ || $has_hyper) { ++ $data_crlf = 1; ++ } ++ } ++ elsif(($s =~ /^ *<\/data/) && $data_crlf) { ++ $data_crlf = 0; ++ } + subVariables(\$s, $testnum, "%"); + subBase64(\$s); +- subNewlines(\$s) if($has_hyper && ($keywords{"HTTP"} || +- $keywords{"HTTPS"})); ++ subNewlines(0, \$s) if($data_crlf); + push @out, $s; + } + } +@@ -3845,6 +3861,11 @@ sub singletest { + # of the datacheck + chomp($replycheckpart[$#replycheckpart]); + } ++ if($replycheckpartattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @replycheckpart; ++ } + push(@reply, @replycheckpart); + } + } +@@ -3859,6 +3880,11 @@ sub singletest { + map s/\r\n/\n/g, @reply; + map s/\n/\r\n/g, @reply; + } ++ if($replyattr{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @reply; ++ } + } + + # this is the valid protocol blurb curl should generate +@@ -4300,6 +4326,12 @@ sub singletest { + chomp($validstdout[$#validstdout]); + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @validstdout; ++ } ++ + $res = compare($testnum, $testname, "stdout", \@actual, \@validstdout); + if($res) { + return $errorreturncode; +@@ -4394,6 +4426,10 @@ sub singletest { + } + } + ++ if($hash{'crlf'}) { ++ map subNewlines(1, \$_), @protstrip; ++ } ++ + if((!$out[0] || ($out[0] eq "")) && $protstrip[0]) { + logmsg "\n $testnum: protocol FAILED!\n". + " There was no content at all in the file $SERVERIN.\n". +@@ -4530,6 +4566,11 @@ sub singletest { + map s/\r\n/\n/g, @outfile; + map s/\n/\r\n/g, @outfile; + } ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} ++ || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @outfile; ++ } + + my $strip; + for $strip (@stripfile) { +-- +2.33.0 + diff --git a/backport-0001-CVE-2023-28320.patch b/backport-0001-CVE-2023-28320.patch new file mode 100644 index 0000000000000000000000000000000000000000..58dc248c084dd7b77e5717a80798faa713b2a0e0 --- /dev/null +++ b/backport-0001-CVE-2023-28320.patch @@ -0,0 +1,327 @@ +From 23af112f5556d6a785c17e09f2422ac931405f61 Mon Sep 17 00:00:00 2001 +From: Thomas Guillem +Date: Tue, 5 Apr 2022 15:46:03 +0200 +Subject: [PATCH 1/1] lib: make curl_global_init() threadsafe when possible + +Use a posix pthread or a Windows SRWLOCK to lock curl_global_init*() and +curl_global_cleanup(). + +Closes #8680 + +Conflict:update easy_lock.h to latest +Reference:https://github.com/curl/curl/commit/23af112f5556d6a785c17e09f2422ac931405f61 +--- + configure.ac | 2 ++ + lib/Makefile.inc | 1 + + lib/easy.c | 52 +++++++++++++++++++++++++++++---- + lib/easy_lock.h | 105 ++++++++++++++++++++++++++++++++++++++++++++ + m4/curl-functions.m4 | 23 +++++++++++++++ + 5 files changed, 178 insertions(+), 5 deletions(-) + create mode 100644 lib/easy_lock.h + +diff --git a/configure.ac b/configure.ac +index 3910ec631..009f32c32 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -118,6 +118,7 @@ AC_SUBST(libext) + dnl figure out the libcurl version + CURLVERSION=`$SED -ne 's/^#define LIBCURL_VERSION "\(.*\)".*/\1/p' ${srcdir}/include/curl/curlver.h` + XC_CHECK_PROG_CC ++CURL_ATOMIC + + dnl for --enable-code-coverage + CURL_COVERAGE +@@ -3444,6 +3445,7 @@ AC_CHECK_FUNCS([fnmatch \ + if_nametoindex \ + mach_absolute_time \ + pipe \ ++ sched_yield \ + setlocale \ + setmode \ + setrlimit \ +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index 1ab007896..f756515d6 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -262,6 +262,7 @@ LIB_HFILES = \ + doh.h \ + dotdot.h \ + dynbuf.h \ ++ easy_lock.h \ + easyif.h \ + easyoptions.h \ + escape.h \ +diff --git a/lib/easy.c b/lib/easy.c +index 336cada87..7781c8e16 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -84,11 +84,25 @@ + #include "curl_printf.h" + #include "curl_memory.h" + #include "memdebug.h" ++#include "easy_lock.h" + + /* true globals -- for curl_global_init() and curl_global_cleanup() */ + static unsigned int initialized; + static long init_flags; + ++#ifdef GLOBAL_INIT_IS_THREADSAFE ++ ++static curl_simple_lock s_lock = CURL_SIMPLE_LOCK_INIT; ++#define global_init_lock() curl_simple_lock_lock(&s_lock) ++#define global_init_unlock() curl_simple_lock_unlock(&s_lock) ++ ++#else ++ ++#define global_init_lock() ++#define global_init_unlock() ++ ++#endif ++ + /* + * strdup (and other memory functions) is redefined in complicated + * ways, but at this point it must be defined as the system-supplied strdup +@@ -207,7 +221,14 @@ static CURLcode global_init(long flags, bool memoryfuncs) + */ + CURLcode curl_global_init(long flags) + { +- return global_init(flags, TRUE); ++ CURLcode result; ++ global_init_lock(); ++ ++ result = global_init(flags, TRUE); ++ ++ global_init_unlock(); ++ ++ return result; + } + + /* +@@ -218,15 +239,20 @@ CURLcode curl_global_init_mem(long flags, curl_malloc_callback m, + curl_free_callback f, curl_realloc_callback r, + curl_strdup_callback s, curl_calloc_callback c) + { ++ CURLcode result; ++ + /* Invalid input, return immediately */ + if(!m || !f || !r || !s || !c) + return CURLE_FAILED_INIT; + ++ global_init_lock(); ++ + if(initialized) { + /* Already initialized, don't do it again, but bump the variable anyway to + work like curl_global_init() and require the same amount of cleanup + calls. */ + initialized++; ++ global_init_unlock(); + return CURLE_OK; + } + +@@ -239,7 +265,11 @@ CURLcode curl_global_init_mem(long flags, curl_malloc_callback m, + Curl_ccalloc = c; + + /* Call the actual init function, but without setting */ +- return global_init(flags, FALSE); ++ result = global_init(flags, FALSE); ++ ++ global_init_unlock(); ++ ++ return result; + } + + /** +@@ -248,11 +278,17 @@ CURLcode curl_global_init_mem(long flags, curl_malloc_callback m, + */ + void curl_global_cleanup(void) + { +- if(!initialized) ++ global_init_lock(); ++ ++ if(!initialized) { ++ global_init_unlock(); + return; ++ } + +- if(--initialized) ++ if(--initialized) { ++ global_init_unlock(); + return; ++ } + + Curl_ssl_cleanup(); + Curl_resolver_global_cleanup(); +@@ -273,6 +309,8 @@ void curl_global_cleanup(void) + #endif + + init_flags = 0; ++ ++ global_init_unlock(); + } + + /* +@@ -285,14 +323,18 @@ struct Curl_easy *curl_easy_init(void) + struct Curl_easy *data; + + /* Make sure we inited the global SSL stuff */ ++ global_init_lock(); ++ + if(!initialized) { +- result = curl_global_init(CURL_GLOBAL_DEFAULT); ++ result = global_init(CURL_GLOBAL_DEFAULT, TRUE); + if(result) { + /* something in the global init failed, return nothing */ + DEBUGF(fprintf(stderr, "Error: curl_global_init failed\n")); ++ global_init_unlock(); + return NULL; + } + } ++ global_init_unlock(); + + /* We use curl_open() with undefined URL so far */ + result = Curl_open(&data); +diff --git a/lib/easy_lock.h b/lib/easy_lock.h +new file mode 100644 +index 000000000..41627c4d4 +--- /dev/null ++++ b/lib/easy_lock.h +@@ -0,0 +1,105 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#define GLOBAL_INIT_IS_THREADSAFE ++ ++#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600 ++ ++#ifdef __MINGW32__ ++#ifndef __MINGW64_VERSION_MAJOR ++#if (__MINGW32_MAJOR_VERSION < 5) || \ ++ (__MINGW32_MAJOR_VERSION == 5 && __MINGW32_MINOR_VERSION == 0) ++/* mingw >= 5.0.1 defines SRWLOCK, and slightly different from MS define */ ++typedef PVOID SRWLOCK, *PSRWLOCK; ++#endif ++#endif ++#ifndef SRWLOCK_INIT ++#define SRWLOCK_INIT NULL ++#endif ++#endif /* __MINGW32__ */ ++ ++#define curl_simple_lock SRWLOCK ++#define CURL_SIMPLE_LOCK_INIT SRWLOCK_INIT ++ ++#define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m) ++#define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m) ++ ++#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H) ++#include ++#if defined(HAVE_SCHED_YIELD) ++#include ++#endif ++ ++#define curl_simple_lock atomic_int ++#define CURL_SIMPLE_LOCK_INIT 0 ++ ++/* a clang-thing */ ++#ifndef __has_builtin ++#define __has_builtin(x) 0 ++#endif ++ ++#ifndef __INTEL_COMPILER ++/* The Intel compiler tries to look like GCC *and* clang *and* lies in its ++ __has_builtin() function, so override it. */ ++ ++/* if GCC on i386/x86_64 or if the built-in is present */ ++#if ( (defined(__GNUC__) && !defined(__clang__)) && \ ++ (defined(__i386__) || defined(__x86_64__))) || \ ++ __has_builtin(__builtin_ia32_pause) ++#define HAVE_BUILTIN_IA32_PAUSE ++#endif ++ ++#endif ++ ++static inline void curl_simple_lock_lock(curl_simple_lock *lock) ++{ ++ for(;;) { ++ if(!atomic_exchange_explicit(lock, true, memory_order_acquire)) ++ break; ++ /* Reduce cache coherency traffic */ ++ while(atomic_load_explicit(lock, memory_order_relaxed)) { ++ /* Reduce load (not mandatory) */ ++#ifdef HAVE_BUILTIN_IA32_PAUSE ++ __builtin_ia32_pause(); ++#elif defined(__aarch64__) ++ __asm__ volatile("yield" ::: "memory"); ++#elif defined(HAVE_SCHED_YIELD) ++ sched_yield(); ++#endif ++ } ++ } ++} ++ ++static inline void curl_simple_lock_unlock(curl_simple_lock *lock) ++{ ++ atomic_store_explicit(lock, false, memory_order_release); ++} ++ ++#else ++ ++#undef GLOBAL_INIT_IS_THREADSAFE ++ ++#endif +diff --git a/m4/curl-functions.m4 b/m4/curl-functions.m4 +index b40d42798..eb85dce4a 100644 +--- a/m4/curl-functions.m4 ++++ b/m4/curl-functions.m4 +@@ -6566,3 +6566,26 @@ AC_DEFUN([CURL_COVERAGE],[ + LIBS="$LIBS -lgcov" + fi + ]) ++ ++dnl CURL_ATOMIC ++dnl -------------------------------------------------- ++dnl Check if _Atomic works ++dnl ++AC_DEFUN([CURL_ATOMIC],[ ++ AC_MSG_CHECKING([if _Atomic is available]) ++ AC_COMPILE_IFELSE([ ++ AC_LANG_PROGRAM([[ ++ $curl_includes_unistd ++ ]],[[ ++ _Atomic int i = 0; ++ ]]) ++ ],[ ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE_UNQUOTED(HAVE_ATOMIC, 1, ++ [Define to 1 if you have _Atomic support.]) ++ tst_atomic="yes" ++ ],[ ++ AC_MSG_RESULT([no]) ++ tst_atomic="no" ++ ]) ++]) +-- +2.33.0 + diff --git a/backport-0002-CVE-2023-23914-CVE-2023-23915.patch b/backport-0002-CVE-2023-23914-CVE-2023-23915.patch new file mode 100644 index 0000000000000000000000000000000000000000..b7eeb0c6d3efb902f96223f20932b1a319c92b40 --- /dev/null +++ b/backport-0002-CVE-2023-23914-CVE-2023-23915.patch @@ -0,0 +1,23 @@ +From 0bf8b796a0ea98395b390c7807187982215f5c11 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] tool_operate: share HSTS between handles + +Conflict: NA +Reference: https://github.com/curl/curl/commit/0bf8b796a0ea98395b390c7807187982215f5c11 +--- + src/tool_operate.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tool_operate.c b/src/tool_operate.c +index 616061ee46359..2b0cc083c0cc7 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -2721,6 +2721,7 @@ CURLcode operate(struct GlobalConfig *global, int argc, argv_item_t argv[]) + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION); + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT); + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL); ++ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS); + + /* Get the required arguments for each operation */ + do { diff --git a/backport-0002-CVE-2023-23916.patch b/backport-0002-CVE-2023-23916.patch new file mode 100644 index 0000000000000000000000000000000000000000..5d07ea13dd1788c4bb4010a395c5b318332ba94b --- /dev/null +++ b/backport-0002-CVE-2023-23916.patch @@ -0,0 +1,230 @@ +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH] content_encoding: do not reset stage counter for each header + +Test 418 verifies + +Closes #10492 + +Conflict: remove tests/data/test387 +Reference: https://github.com/curl/curl/commit/119fb187192a9ea13dc +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 157 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test418 + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index e78cd1c..c870df2 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1034,7 +1034,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -1069,9 +1068,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +diff --git a/lib/urldata.h b/lib/urldata.h +index 5c178cc..8c270b8 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -706,6 +706,7 @@ struct SingleRequest { + struct dohdata *doh; /* DoH specific data for this request */ + #endif + unsigned char setcookies; ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 879d846..660ee28 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -66,7 +66,7 @@ test392 test393 test394 test395 test396 test397 \ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ +-\ ++test418 \ + test430 test431 test432 test433 test434 test435 test446\ + \ + test490 test491 test492 test493 test494 \ +diff --git a/tests/data/test418 b/tests/data/test418 +new file mode 100644 +index 0000000..50e974e +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with multiple Transfer-Encoding headers ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to more than 5 content encodings ++ ++ ++ +-- +2.33.0 + diff --git a/backport-0002-CVE-2023-28320.patch b/backport-0002-CVE-2023-28320.patch new file mode 100644 index 0000000000000000000000000000000000000000..5cefb161321a3de71fcea4cd1a2356734997dbc6 --- /dev/null +++ b/backport-0002-CVE-2023-28320.patch @@ -0,0 +1,82 @@ +From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Tue, 25 Apr 2023 09:22:26 +0200 +Subject: [PATCH] hostip: add locks around use of global buffer for alarm() + +When building with the sync name resolver and timeout ability we now +require thread-safety to be present to enable it. + +Closes #11030 + +Conflict:NA +Reference:https://github.com/curl/curl/commit/13718030ad4b3209a7583b +--- + lib/hostip.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/lib/hostip.c b/lib/hostip.c +index 2381290fdd43e..e410cda69ae6e 100644 +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -70,12 +70,19 @@ + #include + #endif + +-#if defined(CURLRES_SYNCH) && \ +- defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP) ++#if defined(CURLRES_SYNCH) && \ ++ defined(HAVE_ALARM) && \ ++ defined(SIGALRM) && \ ++ defined(HAVE_SIGSETJMP) && \ ++ defined(GLOBAL_INIT_IS_THREADSAFE) + /* alarm-based timeouts can only be used with all the dependencies satisfied */ + #define USE_ALARM_TIMEOUT + #endif + ++#ifdef USE_ALARM_TIMEOUT ++#include "easy_lock.h" ++#endif ++ + #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ + + /* +@@ -254,11 +261,12 @@ void Curl_hostcache_prune(struct Curl_easy *data) + Curl_share_unlock(data, CURL_LOCK_DATA_DNS); + } + +-#ifdef HAVE_SIGSETJMP ++#ifdef USE_ALARM_TIMEOUT + /* Beware this is a global and unique instance. This is used to store the + return address that we can jump back to from inside a signal handler. This + is not thread-safe stuff. */ + sigjmp_buf curl_jmpenv; ++curl_simple_lock curl_jmpenv_lock; + #endif + + /* lookup address, returns entry if found and not stale */ +@@ -832,7 +840,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data, + static + void alarmfunc(int sig) + { +- /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ + (void)sig; + siglongjmp(curl_jmpenv, 1); + } +@@ -912,6 +919,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data, + This should be the last thing we do before calling Curl_resolv(), + as otherwise we'd have to worry about variables that get modified + before we invoke Curl_resolv() (and thus use "volatile"). */ ++ curl_simple_lock_lock(&curl_jmpenv_lock); ++ + if(sigsetjmp(curl_jmpenv, 1)) { + /* this is coming from a siglongjmp() after an alarm signal */ + failf(data, "name lookup timed out"); +@@ -980,6 +989,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data, + #endif + #endif /* HAVE_SIGACTION */ + ++ curl_simple_lock_unlock(&curl_jmpenv_lock); ++ + /* switch back the alarm() to either zero or to what it was before minus + the time we spent until now! */ + if(prev_alarm) { diff --git a/backport-0003-CVE-2023-23914-CVE-2023-23915.patch b/backport-0003-CVE-2023-23914-CVE-2023-23915.patch new file mode 100644 index 0000000000000000000000000000000000000000..ce68a77de82ae219090c72742e3b077aa3504943 --- /dev/null +++ b/backport-0003-CVE-2023-23914-CVE-2023-23915.patch @@ -0,0 +1,52 @@ +From dc0725244a3163f1e2d5f51165db3a1a430f3ba0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] runtests: support crlf="yes" for verify/proxy + +Conflict: Context adaptation +Reference: https://github.com/curl/curl/commit/dc0725244a3163f1e2d5f51165db3a1a430f3ba0 +--- + tests/FILEFORMAT.md | 4 ++-- + tests/runtests.pl | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md +index 7a9c482..e17605b 100644 +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -527,14 +527,14 @@ changing protocol data such as port numbers or user-agent strings. + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `` ++### `` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually + sent by the client The `` and `` rules are applied before + comparisons are made. + +-### `` ++### `` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy + server is used), if 'nonewline' is set, we will cut off the trailing newline +diff --git a/tests/runtests.pl b/tests/runtests.pl +index 38b76e8..098b19e 100755 +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -4486,6 +4486,11 @@ sub singletest { + } + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @protstrip; ++ } ++ + $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); + if($res) { + return $errorreturncode; +-- +2.33.0 + diff --git a/backport-0003-CVE-2023-28320.patch b/backport-0003-CVE-2023-28320.patch new file mode 100644 index 0000000000000000000000000000000000000000..bff0c30db90e9d1015c1c7db4ab6294569de83ed --- /dev/null +++ b/backport-0003-CVE-2023-28320.patch @@ -0,0 +1,79 @@ +From f446258f0269a62289cca0210157cb8558d0edc3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 16 May 2023 23:40:42 +0200 +Subject: [PATCH 1/1] hostip: include easy_lock.h before using + GLOBAL_INIT_IS_THREADSAFE + +Since that header file is the only place that define can be defined. + +Reported-by: Marc Deslauriers + +Follow-up to 13718030ad4b3209 + +Closes #11121 + +Conflict:context adapt +Reference:https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3 +--- + lib/hostip.c | 10 ++++------ + lib/hostip.h | 9 --------- + 2 files changed, 4 insertions(+), 15 deletions(-) + +diff --git a/lib/hostip.c b/lib/hostip.c +index 615f36c16..4ff348436 100644 +--- a/lib/hostip.c ++++ b/lib/hostip.c +@@ -70,6 +70,8 @@ + #include + #endif + ++#include "easy_lock.h" ++ + #if defined(CURLRES_SYNCH) && \ + defined(HAVE_ALARM) && \ + defined(SIGALRM) && \ +@@ -79,10 +81,6 @@ + #define USE_ALARM_TIMEOUT + #endif + +-#ifdef USE_ALARM_TIMEOUT +-#include "easy_lock.h" +-#endif +- + #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ + + /* +@@ -289,8 +287,8 @@ void Curl_hostcache_prune(struct Curl_easy *data) + /* Beware this is a global and unique instance. This is used to store the + return address that we can jump back to from inside a signal handler. This + is not thread-safe stuff. */ +-sigjmp_buf curl_jmpenv; +-curl_simple_lock curl_jmpenv_lock; ++static sigjmp_buf curl_jmpenv; ++static curl_simple_lock curl_jmpenv_lock; + #endif + + /* lookup address, returns entry if found and not stale */ +diff --git a/lib/hostip.h b/lib/hostip.h +index 4b5481f65..0dd19e87c 100644 +--- a/lib/hostip.h ++++ b/lib/hostip.h +@@ -186,15 +186,6 @@ Curl_cache_addr(struct Curl_easy *data, struct Curl_addrinfo *addr, + #define CURL_INADDR_NONE INADDR_NONE + #endif + +-#ifdef HAVE_SIGSETJMP +-/* Forward-declaration of variable defined in hostip.c. Beware this +- * is a global and unique instance. This is used to store the return +- * address that we can jump back to from inside a signal handler. +- * This is not thread-safe stuff. +- */ +-extern sigjmp_buf curl_jmpenv; +-#endif +- + /* + * Function provided by the resolver backend to set DNS servers to use. + */ +-- +2.33.0 + diff --git a/backport-0004-CVE-2023-23914-CVE-2023-23915.patch b/backport-0004-CVE-2023-23914-CVE-2023-23915.patch new file mode 100644 index 0000000000000000000000000000000000000000..3d46901a740775df9e2ffec4472c2739766f17ca --- /dev/null +++ b/backport-0004-CVE-2023-23914-CVE-2023-23915.patch @@ -0,0 +1,119 @@ +From ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] test446: verify hsts with two URLs + +Conflict: Context adaptation +Reference: https://github.com/curl/curl/commit/ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 +--- + tests/data/Makefile.inc | 2 +- + tests/data/test446 | 84 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test446 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index f79b63e..879d846 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ + \ +-test430 test431 test432 test433 test434 test435 \ ++test430 test431 test432 test433 test434 test435 test446\ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test446 b/tests/data/test446 +new file mode 100644 +index 0000000..eda3022 +--- /dev/null ++++ b/tests/data/test446 +@@ -0,0 +1,84 @@ ++ ++ ++ ++ ++HTTP ++HTTP proxy ++HSTS ++trailing-dot ++ ++ ++ ++ ++ ++# we use this as response to a CONNECT ++ ++HTTP/1.1 200 OK ++ ++ ++ ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=604800 ++ ++-foo- ++ ++ ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=6048000 ++ ++-baa- ++ ++ ++ ++ ++ ++https ++http-proxy ++ ++ ++HSTS ++proxy ++https ++debug ++ ++ ++CURL_HSTS_HTTP=yes ++CURL_TIME=2000000000 ++ ++ ++ ++HSTS with two URLs ++ ++ ++-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002 ++ ++ ++ ++ ++# we let it CONNECT to the server to confirm HSTS but deny from there ++ ++GET http://this.hsts.example./%TESTNUMBER HTTP/1.1 ++Host: this.hsts.example. ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1 ++Host: another.example.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ ++# Your HSTS cache. https://curl.se/docs/hsts.html ++# This file was generated by libcurl! Edit at your own risk. ++this.hsts.example "20330525 03:33:20" ++another.example.com "20330727 03:33:20" ++ ++ ++ ++ +-- +2.33.0 + diff --git a/backport-0005-CVE-2023-23914-CVE-2023-23915.patch b/backport-0005-CVE-2023-23914-CVE-2023-23915.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ad46f0da91a541899003f6ce838e32c0fb45124 --- /dev/null +++ b/backport-0005-CVE-2023-23914-CVE-2023-23915.patch @@ -0,0 +1,43 @@ +From ca02a77f05bd5cef20618c8f741aa48b7be0a648 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] hsts: handle adding the same host name again + +It will then use the largest expire time of the two entries. + +Conflict: NA +Reference: https://github.com/curl/curl/commit/ca02a77f05bd5cef20618c8f741aa48b7be0a648 +--- + lib/hsts.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index 339237be1c621..8d6723ee587d2 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -426,14 +426,23 @@ static CURLcode hsts_add(struct hsts *h, char *line) + if(2 == rc) { + time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) : + TIME_T_MAX; +- CURLcode result; ++ CURLcode result = CURLE_OK; + char *p = host; + bool subdomain = FALSE; ++ struct stsentry *e; + if(p[0] == '.') { + p++; + subdomain = TRUE; + } +- result = hsts_create(h, p, subdomain, expires); ++ /* only add it if not already present */ ++ e = Curl_hsts(h, p, subdomain); ++ if(!e) ++ result = hsts_create(h, p, subdomain, expires); ++ else { ++ /* the same host name, use the largest expire time */ ++ if(expires > e->expires) ++ e->expires = expires; ++ } + if(result) + return result; + } diff --git a/backport-001-CVE-2022-27774.patch b/backport-001-CVE-2022-27774.patch new file mode 100644 index 0000000000000000000000000000000000000000..7c859de3249d647c8751895a8b4516449a38ce7c --- /dev/null +++ b/backport-001-CVE-2022-27774.patch @@ -0,0 +1,77 @@ +From 620ea21410030a9977396b4661806bc187231b79 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] transfer: redirects to other protocols or ports clear auth + +... unless explicitly permitted. + +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 +--- + lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 48 insertions(+), 1 deletion(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 53ef0b03b8e0..315da876c4a8 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1611,10 +1611,57 @@ CURLcode Curl_follow(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && (p->protocol != data->info.conn_protocol)) { ++ infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) { ++ Curl_safefree(data->state.aptr.user); ++ Curl_safefree(data->state.aptr.passwd); ++ } ++ } + } + + if(type == FOLLOW_FAKE) { diff --git a/backport-002-CVE-2022-27774.patch b/backport-002-CVE-2022-27774.patch new file mode 100644 index 0000000000000000000000000000000000000000..4021d7c22ef86c856842f80c3e3d8eedf79f23c3 --- /dev/null +++ b/backport-002-CVE-2022-27774.patch @@ -0,0 +1,80 @@ +From 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 17:59:15 +0200 +Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either + +Follow-up to 620ea21410030 + +Reported-by: Harry Sintonen +Closes #8751 +--- + lib/http.c | 10 +++++----- + lib/http.h | 6 ++++++ + lib/vtls/openssl.c | 3 ++- + 3 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index f0476f3b9272..0d5c449bc72a 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, + } + + /* +- * allow_auth_to_host() tells if autentication, cookies or other "sensitive +- * data" can (still) be sent to this host. ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. + */ +-static bool allow_auth_to_host(struct Curl_easy *data) ++bool Curl_allow_auth_to_host(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + return (!data->state.this_is_a_follow || +@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, + + /* To prevent the user+password to get sent to other than the original host + due to a location-follow */ +- if(allow_auth_to_host(data) ++ if(Curl_allow_auth_to_host(data) + #ifndef CURL_DISABLE_NETRC + || conn->bits.netrc + #endif +@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- !allow_auth_to_host(data)) ++ !Curl_allow_auth_to_host(data)) + ; + else { + #ifdef USE_HYPER +diff --git a/lib/http.h b/lib/http.h +index 0972261e63bd..c4ab3c22dec9 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -364,4 +364,10 @@ Curl_http_output_auth(struct Curl_easy *data, + bool proxytunnel); /* TRUE if this is the request setting + up the proxy tunnel */ + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data); ++ + #endif /* HEADER_CURL_HTTP_H */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 5d8e2d39d8e2..3722005d44e9 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2924,7 +2924,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + + #ifdef USE_OPENSSL_SRP +- if(ssl_authtype == CURL_TLSAUTH_SRP) { ++ if((ssl_authtype == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + char * const ssl_username = SSL_SET_OPTION(username); + + infof(data, "Using TLS-SRP username: %s", ssl_username); diff --git a/0101-curl-7.32.0-multilib.patch b/backport-0101-curl-7.32.0-multilib.patch similarity index 100% rename from 0101-curl-7.32.0-multilib.patch rename to backport-0101-curl-7.32.0-multilib.patch diff --git a/backport-CVE-2021-22925.patch b/backport-CVE-2021-22925.patch deleted file mode 100644 index f05caaa5a8c9ced6e80d179afd9f29958772e7a3..0000000000000000000000000000000000000000 --- a/backport-CVE-2021-22925.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sat, 12 Jun 2021 18:25:15 +0200 -Subject: [PATCH] telnet: fix option parser to not send uninitialized contents - -CVS-2021-22925 - -Reported-by: Red Hat Product Security -Bug: https://curl.se/docs/CVE-2021-22925.html ---- - lib/telnet.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/lib/telnet.c b/lib/telnet.c -index 1d3024ec4d3e..a81bb81c3675 100644 ---- a/lib/telnet.c -+++ b/lib/telnet.c -@@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data) - size_t tmplen = (strlen(v->data) + 1); - /* Add the variable only if it fits */ - if(len + tmplen < (int)sizeof(temp)-6) { -- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { -- msnprintf((char *)&temp[len], sizeof(temp) - len, -- "%c%s%c%s", CURL_NEW_ENV_VAR, varname, -- CURL_NEW_ENV_VALUE, varval); -- len += tmplen; -- } -+ int rv; -+ char sep[2] = ""; -+ varval[0] = 0; -+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); -+ if(rv == 1) -+ len += msnprintf((char *)&temp[len], sizeof(temp) - len, -+ "%c%s", CURL_NEW_ENV_VAR, varname); -+ else if(rv >= 2) -+ len += msnprintf((char *)&temp[len], sizeof(temp) - len, -+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname, -+ CURL_NEW_ENV_VALUE, varval); - } - } - msnprintf((char *)&temp[len], sizeof(temp) - len, diff --git a/backport-CVE-2021-22926.patch b/backport-CVE-2021-22926.patch deleted file mode 100644 index 69dae750419403d7878d6c935b8f556958286271..0000000000000000000000000000000000000000 --- a/backport-CVE-2021-22926.patch +++ /dev/null @@ -1,70 +0,0 @@ -From fd9b40bf8dfd43edcbc0d254d613d95a11061c05 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 21 Jun 2021 10:35:09 +0200 -Subject: [PATCH] sectransp: check for client certs by name first, then file - -CVE-2021-22926 - -Bug: https://curl.se/docs/CVE-2021-22926.html - -Assisted-by: Daniel Gustafsson -Reported-by: Harry Sintonen ---- - lib/vtls/sectransp.c | 33 +++++++++++++++++++-------------- - 1 file changed, 19 insertions(+), 14 deletions(-) - -diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c -index 21ca0824bdf6..26b833dd2ac7 100644 ---- a/lib/vtls/sectransp.c -+++ b/lib/vtls/sectransp.c -@@ -32,6 +32,7 @@ - #include "curl_base64.h" - #include "strtok.h" - #include "multiif.h" -+#include "strcase.h" - - #ifdef USE_SECTRANSP - -@@ -1869,24 +1870,28 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, - bool is_cert_file = (!is_cert_data) && is_file(ssl_cert); - SecIdentityRef cert_and_key = NULL; - -- /* User wants to authenticate with a client cert. Look for it: -- If we detect that this is a file on disk, then let's load it. -- Otherwise, assume that the user wants to use an identity loaded -- from the Keychain. */ -- if(is_cert_file || is_cert_data) { -+ /* User wants to authenticate with a client cert. Look for it. Assume that -+ the user wants to use an identity loaded from the Keychain. If not, try -+ it as a file on disk */ -+ -+ if(!is_cert_data) -+ err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); -+ else -+ err = !noErr; -+ if((err != noErr) && (is_cert_file || is_cert_data)) { - if(!SSL_SET_OPTION(cert_type)) -- infof(data, "WARNING: SSL: Certificate type not set, assuming " -- "PKCS#12 format.\n"); -- else if(strncmp(SSL_SET_OPTION(cert_type), "P12", -- strlen(SSL_SET_OPTION(cert_type))) != 0) -- infof(data, "WARNING: SSL: The Security framework only supports " -- "loading identities that are in PKCS#12 format.\n"); -+ infof(data, "SSL: Certificate type not set, assuming " -+ "PKCS#12 format."); -+ else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) { -+ failf(data, "SSL: The Security framework only supports " -+ "loading identities that are in PKCS#12 format."); -+ return CURLE_SSL_CERTPROBLEM; -+ } - - err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob, -- SSL_SET_OPTION(key_passwd), &cert_and_key); -+ SSL_SET_OPTION(key_passwd), -+ &cert_and_key); - } -- else -- err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); - - if(err == noErr && cert_and_key) { - SecCertificateRef cert = NULL; diff --git a/backport-CVE-2022-22576.patch b/backport-CVE-2022-22576.patch new file mode 100644 index 0000000000000000000000000000000000000000..99d152574cba4fe0e39e62e49f1fc33a32e3763f --- /dev/null +++ b/backport-CVE-2022-22576.patch @@ -0,0 +1,142 @@ +From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 25 Apr 2022 11:44:05 +0200 +Subject: [PATCH] url: check sasl additional parameters for connection reuse. + +Also move static function safecmp() as non-static Curl_safecmp() since +its purpose is needed at several places. + +Bug: https://curl.se/docs/CVE-2022-22576.html + +CVE-2022-22576 + +Closes #8746 +--- + lib/strcase.c | 10 ++++++++++ + lib/strcase.h | 2 ++ + lib/url.c | 13 ++++++++++++- + lib/urldata.h | 1 + + lib/vtls/vtls.c | 21 ++++++--------------- + 5 files changed, 31 insertions(+), 16 deletions(-) + +diff --git a/lib/strcase.c b/lib/strcase.c +index dd46ca1ba0e5..692a3f14aee7 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) + } while(*src++ && --n); + } + ++/* Compare case-sensitive NUL-terminated strings, taking care of possible ++ * null pointers. Return true if arguments match. ++ */ ++bool Curl_safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ return !a && !b; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index b234d3815220..2635f5117e99 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -49,4 +49,6 @@ char Curl_raw_toupper(char in); + void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + ++bool Curl_safecmp(char *a, char *b); ++ + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index 9a988b4d58d8..e1647b133854 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -781,6 +781,7 @@ static void conn_free(struct connectdata *conn) + Curl_safefree(conn->passwd); + Curl_safefree(conn->sasl_authzid); + Curl_safefree(conn->options); ++ Curl_safefree(conn->oauth_bearer); + Curl_dyn_free(&conn->trailer); + Curl_safefree(conn->host.rawalloc); /* host name buffer */ + Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ +@@ -1342,7 +1343,9 @@ ConnectionExists(struct Curl_easy *data, + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ + if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ strcmp(needle->passwd, check->passwd) || ++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || ++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -3637,6 +3640,14 @@ static CURLcode create_conn(struct Curl_easy *data, + } + } + ++ if(data->set.str[STRING_BEARER]) { ++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); ++ if(!conn->oauth_bearer) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto out; ++ } ++ } ++ + #ifdef USE_UNIX_SOCKETS + if(data->set.str[STRING_UNIX_SOCKET_PATH]) { + conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); +diff --git a/lib/urldata.h b/lib/urldata.h +index 07eb19b87034..1d89b8d7fa68 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -984,6 +984,7 @@ struct connectdata { + char *passwd; /* password string, allocated */ + char *options; /* options string, allocated */ + char *sasl_authzid; /* authorisation identity string, allocated */ ++ char *oauth_bearer; /* OAUTH2 bearer, allocated */ + unsigned char httpversion; /* the HTTP version*10 reported by the server */ + struct curltime now; /* "current" time */ + struct curltime created; /* creation time */ +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 03b85ba065e5..a40ac06f684f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) + return !memcmp(first->data, second->data, first->len); /* same data */ + } + +-static bool safecmp(char *a, char *b) +-{ +- if(a && b) +- return !strcmp(a, b); +- else if(!a && !b) +- return TRUE; /* match */ +- return FALSE; /* no match */ +-} +- + + bool + Curl_ssl_config_matches(struct ssl_primary_config *data, +@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + blobcmp(data->cert_blob, needle->cert_blob) && + blobcmp(data->ca_info_blob, needle->ca_info_blob) && + blobcmp(data->issuercert_blob, needle->issuercert_blob) && +- safecmp(data->CApath, needle->CApath) && +- safecmp(data->CAfile, needle->CAfile) && +- safecmp(data->issuercert, needle->issuercert) && +- safecmp(data->clientcert, needle->clientcert) && +- safecmp(data->random_file, needle->random_file) && +- safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->CApath, needle->CApath) && ++ Curl_safecmp(data->CAfile, needle->CAfile) && ++ Curl_safecmp(data->issuercert, needle->issuercert) && ++ Curl_safecmp(data->clientcert, needle->clientcert) && ++ Curl_safecmp(data->random_file, needle->random_file) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && diff --git a/backport-CVE-2022-27775.patch b/backport-CVE-2022-27775.patch new file mode 100644 index 0000000000000000000000000000000000000000..606ba9cae72f95e36c9eb524d9b20a00e87a71c8 --- /dev/null +++ b/backport-CVE-2022-27775.patch @@ -0,0 +1,34 @@ +From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 11:48:00 +0200 +Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey + +Make connections to two separate IPv6 zone ids create separate +connections. + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27775.html +Closes #8747 +--- + lib/conncache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/conncache.c b/lib/conncache.c +index ec669b971dc3..8948b53fa500 100644 +--- a/lib/conncache.c ++++ b/lib/conncache.c +@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf, + /* report back which name we used */ + *hostp = hostname; + +- /* put the number first so that the hostname gets cut off if too long */ +- msnprintf(buf, len, "%ld%s", port, hostname); ++ /* put the numbers first so that the hostname gets cut off if too long */ ++#ifdef ENABLE_IPV6 ++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); ++#else ++ msnprintf(buf, len, "%ld/%s", port, hostname); ++#endif + Curl_strntolower(buf, buf, len); + } + diff --git a/backport-CVE-2022-27776.patch b/backport-CVE-2022-27776.patch new file mode 100644 index 0000000000000000000000000000000000000000..e1f169ee35c0ab4253d954ab0162de0adb88e722 --- /dev/null +++ b/backport-CVE-2022-27776.patch @@ -0,0 +1,112 @@ +From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 13:05:40 +0200 +Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port + +CVE-2022-27776 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27776.html +Closes #8749 +--- + lib/http.c | 34 ++++++++++++++++++++++------------ + lib/urldata.h | 16 +++++++++------- + 2 files changed, 31 insertions(+), 19 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index ce79fc4e31c8..f0476f3b9272 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data, + return CURLE_OK; + } + ++/* ++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive ++ * data" can (still) be sent to this host. ++ */ ++static bool allow_auth_to_host(struct Curl_easy *data) ++{ ++ struct connectdata *conn = data->conn; ++ return (!data->state.this_is_a_follow || ++ data->set.allow_auth_to_other_hosts || ++ (data->state.first_host && ++ strcasecompare(data->state.first_host, conn->host.name) && ++ (data->state.first_remote_port == conn->remote_port) && ++ (data->state.first_remote_protocol == conn->handler->protocol))); ++} ++ + /** + * Curl_http_output_auth() setups the authentication headers for the + * host/proxy and the correct authentication +@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data, + with it */ + authproxy->done = TRUE; + +- /* To prevent the user+password to get sent to other than the original +- host due to a location-follow, we do some weirdo checks here */ +- if(!data->state.this_is_a_follow || ++ /* To prevent the user+password to get sent to other than the original host ++ due to a location-follow */ ++ if(allow_auth_to_host(data) + #ifndef CURL_DISABLE_NETRC +- conn->bits.netrc || ++ || conn->bits.netrc + #endif +- !data->state.first_host || +- data->set.allow_auth_to_other_hosts || +- strcasecompare(data->state.first_host, conn->host.name)) { ++ ) + result = output_auth_headers(data, conn, authhost, request, path, FALSE); +- } + else + authhost->done = TRUE; + +@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- (data->state.this_is_a_follow && +- data->state.first_host && +- !data->set.allow_auth_to_other_hosts && +- !strcasecompare(data->state.first_host, conn->host.name))) ++ !allow_auth_to_host(data)) + ; + else { + #ifdef USE_HYPER +@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) + return CURLE_OUT_OF_MEMORY; + + data->state.first_remote_port = conn->remote_port; ++ data->state.first_remote_protocol = conn->handler->protocol; + } + Curl_safefree(data->state.aptr.host); + +diff --git a/lib/urldata.h b/lib/urldata.h +index 1d89b8d7fa68..ef2174d9e727 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1329,14 +1329,16 @@ struct UrlState { + char *ulbuf; /* allocated upload buffer or NULL */ + curl_off_t current_speed; /* the ProgressShow() function sets this, + bytes / second */ +- char *first_host; /* host name of the first (not followed) request. +- if set, this should be the host name that we will +- sent authorization to, no else. Used to make Location: +- following not keep sending user+password... This is +- strdup() data. +- */ ++ ++ /* host name, port number and protocol of the first (not followed) request. ++ if set, this should be the host name that we will sent authorization to, ++ no else. Used to make Location: following not keep sending user+password. ++ This is strdup()ed data. */ ++ char *first_host; ++ int first_remote_port; ++ unsigned int first_remote_protocol; ++ + int retrycount; /* number of retries on a new connection */ +- int first_remote_port; /* remote port of the first (not followed) request */ + struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ + long sessionage; /* number of the most recent session */ + struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */ diff --git a/backport-CVE-2022-27781.patch b/backport-CVE-2022-27781.patch new file mode 100644 index 0000000000000000000000000000000000000000..a3aabe645a34ce84096e11f554d3dff910a30330 --- /dev/null +++ b/backport-CVE-2022-27781.patch @@ -0,0 +1,43 @@ +From 5c7da89d404bf59c8dd82a001119a16d18365917 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 10:07:15 +0200 +Subject: [PATCH] nss: return error if seemingly stuck in a cert loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2022-27781 + +Reported-by: Florian Kohnhäuser +Bug: https://curl.se/docs/CVE-2022-27781.html +Closes #8822 +--- + lib/vtls/nss.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 5b7de9f81895..569c0628feb5 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, + PR_Free(common_name); + } + ++/* A number of certs that will never occur in a real server handshake */ ++#define TOO_MANY_CERTS 300 ++ + static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) + { + CURLcode result = CURLE_OK; +@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) + cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); + while(cert2) { + i++; ++ if(i >= TOO_MANY_CERTS) { ++ CERT_DestroyCertificate(cert2); ++ failf(data, "certificate loop"); ++ return CURLE_SSL_CERTPROBLEM; ++ } + if(cert2->isRoot) { + CERT_DestroyCertificate(cert2); + break; diff --git a/backport-CVE-2022-27782.patch b/backport-CVE-2022-27782.patch new file mode 100644 index 0000000000000000000000000000000000000000..093cdf98826fff3c9082c7be58d98a815b8237a6 --- /dev/null +++ b/backport-CVE-2022-27782.patch @@ -0,0 +1,489 @@ +Backport of: + +From 222b896a07ed1e183e7eacd6df10fc23264bd820 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 6 May 2022 10:48:58 +0200 +Subject: [PATCH 1/2] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 23 ++++++++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 32 +++++++++++++++++--------------- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 6 +++--- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 21 +++++++++++++++++++++ + 8 files changed, 87 insertions(+), 49 deletions(-) + +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2317,6 +2317,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2330,6 +2331,7 @@ CURLcode Curl_vsetopt(struct Curl_easy * + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2766,49 +2768,52 @@ CURLcode Curl_vsetopt(struct Curl_easy * + case CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + #ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + #endif + break; + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + #ifndef CURL_DISABLE_PROXY + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + #endif + break; + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #endif +--- a/lib/url.c ++++ b/lib/url.c +@@ -556,7 +556,7 @@ CURLcode Curl_init_userdefined(struct Cu + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -1114,6 +1114,12 @@ static void prune_dead_connections(struc + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1372,6 +1378,11 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + ++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +@@ -1772,11 +1783,17 @@ static struct connectdata *allocate_conn + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; + conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; + conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; ++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #ifndef CURL_DISABLE_PROXY + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; + conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; + conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; ++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #endif + conn->ip_version = data->set.ipver; + conn->bits.connect_only = data->set.connect_only; +@@ -3839,7 +3856,8 @@ static CURLcode create_conn(struct Curl_ + data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.primary.issuercert_blob = + data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3847,18 +3865,20 @@ static CURLcode create_conn(struct Curl_ + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + #ifndef CURL_DISABLE_PROXY +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -253,10 +253,17 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ + struct curl_blob *cert_blob; + struct curl_blob *ca_info_blob; + struct curl_blob *issuercert_blob; ++#ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++#endif + char *curves; /* list of curves to use */ ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -266,7 +273,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +@@ -274,11 +280,6 @@ struct ssl_config_data { + struct curl_blob *key_blob; + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -432,9 +432,10 @@ gtls_connect_step1(struct Curl_easy *dat + } + + #ifdef HAVE_GNUTLS_SRP +- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); ++ infof(data, "Using TLS-SRP username: %s", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -444,8 +445,8 @@ gtls_connect_step1(struct Curl_easy *dat + } + + rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, +- SSL_SET_OPTION(username), +- SSL_SET_OPTION(password)); ++ SSL_SET_OPTION(primary.username), ++ SSL_SET_OPTION(primary.password)); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_set_client_cred() failed: %s", + gnutls_strerror(rc)); +@@ -502,19 +503,19 @@ gtls_connect_step1(struct Curl_easy *dat + } + #endif + +- if(SSL_SET_OPTION(CRLfile)) { ++ if(SSL_SET_OPTION(primary.CRLfile)) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(backend->cred, +- SSL_SET_OPTION(CRLfile), ++ SSL_SET_OPTION(primary.CRLfile), + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + failf(data, "error reading crl file %s (%s)", +- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); ++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + return CURLE_SSL_CRL_BADFILE; + } + else + infof(data, "found %d CRL in %s", +- rc, SSL_SET_OPTION(CRLfile)); ++ rc, SSL_SET_OPTION(primary.CRLfile)); + } + + /* Initialize TLS session as a client */ +@@ -581,7 +582,7 @@ gtls_connect_step1(struct Curl_easy *dat + #ifdef HAVE_GNUTLS_SRP + /* Only add SRP to the cipher list if SRP is requested. Otherwise + * GnuTLS will disable TLS 1.3 support. */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + size_t len = strlen(prioritylist); + + char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); +@@ -676,7 +677,7 @@ gtls_connect_step1(struct Curl_easy *dat + + #ifdef HAVE_GNUTLS_SRP + /* put the credentials to the current session */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, + backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -855,8 +856,8 @@ Curl_gtls_verifyserver(struct Curl_easy + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef HAVE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -914,7 +915,8 @@ Curl_gtls_verifyserver(struct Curl_easy + failf(data, "server certificate verification failed. CAfile: %s " + "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "none", +- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); ++ SSL_SET_OPTION(primary.CRLfile) ? ++ SSL_SET_OPTION(primary.CRLfile) : "none"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else +@@ -1531,8 +1533,8 @@ static int gtls_shutdown(struct Curl_eas + gnutls_certificate_free_credentials(backend->cred); + + #ifdef HAVE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(backend->srp_client_cred); + #endif + +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2653,7 +2653,7 @@ static CURLcode ossl_connect_step1(struc + #endif + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_OPENSSL_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +@@ -2664,7 +2664,7 @@ static CURLcode ossl_connect_step1(struc + (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; +@@ -2914,15 +2914,15 @@ static CURLcode ossl_connect_step1(struc + #ifdef USE_OPENSSL_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_prima + { + if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_prima + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ Curl_safecmp(data->username, needle->username) && ++ Curl_safecmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++ dest->ssl_options = source->ssl_options; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_BLOB(cert_blob); + CLONE_BLOB(ca_info_blob); +@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); + CLONE_STRING(curves); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct + Curl_safefree(sslc->ca_info_blob); + Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -131,8 +131,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + bool acceptfail; /* used by the SFTP_QUOTE (continue if + quote command fails) */ +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -1996,13 +1996,13 @@ static CURLcode nss_setup_connect(struct + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(primary.clientcert)) { +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 975094f4fa795..b60b9cac50d4f 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + const char * const hostname = SSL_HOST_NAME(); + #ifndef CURL_DISABLE_VERBOSE_STRINGS + const long int port = SSL_HOST_PORT(); diff --git a/backport-CVE-2022-32205.patch b/backport-CVE-2022-32205.patch new file mode 100644 index 0000000000000000000000000000000000000000..5353162d123187a0b0176db8eb121182257b2d4a --- /dev/null +++ b/backport-CVE-2022-32205.patch @@ -0,0 +1,159 @@ +From 631f95b7013ba017692d9512093746af93b4e327 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 19 May 2022 12:12:04 +0200 +Subject: [PATCH] cookie: apply limits + +- Send no more than 150 cookies per request +- Cap the max length used for a cookie: header to 8K +- Cap the max number of received Set-Cookie: headers to 50 +diff --git a/lib/cookie.c b/lib/cookie.c +index d418efa..51b3149 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -469,6 +469,10 @@ Curl_cookie_add(struct Curl_easy *data, + (void)data; + #endif + ++ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ ++ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) ++ return NULL; ++ + /* First, alloc and init a new struct for it */ + co = calloc(1, sizeof(struct Cookie)); + if(!co) +@@ -808,7 +812,7 @@ Curl_cookie_add(struct Curl_easy *data, + freecookie(co); + return NULL; + } +- ++ data->req.setcookies++; + } + else { + /* +@@ -1346,7 +1350,8 @@ static struct Cookie *dup_cookie(struct Cookie *src) + * + * It shall only return cookies that haven't expired. + */ +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, + const char *host, const char *path, + bool secure) + { +@@ -1401,6 +1406,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, + mainco = newco; + + matches++; ++ if(matches >= MAX_COOKIE_SEND_AMOUNT) { ++ infof(data, "Included max number of cookies (%u) in request!", ++ matches); ++ break; ++ } + } + else + goto fail; +diff --git a/lib/cookie.h b/lib/cookie.h +index 0ffe08e..7411980 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -81,10 +81,26 @@ struct CookieInfo { + */ + #define MAX_COOKIE_LINE 5000 + +-/* This is the maximum length of a cookie name or content we deal with: */ ++/* Maximum length of an incoming cookie name or content we deal with. Longer ++ cookies are ignored. */ + #define MAX_NAME 4096 + #define MAX_NAME_TXT "4095" + ++/* Maximum size for an outgoing cookie line libcurl will use in an http ++ request. This is the default maximum length used in some versions of Apache ++ httpd. */ ++#define MAX_COOKIE_HEADER_LEN 8190 ++ ++/* Maximum number of cookies libcurl will send in a single request, even if ++ there might be more cookies that match. One reason to cap the number is to ++ keep the maximum HTTP request within the maximum allowed size. */ ++#define MAX_COOKIE_SEND_AMOUNT 150 ++ ++/* Maximum number of Set-Cookie: lines accepted in a single response. If more ++ such header lines are received, they are ignored. This value must be less ++ than 256 since an unsigned char is used to count. */ ++#define MAX_SET_COOKIE_AMOUNT 50 ++ + struct Curl_easy; + /* + * Add a cookie to the internal list of cookies. The domain and path arguments +@@ -97,7 +113,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, + const char *domain, const char *path, + bool secure); + +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, const char *host, + const char *path, bool secure); + void Curl_cookie_freelist(struct Cookie *cookies); + void Curl_cookie_clearall(struct CookieInfo *cookies); +diff --git a/lib/http.c b/lib/http.c +index a07be0b..66c5645 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2706,12 +2706,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + } + + #if !defined(CURL_DISABLE_COOKIES) ++ + CURLcode Curl_http_cookies(struct Curl_easy *data, + struct connectdata *conn, + struct dynbuf *r) + { + CURLcode result = CURLE_OK; + char *addcookies = NULL; ++ bool linecap = FALSE; + if(data->set.str[STRING_COOKIE] && !Curl_checkheaders(data, "Cookie")) + addcookies = data->set.str[STRING_COOKIE]; + +@@ -2728,7 +2730,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + !strcmp(host, "127.0.0.1") || + !strcmp(host, "[::1]") ? TRUE : FALSE; + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); +- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, ++ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, + secure_context); + Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); + } +@@ -2742,6 +2744,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + if(result) + break; + } ++ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= ++ MAX_COOKIE_HEADER_LEN) { ++ infof(data, "Restricted outgoing cookies due to header size, " ++ "'%s' not sent", co->name); ++ linecap = TRUE; ++ break; ++ } + result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", + co->name, co->value); + if(result) +@@ -2752,7 +2761,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + } + Curl_cookie_freelist(store); + } +- if(addcookies && !result) { ++ if(addcookies && !result && !linecap) { + if(!count) + result = Curl_dyn_add(r, "Cookie: "); + if(!result) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 9bd31b7..7060844 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -707,6 +707,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char setcookies; + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding diff --git a/backport-CVE-2022-32206.patch b/backport-CVE-2022-32206.patch new file mode 100644 index 0000000000000000000000000000000000000000..4d8a47f4b88d4b97903d9d33d56e6aede7176c78 --- /dev/null +++ b/backport-CVE-2022-32206.patch @@ -0,0 +1,43 @@ +From 7035676c3daa4f1c3766095561f12e7a0e82c736 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH] content_encoding: return error on too many compression steps + +The max allowed steps is arbitrarily set to 5. +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +Index: curl-7.83.1/lib/content_encoding.c +=================================================================== +--- curl-7.83.1.orig/lib/content_encoding.c ++++ curl-7.83.1/lib/content_encoding.c +@@ -1026,12 +1026,16 @@ static const struct content_encoding *fi + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(str + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) diff --git a/backport-CVE-2022-32207.patch b/backport-CVE-2022-32207.patch new file mode 100644 index 0000000000000000000000000000000000000000..836cf16d209d7eed2ba0d83f738394e9c06f37a5 --- /dev/null +++ b/backport-CVE-2022-32207.patch @@ -0,0 +1,336 @@ +From 3782dfda5fc4f45a19b1ce1b01ecf7206a3d304a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH 1/3] fopen: add Curl_fopen() for better overwriting of files + +--- + lib/Makefile.inc | 2 + + lib/cookie.c | 19 ++------- + lib/fopen.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 28 +++++++++++++ + 4 files changed, 140 insertions(+), 15 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +Index: curl-7.81.0/lib/Makefile.inc +=================================================================== +--- curl-7.81.0.orig/lib/Makefile.inc ++++ curl-7.81.0/lib/Makefile.inc +@@ -131,6 +131,7 @@ LIB_CFILES = \ + escape.c \ + file.c \ + fileinfo.c \ ++ fopen.c \ + formdata.c \ + ftp.c \ + ftplistparser.c \ +@@ -263,6 +264,7 @@ LIB_HFILES = \ + escape.h \ + file.h \ + fileinfo.h \ ++ fopen.h \ + formdata.h \ + ftp.h \ + ftplistparser.h \ +Index: curl-7.81.0/lib/cookie.c +=================================================================== +--- curl-7.81.0.orig/lib/cookie.c ++++ curl-7.81.0/lib/cookie.c +@@ -96,8 +96,8 @@ Example set of cookies: + #include "curl_get_line.h" + #include "curl_memrchr.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1612,20 +1612,9 @@ static CURLcode cookie_output(struct Cur + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) { +- error = CURLE_WRITE_ERROR; ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) + goto error; +- } + } + + fputs("# Netscape HTTP Cookie File\n" +@@ -1672,7 +1661,7 @@ static CURLcode cookie_output(struct Cur + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + error = CURLE_WRITE_ERROR; + goto error; +Index: curl-7.81.0/lib/fopen.c +=================================================================== +--- /dev/null ++++ curl-7.81.0/lib/fopen.c +@@ -0,0 +1,106 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ ++ !defined(CURL_DISABLE_HSTS) ++ ++#ifdef HAVE_FCNTL_H ++#include ++#endif ++ ++#include "urldata.h" ++#include "rand.h" ++#include "fopen.h" ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" ++#include "memdebug.h" ++ ++/* ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed ++ * to the final name when completed. If there is an existing file using this ++ * name at the time of the open, this function will clone the mode from that ++ * file. if 'tempname' is non-NULL, it needs a rename after the file is ++ * written. ++ */ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname) ++{ ++ CURLcode result = CURLE_WRITE_ERROR; ++ unsigned char randsuffix[9]; ++ char *tempstore = NULL; ++ struct_stat sb, nsb; ++ int fd = -1; ++ *tempname = NULL; ++ ++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ /* a non-regular file, fallback to direct fopen() */ ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(*fh) ++ return CURLE_OK; ++ goto fail; ++ } ++ ++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ if(result) ++ goto fail; ++ ++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ if(!tempstore) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } ++ ++ result = CURLE_WRITE_ERROR; ++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); ++ if(fd == -1) ++ goto fail; ++ ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } ++ ++ *fh = fdopen(fd, FOPEN_WRITETEXT); ++ if(!*fh) ++ goto fail; ++ ++ *tempname = tempstore; ++ return CURLE_OK; ++ ++fail: ++ if(fd != -1) { ++ close(fd); ++ unlink(tempstore); ++ } ++ ++ free(tempstore); ++ ++ *tempname = NULL; ++ return result; ++} ++ ++#endif /* ! disabled */ +Index: curl-7.81.0/lib/fopen.h +=================================================================== +--- /dev/null ++++ curl-7.81.0/lib/fopen.h +@@ -0,0 +1,28 @@ ++#ifndef HEADER_CURL_FOPEN_H ++#define HEADER_CURL_FOPEN_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif +Index: curl-7.81.0/lib/altsvc.c +=================================================================== +--- curl-7.81.0.orig/lib/altsvc.c ++++ curl-7.81.0/lib/altsvc.c +@@ -34,7 +34,7 @@ + #include "parsedate.h" + #include "sendf.h" + #include "warnless.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + + /* The last 3 #include files should be in this order */ +@@ -329,8 +329,7 @@ CURLcode Curl_altsvc_save(struct Curl_ea + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!altsvc) + /* no cache activated */ +@@ -344,17 +343,8 @@ CURLcode Curl_altsvc_save(struct Curl_ea + /* marked as read-only, no file or zero length file name */ + return CURLE_OK; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your alt-svc cache. https://curl.se/docs/alt-svc.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -366,10 +356,10 @@ CURLcode Curl_altsvc_save(struct Curl_ea + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); +Index: curl-7.81.0/lib/hsts.c +=================================================================== +--- curl-7.81.0.orig/lib/hsts.c ++++ curl-7.81.0/lib/hsts.c +@@ -35,7 +35,7 @@ + #include "sendf.h" + #include "strtoofft.h" + #include "parsedate.h" +-#include "rand.h" ++#include "fopen.h" + #include "rename.h" + #include "strtoofft.h" + +@@ -334,8 +334,7 @@ CURLcode Curl_hsts_save(struct Curl_easy + struct Curl_llist_element *n; + CURLcode result = CURLE_OK; + FILE *out; +- char *tempstore; +- unsigned char randsuffix[9]; ++ char *tempstore = NULL; + + if(!h) + /* no cache activated */ +@@ -349,17 +348,8 @@ CURLcode Curl_hsts_save(struct Curl_easy + /* marked as read-only, no file or zero length file name */ + goto skipsave; + +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return CURLE_FAILED_INIT; +- +- tempstore = aprintf("%s.%s.tmp", file, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) +- result = CURLE_WRITE_ERROR; +- else { ++ result = Curl_fopen(data, file, &out, &tempstore); ++ if(!result) { + fputs("# Your HSTS cache. https://curl.se/docs/hsts.html\n" + "# This file was generated by libcurl! Edit at your own risk.\n", + out); +@@ -371,10 +361,10 @@ CURLcode Curl_hsts_save(struct Curl_easy + break; + } + fclose(out); +- if(!result && Curl_rename(tempstore, file)) ++ if(!result && tempstore && Curl_rename(tempstore, file)) + result = CURLE_WRITE_ERROR; + +- if(result) ++ if(result && tempstore) + unlink(tempstore); + } + free(tempstore); diff --git a/backport-CVE-2022-32208.patch b/backport-CVE-2022-32208.patch new file mode 100644 index 0000000000000000000000000000000000000000..6158851bc4207756fe41d5c5a9d2105213776ffd --- /dev/null +++ b/backport-CVE-2022-32208.patch @@ -0,0 +1,60 @@ +From 4c3f77e871820d055a5f6c4cd7a6ac47a7f3877d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +--- + lib/krb5.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +Index: curl-7.81.0/lib/krb5.c +=================================================================== +--- curl-7.81.0.orig/lib/krb5.c ++++ curl-7.81.0/lib/krb5.c +@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, i + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +@@ -512,6 +509,7 @@ static CURLcode read_data(struct connect + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -520,7 +518,10 @@ static CURLcode read_data(struct connect + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -528,8 +529,11 @@ static CURLcode read_data(struct connect + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + buf->index = 0; + return CURLE_OK; + } diff --git a/backport-CVE-2022-32221.patch b/backport-CVE-2022-32221.patch new file mode 100644 index 0000000000000000000000000000000000000000..b20637292ef449a35ed716f864b1033504be9dd7 --- /dev/null +++ b/backport-CVE-2022-32221.patch @@ -0,0 +1,28 @@ +From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:22:45 +0200 +Subject: [PATCH] setopt: when POST is set, reset the 'upload' field + +Reported-by: RobBotic1 on github +Fixes #9507 +Closes #9511 + +Conflict: NA +Reference: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9 + +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 03c4efdbf1e58..7289a4e78bdd0 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: diff --git a/backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch b/backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch new file mode 100644 index 0000000000000000000000000000000000000000..58c4031eb2a0222385007dd8a73a1a4ed5e18789 --- /dev/null +++ b/backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch @@ -0,0 +1,68 @@ +From 8dfc93e573ca740544a2d79ebb0ed786592c65c3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH] cookie: reject cookies with "control bytes" + +Rejects 0x01 - 0x1f (except 0x09) plus 0x7f + +Reported-by: Axel Chong + +Bug: https://curl.se/docs/CVE-2022-35252.html + +CVE-2022-35252 + +Closes #9381 +--- + lib/cookie.c | 29 +++++++++++++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 5a4d9e9..ab790a1 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -442,6 +442,30 @@ static bool bad_domain(const char *domain) + } + + /* ++ RFC 6265 section 4.1.1 says a server should accept this range: ++ ++ cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E ++ ++ But Firefox and Chrome as of June 2022 accept space, comma and double-quotes ++ fine. The prime reason for filtering out control bytes is that some HTTP ++ servers return 400 for requests that contain such. ++*/ ++static int invalid_octets(const char *p) ++{ ++ /* Reject all bytes \x01 - \x1f (*except* \x09, TAB) + \x7f */ ++ static const char badoctets[] = { ++ "\x01\x02\x03\x04\x05\x06\x07\x08\x0a" ++ "\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14" ++ "\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f" ++ }; ++ size_t vlen, len; ++ /* scan for all the octets that are *not* in cookie-octet */ ++ len = strcspn(p, badoctets); ++ vlen = strlen(p); ++ return (len != vlen); ++} ++ ++/* + * Curl_cookie_add + * + * Add a single cookie line to the cookie keeping object. Be aware that +@@ -595,6 +619,11 @@ Curl_cookie_add(struct Curl_easy *data, + badcookie = TRUE; + break; + } ++ if(invalid_octets(whatptr) || invalid_octets(name)) { ++ infof(data, "invalid octets in name/value, cookie dropped"); ++ badcookie = TRUE; ++ break; ++ } + } + else if(!len) { + /* +-- +1.8.3.1 + diff --git a/backport-CVE-2022-42915.patch b/backport-CVE-2022-42915.patch new file mode 100644 index 0000000000000000000000000000000000000000..eb49b16923f18366b7228447b528bb49e52662e0 --- /dev/null +++ b/backport-CVE-2022-42915.patch @@ -0,0 +1,157 @@ +From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 14:13:36 +0200 +Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error + +Reported-by: Trail of Bits + +Closes #9790 + +Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89 +Signed-off-by: Kamil Dudka + +Conflict: context adapt +Reference:https://src.fedoraproject.org/rpms/curl/blob/f35/f/0017-curl-7.82.0-CVE-2022-42915.patch +--- + lib/http_proxy.c | 6 ++---- + lib/url.c | 9 --------- + 2 files changed, 2 insertion(+), 13 deletions(-) + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index 1f87f6c..cc20b3a 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -207,10 +207,8 @@ static void connect_done(struct Curl_easy *data) + Curl_dyn_free(&s->rcvbuf); + Curl_dyn_free(&s->req); + +- /* restore the protocol pointer, if not already done */ +- if(s->prot_save) +- data->req.p.http = s->prot_save; +- s->prot_save = NULL; ++ /* restore the protocol pointer */ ++ data->req.p.http = s->prot_save; + infof(data, "CONNECT phase completed!"); + } + } +diff --git a/lib/url.c b/lib/url.c +index bfc784f..61c99d2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -735,15 +735,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) + DEBUGASSERT(data); + infof(data, "Closing connection %ld", conn->connection_id); + +-#ifndef USE_HYPER +- if(conn->connect_state && conn->connect_state->prot_save) { +- /* If this was closed with a CONNECT in progress, cleanup this temporary +- struct arrangement */ +- data->req.p.http = NULL; +- Curl_safefree(conn->connect_state->prot_save); +- } +-#endif +- + /* possible left-overs from the async name resolvers */ + Curl_resolver_cancel(data); + +-- +2.37.3 + + +From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 14:14:25 +0200 +Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and + fix + +Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8 +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.inc | 2 +- + tests/data/test445 | 61 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 62 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test445 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 1f774ce..f79b63e 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ + test418 \ +-test430 test431 test432 test433 test434 test435 test446\ ++test430 test431 test432 test433 test434 test435 test445 test446\ + \ + test490 test491 test492 test493 test494 \ + \ +diff --git a/tests/data/test445 b/tests/data/test445 +new file mode 100644 +index 0000000..0406c0f +--- /dev/null ++++ b/tests/data/test445 +@@ -0,0 +1,61 @@ ++ ++ ++ ++HTTP ++HTTP proxy ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 503 no just no ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Accept-Ranges: bytes ++Content-Length: 6 ++Connection: close ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++gopher ++dict ++http ++ftp ++imap ++ldap ++mqtt ++pop3 ++rtsp ++scp ++sftp ++smb ++smtp ++ ++ ++http-proxy ++ ++ ++Refuse tunneling protocols through HTTP proxy ++ ++ ++-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++# refused in the CONNECT ++ ++56 ++ ++ ++ +-- +2.33.0 + diff --git a/backport-CVE-2022-42916.patch b/backport-CVE-2022-42916.patch new file mode 100644 index 0000000000000000000000000000000000000000..2321e32a256960bb306aa1f3ccefc56bac528f36 --- /dev/null +++ b/backport-CVE-2022-42916.patch @@ -0,0 +1,135 @@ +From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 12 Oct 2022 10:47:59 +0200 +Subject: [PATCH] url: use IDN decoded names for HSTS checks + +Reported-by: Hiroki Kurosawa + +Closes #9791 + +Conflict: Context adaptation +Reference: https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7 + +--- + lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- + 1 file changed, 47 insertions(+), 44 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index a3be56bced9de..690c53c81a3c1 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2036,10 +2036,56 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + if(!strcasecompare("file", data->state.up.scheme)) + return CURLE_OUT_OF_MEMORY; + } ++ hostname = data->state.up.hostname; ++ ++ if(hostname && hostname[0] == '[') { ++ /* This looks like an IPv6 address literal. See if there is an address ++ scope. */ ++ size_t hlen; ++ conn->bits.ipv6_ip = TRUE; ++ /* cut off the brackets! */ ++ hostname++; ++ hlen = strlen(hostname); ++ hostname[hlen - 1] = 0; ++ ++ zonefrom_url(uh, data, conn); ++ } ++ ++ /* make sure the connect struct gets its own copy of the host name */ ++ conn->host.rawalloc = strdup(hostname ? hostname : ""); ++ if(!conn->host.rawalloc) ++ return CURLE_OUT_OF_MEMORY; ++ conn->host.name = conn->host.rawalloc; ++ ++ /************************************************************* ++ * IDN-convert the hostnames ++ *************************************************************/ ++ result = Curl_idnconvert_hostname(data, &conn->host); ++ if(result) ++ return result; ++ if(conn->bits.conn_to_host) { ++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); ++ if(result) ++ return result; ++ } ++#ifndef CURL_DISABLE_PROXY ++ if(conn->bits.httpproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); ++ if(result) ++ return result; ++ } ++ if(conn->bits.socksproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); ++ if(result) ++ return result; ++ } ++#endif + + #ifndef CURL_DISABLE_HSTS ++ /* HSTS upgrade */ + if(data->hsts && strcasecompare("http", data->state.up.scheme)) { +- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { ++ /* This MUST use the IDN decoded name */ ++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { + char *url; + Curl_safefree(data->state.up.scheme); + uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); +@@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + + (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); + +- hostname = data->state.up.hostname; +- if(hostname && hostname[0] == '[') { +- /* This looks like an IPv6 address literal. See if there is an address +- scope. */ +- size_t hlen; +- conn->bits.ipv6_ip = TRUE; +- /* cut off the brackets! */ +- hostname++; +- hlen = strlen(hostname); +- hostname[hlen - 1] = 0; +- +- zonefrom_url(uh, data, conn); +- } +- +- /* make sure the connect struct gets its own copy of the host name */ +- conn->host.rawalloc = strdup(hostname ? hostname : ""); +- if(!conn->host.rawalloc) +- return CURLE_OUT_OF_MEMORY; +- conn->host.name = conn->host.rawalloc; +- + if(data->set.scope_id) + /* Override any scope that was set above. */ + conn->scope_id = data->set.scope_id; +@@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data, + if(result) + goto out; + +- /************************************************************* +- * IDN-convert the hostnames +- *************************************************************/ +- result = Curl_idnconvert_hostname(data, &conn->host); +- if(result) +- goto out; +- if(conn->bits.conn_to_host) { +- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); +- if(result) +- goto out; +- } +-#ifndef CURL_DISABLE_PROXY +- if(conn->bits.httpproxy) { +- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); +- if(result) +- goto out; +- } +- if(conn->bits.socksproxy) { +- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); +- if(result) +- goto out; +- } +-#endif + + /************************************************************* + * Check whether the host and the "connect to host" are equal. diff --git a/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch b/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch new file mode 100644 index 0000000000000000000000000000000000000000..da5b110da4e6122fab01104130ae127a1c031ea5 --- /dev/null +++ b/backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch @@ -0,0 +1,32 @@ +From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:36:55 +0100 +Subject: [PATCH 1/2] http: use the IDN decoded name in HSTS checks + +Otherwise it stores the info HSTS into the persistent cache for the IDN +name which will not match when the HSTS status is later checked for +using the decoded name. + +Reported-by: Hiroki Kurosawa + +Closes #10111 +--- + lib/http.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index 85528a221..a784745a8 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3646,7 +3646,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, + else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) && + (conn->handler->flags & PROTOPT_SSL)) { + CURLcode check = +- Curl_hsts_parse(data->hsts, data->state.up.hostname, ++ Curl_hsts_parse(data->hsts, conn->host.name, + headp + strlen("Strict-Transport-Security:")); + if(check) + infof(data, "Illegal STS header skipped"); +-- +2.33.0 + diff --git a/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch new file mode 100644 index 0000000000000000000000000000000000000000..92690b06d80157a16ebf242ff1acca9b2f70008c --- /dev/null +++ b/backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch @@ -0,0 +1,78 @@ +From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH 2/2] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 2cfe041df..48d5a2fe0 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -58,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -101,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -936,14 +934,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 24d3f1efb..22bc81e75 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + +-- +2.33.0 + diff --git a/backport-CVE-2023-27533.patch b/backport-CVE-2023-27533.patch new file mode 100644 index 0000000000000000000000000000000000000000..cb70bcdf8df0635357a2db88c780300bb7e49db3 --- /dev/null +++ b/backport-CVE-2023-27533.patch @@ -0,0 +1,52 @@ +From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 +--- + lib/telnet.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -768,6 +768,17 @@ static void printsub(struct Curl_easy *d + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct Curl_easy *data) + { + struct curl_slist *head; +@@ -782,6 +793,8 @@ static CURLcode check_telnet_options(str + /* Add the user name as an environment variable if it + was given on the command line */ + if(conn->bits.user_passwd) { ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; + msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); + beg = curl_slist_append(tn->telnet_vars, option_arg); + if(!beg) { +@@ -797,6 +810,9 @@ static CURLcode check_telnet_options(str + if(sscanf(head->data, "%127[^= ]%*[ =]%255s", + option_keyword, option_arg) == 2) { + ++ if(str_is_nonascii(option_arg)) ++ continue; ++ + /* Terminal type */ + if(strcasecompare(option_keyword, "TTYPE")) { + strncpy(tn->subopt_ttype, option_arg, 31); diff --git a/backport-CVE-2023-27534-pre1.patch b/backport-CVE-2023-27534-pre1.patch new file mode 100644 index 0000000000000000000000000000000000000000..93fde316df6ed1b912d60d842314c44029956099 --- /dev/null +++ b/backport-CVE-2023-27534-pre1.patch @@ -0,0 +1,33 @@ +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 +From: Eric Vigeant +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 +--- + lib/curl_path.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -69,10 +69,14 @@ CURLcode Curl_getworkingpath(struct Curl + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++ real_path[homelen] = '/'; ++ homelen++; ++ real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, ++ memcpy(real_path + homelen, working_path + 3, + 1 + working_path_len -3); + } + } diff --git a/backport-CVE-2023-27534.patch b/backport-CVE-2023-27534.patch new file mode 100644 index 0000000000000000000000000000000000000000..b5d006207492103b16818bc7313c51ee57bf8c62 --- /dev/null +++ b/backport-CVE-2023-27534.patch @@ -0,0 +1,118 @@ +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH] curl_path: create the new path with dynbuf + +Closes #10729 +--- + lib/curl_path.c | 75 +++++++++++++++++++++++-------------------------- + 1 file changed, 35 insertions(+), 40 deletions(-) + +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -30,70 +30,65 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct Curl_easy *data, + char *homedir, /* when SFTP is used */ + char **path) /* returns the allocated + real path to work with */ + { +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + Curl_urldecode(data, data->state.up.path, 0, &working_path, + &working_path_len, REJECT_ZERO); + if(result) + return result; + ++ /* new path to switch to in case we need to */ ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); ++ + /* Check for /~/, indicating relative to the user's home directory */ +- if(data->conn->handler->protocol & CURLPROTO_SCP) { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { ++ /* It is referenced to the home directory, so strip the leading '/~/' */ ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) +- /* It is referenced to the home directory, so strip the leading '/~/' */ +- memcpy(real_path, working_path + 3, working_path_len - 2); +- else +- memcpy(real_path, working_path, 1 + working_path_len); + } +- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { +- size_t homelen = strlen(homedir); +- real_path = malloc(homelen + working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- /* It is referenced to the home directory, so strip the +- leading '/' */ +- memcpy(real_path, homedir, homelen); +- /* Only add a trailing '/' if homedir does not end with one */ +- if(homelen == 0 || real_path[homelen - 1] != '/') { +- real_path[homelen] = '/'; +- homelen++; +- real_path[homelen] = '\0'; +- } +- if(working_path_len > 3) { +- memcpy(real_path + homelen, working_path + 3, +- 1 + working_path_len -3); +- } ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ if(Curl_dyn_add(&npath, homedir)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } diff --git a/backport-CVE-2023-27535-pre1.patch b/backport-CVE-2023-27535-pre1.patch new file mode 100644 index 0000000000000000000000000000000000000000..8852620f770ab0e6425eb0c34b87c09a091dd764 --- /dev/null +++ b/backport-CVE-2023-27535-pre1.patch @@ -0,0 +1,177 @@ +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 6 Oct 2022 00:49:10 +0200 +Subject: [PATCH] strcase: add and use Curl_timestrcmp + +This is a strcmp() alternative function for comparing "secrets", +designed to take the same time no matter the content to not leak +match/non-match info to observers based on how fast it is. + +The time this function takes is only a function of the shortest input +string. + +Reported-by: Trail of Bits + +Closes #9658 +--- + lib/netrc.c | 6 +++--- + lib/strcase.c | 22 ++++++++++++++++++++++ + lib/strcase.h | 1 + + lib/url.c | 34 +++++++++++++--------------------- + lib/vauth/digest_sspi.c | 4 ++-- + lib/vtls/vtls.c | 4 ++-- + 6 files changed, 43 insertions(+), 28 deletions(-) + +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -140,9 +140,9 @@ static int parsenetrc(const char *host, + /* we are now parsing sub-keywords concerning "our" host */ + if(state_login) { + if(specific_login) { +- state_our_login = strcasecompare(login, tok); ++ state_our_login = !Curl_timestrcmp(login, tok); + } +- else if(!login || strcmp(login, tok)) { ++ else if(!login || Curl_timestrcmp(login, tok)) { + if(login_alloc) { + free(login); + login_alloc = FALSE; +@@ -158,7 +158,7 @@ static int parsenetrc(const char *host, + } + else if(state_password) { + if((state_our_login || !specific_login) +- && (!password || strcmp(password, tok))) { ++ && (!password || Curl_timestrcmp(password, tok))) { + if(password_alloc) { + free(password); + password_alloc = FALSE; +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -261,6 +261,28 @@ bool Curl_safecmp(char *a, char *b) + return !a && !b; + } + ++/* ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++ while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++ break; ++ i++; ++ } ++ } ++ else ++ return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -49,5 +49,6 @@ void Curl_strntoupper(char *dest, const + void Curl_strntolower(char *dest, const char *src, size_t n); + + bool Curl_safecmp(char *a, char *b); ++int Curl_timestrcmp(const char *first, const char *second); + + #endif /* HEADER_CURL_STRCASE_H */ +--- a/lib/url.c ++++ b/lib/url.c +@@ -946,19 +946,10 @@ socks_proxy_info_matches(const struct pr + /* the user information is case-sensitive + or at least it is not defined as case-insensitive + see https://tools.ietf.org/html/rfc3986#section-3.2.1 */ +- if(!data->user != !needle->user) +- return FALSE; +- /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->user && +- needle->user && +- strcmp(data->user, needle->user) != 0) +- return FALSE; +- if(!data->passwd != !needle->passwd) +- return FALSE; ++ + /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->passwd && +- needle->passwd && +- strcmp(data->passwd, needle->passwd) != 0) ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) + return FALSE; + return TRUE; + } +@@ -1357,10 +1348,10 @@ ConnectionExists(struct Curl_easy *data, + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd) || +- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || +- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd) || ++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || ++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -1436,8 +1427,8 @@ ConnectionExists(struct Curl_easy *data, + possible. (Especially we must not reuse the same connection if + partway through a handshake!) */ + if(wantNTLMhttp) { +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd)) { + + /* we prefer a credential match, but this is at least a connection + that can be reused and "upgraded" to NTLM */ +@@ -1459,8 +1450,10 @@ ConnectionExists(struct Curl_easy *data, + if(!check->http_proxy.user || !check->http_proxy.passwd) + continue; + +- if(strcmp(needle->http_proxy.user, check->http_proxy.user) || +- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) ++ if(Curl_timestrcmp(needle->http_proxy.user, ++ check->http_proxy.user) || ++ Curl_timestrcmp(needle->http_proxy.passwd, ++ check->http_proxy.passwd)) + continue; + } + else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { +--- a/lib/vauth/digest_sspi.c ++++ b/lib/vauth/digest_sspi.c +@@ -429,8 +429,8 @@ CURLcode Curl_auth_create_digest_http_me + has changed then delete that context. */ + if((userp && !digest->user) || (!userp && digest->user) || + (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || +- (userp && digest->user && strcmp(userp, digest->user)) || +- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { ++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || ++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { + if(digest->http_context) { + s_pSecFn->DeleteSecurityContext(digest->http_context); + Curl_safefree(digest->http_context); +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -146,8 +146,8 @@ Curl_ssl_config_matches(struct ssl_prima + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && + #ifdef USE_TLS_SRP +- Curl_safecmp(data->username, needle->username) && +- Curl_safecmp(data->password, needle->password) && ++ !Curl_timestrcmp(data->username, needle->username) && ++ !Curl_timestrcmp(data->password, needle->password) && + (data->authtype == needle->authtype) && + #endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && diff --git a/backport-CVE-2023-27535.patch b/backport-CVE-2023-27535.patch new file mode 100644 index 0000000000000000000000000000000000000000..864a8808a804d37e717ba1cd3c1d99c266c0b61c --- /dev/null +++ b/backport-CVE-2023-27535.patch @@ -0,0 +1,164 @@ +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 +--- + lib/ftp.c | 28 ++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 17 +++++++++++++++-- + lib/urldata.h | 4 ++-- + 5 files changed, 49 insertions(+), 7 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 0b9c9b7..57c7778 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4094,6 +4094,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, + } + + freedirs(ftpc); ++ Curl_safefree(ftpc->account); ++ Curl_safefree(ftpc->alternative_to_user); + Curl_safefree(ftpc->prevpath); + Curl_safefree(ftpc->server_os); + Curl_pp_disconnect(pp); +@@ -4354,11 +4356,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + { + char *type; + struct FTP *ftp; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(NULL == ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ data->req.p.ftp = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=" that +@@ -4393,7 +4415,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + /* get some initial data into the ftp struct */ + ftp->transfer = PPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return CURLE_OK; + } +diff --git a/lib/ftp.h b/lib/ftp.h +index 1cfdac0..afca25b 100644 +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -115,6 +115,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char *file; /* url-decoded file name (or path) */ + char **dirs; /* realloc()ed array for path components */ +@@ -144,6 +146,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. */ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/lib/setopt.c b/lib/setopt.c +index f6eb3bc..e47c415 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2321,7 +2321,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/lib/url.c b/lib/url.c +index c2e1b11..7720eef 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1344,11 +1344,24 @@ ConnectionExists(struct Curl_easy *data, + (check->httpversion >= 20) && + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; +- +- if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/urldata.h b/lib/urldata.h +index 39605f5..7852bd3 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1747,8 +1747,6 @@ struct UserDefined { + enum CURL_NETRC_OPTION + use_netrc; /* defined in include/curl.h */ + #endif +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + long new_file_perms; /* Permissions to use when creating remote files */ + long new_directory_perms; /* Permissions to use when creating remote dirs */ + long ssh_auth_types; /* allowed SSH auth types */ +@@ -1872,6 +1870,8 @@ struct UserDefined { + BIT(http09_allowed); /* allow HTTP/0.9 responses */ + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + }; + + struct Names { +-- +2.33.0 + diff --git a/backport-CVE-2023-27536.patch b/backport-CVE-2023-27536.patch new file mode 100644 index 0000000000000000000000000000000000000000..911edecd6024459c4a61c70f300fab5b48350aaa --- /dev/null +++ b/backport-CVE-2023-27536.patch @@ -0,0 +1,44 @@ +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Reported-by: Harry Sintonen +Closes #10731 +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -1357,6 +1357,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + /* If multiplexing isn't enabled on the h2 connection and h1 is + explicitly requested, handle it: */ + if((needle->handler->protocol & PROTO_FAMILY_HTTP) && +@@ -1814,6 +1819,7 @@ static struct connectdata *allocate_conn + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1130,6 +1130,7 @@ struct connectdata { + int socks5_gssapi_enctype; + #endif + unsigned short localport; ++ long gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ diff --git a/backport-CVE-2023-27538.patch b/backport-CVE-2023-27538.patch new file mode 100644 index 0000000000000000000000000000000000000000..ea3bf8fa5a7daa9a6869500b02c39be7f41235b9 --- /dev/null +++ b/backport-CVE-2023-27538.patch @@ -0,0 +1,22 @@ +From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 10 Mar 2023 08:22:51 +0100 +Subject: [PATCH] url: fix the SSH connection reuse check + +Reported-by: Harry Sintonen +Closes #10735 +--- + lib/url.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/url.c ++++ b/lib/url.c +@@ -1373,7 +1373,7 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } diff --git a/backport-CVE-2023-28321.patch b/backport-CVE-2023-28321.patch new file mode 100644 index 0000000000000000000000000000000000000000..8f1b9548c826dfe5662de3baefa98845a52022c7 --- /dev/null +++ b/backport-CVE-2023-28321.patch @@ -0,0 +1,172 @@ +From 97fe40da79ac0d28d13a68f2c8181d18b8ff0ef8 Mon Sep 17 00:00:00 2001 +From: s00423892 +Date: Fri, 19 May 2023 18:02:52 +0800 +Subject: [PATCH] [Backport]curl:fix CVE-2023-28321 + +Conflict:The hostmatch function does not have the hostlen and patternlen parameters. +However, the two parameters are the lengths of the existing input parameters host and pattern, +which can be generated. +Reference:https://github.com/curl/curl/commit/199f2d440d8659b42 + +Signed-off-by: shichenchen shichenchen@huawei.com +--- + lib/hostcheck.c | 104 +++++++++++++++++++++++++----------------------- + 1 file changed, 55 insertions(+), 49 deletions(-) + +diff --git a/lib/hostcheck.c b/lib/hostcheck.c +index cf267a7..e055958 100644 +--- a/lib/hostcheck.c ++++ b/lib/hostcheck.c +@@ -33,6 +33,7 @@ + #ifdef HAVE_NETINET_IN6_H + #include + #endif ++#include "curl_memrchr.h" + + #include "hostcheck.h" + #include "strcase.h" +@@ -42,13 +43,23 @@ + /* The last #include file should be: */ + #include "memdebug.h" + ++/* check the two input strings with given length, but do not ++ assume they end in nul-bytes */ ++static bool pmatch(const char *hostname, size_t hostlen, ++ const char *pattern, size_t patternlen) ++{ ++ if(hostlen != patternlen) ++ return FALSE; ++ return strncasecompare(hostname, pattern, hostlen); ++} ++ + /* + * Match a hostname against a wildcard pattern. + * E.g. + * "foo.host.com" matches "*.host.com". + * + * We use the matching rule described in RFC6125, section 6.4.3. +- * https://tools.ietf.org/html/rfc6125#section-6.4.3 ++ * https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3 + * + * In addition: ignore trailing dots in the host names and wildcards, so that + * the names are used normalized. This is what the browsers do. +@@ -58,65 +69,58 @@ + * apparent distinction between a name and an IP. We need to detect the use of + * an IP address and not wildcard match on such names. + * +- * NOTE: hostmatch() gets called with copied buffers so that it can modify the +- * contents at will. ++ * Only match on "*" being used for the leftmost label, not "a*", "a*b" nor ++ * "*b". ++ * ++ * Return TRUE on a match. FALSE if not. ++ * ++ * @unittest: 1397 + */ + +-static int hostmatch(char *hostname, char *pattern) ++static bool hostmatch(const char *hostname, ++ size_t hostlen, ++ const char *pattern, ++ size_t patternlen) + { +- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end; +- int wildcard_enabled; +- size_t prefixlen, suffixlen; ++ const char *pattern_label_end; ++ ++ DEBUGASSERT(pattern); ++ DEBUGASSERT(patternlen); ++ DEBUGASSERT(hostname); ++ DEBUGASSERT(hostlen); + + /* normalize pattern and hostname by stripping off trailing dots */ +- size_t len = strlen(hostname); +- if(hostname[len-1]=='.') +- hostname[len-1] = 0; +- len = strlen(pattern); +- if(pattern[len-1]=='.') +- pattern[len-1] = 0; +- +- pattern_wildcard = strchr(pattern, '*'); +- if(!pattern_wildcard) +- return strcasecompare(pattern, hostname) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++ if(hostname[hostlen-1]=='.') ++ hostlen--; ++ if(pattern[patternlen-1]=='.') ++ patternlen--; ++ ++ if(strncmp(pattern, "*.", 2)) ++ return pmatch(hostname, hostlen, pattern, patternlen); + + /* detect IP address as hostname and fail the match if so */ +- if(Curl_host_is_ipnum(hostname)) +- return CURL_HOST_NOMATCH; ++ else if(Curl_host_is_ipnum(hostname)) ++ return FALSE; + +- /* We require at least 2 dots in pattern to avoid too wide wildcard ++ /* We require at least 2 dots in the pattern to avoid too wide wildcard + match. */ +- wildcard_enabled = 1; +- pattern_label_end = strchr(pattern, '.'); +- if(!pattern_label_end || strchr(pattern_label_end + 1, '.') == NULL || +- pattern_wildcard > pattern_label_end || +- strncasecompare(pattern, "xn--", 4)) { +- wildcard_enabled = 0; ++ pattern_label_end = memchr(pattern, '.', patternlen); ++ if(!pattern_label_end || ++ (memrchr(pattern, '.', patternlen) == pattern_label_end)) ++ return pmatch(hostname, hostlen, pattern, patternlen); ++ else { ++ const char *hostname_label_end = memchr(hostname, '.', hostlen); ++ if(hostname_label_end) { ++ size_t skiphost = hostname_label_end - hostname; ++ size_t skiplen = pattern_label_end - pattern; ++ return pmatch(hostname_label_end, hostlen - skiphost, ++ pattern_label_end, patternlen - skiplen); ++ } + } +- if(!wildcard_enabled) +- return strcasecompare(pattern, hostname) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; +- +- hostname_label_end = strchr(hostname, '.'); +- if(!hostname_label_end || +- !strcasecompare(pattern_label_end, hostname_label_end)) +- return CURL_HOST_NOMATCH; +- +- /* The wildcard must match at least one character, so the left-most +- label of the hostname is at least as large as the left-most label +- of the pattern. */ +- if(hostname_label_end - hostname < pattern_label_end - pattern) +- return CURL_HOST_NOMATCH; +- +- prefixlen = pattern_wildcard - pattern; +- suffixlen = pattern_label_end - (pattern_wildcard + 1); +- return strncasecompare(pattern, hostname, prefixlen) && +- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen, +- suffixlen) ? +- CURL_HOST_MATCH : CURL_HOST_NOMATCH; ++ return FALSE; + } + ++ + int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) + { + int res = 0; +@@ -128,7 +132,9 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname) + if(matchp) { + char *hostp = strdup(hostname); + if(hostp) { +- if(hostmatch(hostp, matchp) == CURL_HOST_MATCH) ++ size_t hostlen = strlen(hostp); ++ size_t matchlen = strlen(matchp); ++ if(hostmatch(hostp, hostlen, matchp, matchlen) == TRUE) + res = 1; + free(hostp); + } +-- +2.27.0 + diff --git a/backport-CVE-2023-28322.patch b/backport-CVE-2023-28322.patch new file mode 100644 index 0000000000000000000000000000000000000000..5adf6ec34ba13b4a5c8f91698a227e74881456a7 --- /dev/null +++ b/backport-CVE-2023-28322.patch @@ -0,0 +1,428 @@ +From 7815647d6582c0a4900be2e1de6c5e61272c496b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 25 Apr 2023 08:28:01 +0200 +Subject: [PATCH] lib: unify the upload/method handling + +By making sure we set state.upload based on the set.method value and not +independently as set.upload, we reduce confusion and mixup risks, both +internally and externally. + +Closes #11017 + +Conflict:Context adaptation and delete modifications for code which not exit +Reference:https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de +--- + lib/curl_rtmp.c | 4 ++-- + lib/file.c | 4 ++-- + lib/ftp.c | 8 ++++---- + lib/http.c | 4 ++-- + lib/imap.c | 6 +++--- + lib/rtsp.c | 4 ++-- + lib/setopt.c | 6 ++---- + lib/smb.c | 4 ++-- + lib/smtp.c | 4 ++-- + lib/tftp.c | 8 ++++---- + lib/transfer.c | 4 ++-- + lib/urldata.h | 2 +- + lib/vssh/libssh.c | 6 +++--- + lib/vssh/libssh2.c | 6 +++--- + lib/vssh/wolfssh.c | 2 +- + 15 files changed, 35 insertions(+), 37 deletions(-) + +diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c +index 2fa0267..c42c07e 100644 +--- a/lib/curl_rtmp.c ++++ b/lib/curl_rtmp.c +@@ -229,7 +229,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done) + /* We have to know if it's a write before we send the + * connect request packet + */ +- if(data->set.upload) ++ if(data->state.upload) + r->Link.protocol |= RTMP_FEATURE_WRITE; + + /* For plain streams, use the buffer toggle trick to keep data flowing */ +@@ -261,7 +261,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done) + if(!RTMP_ConnectStream(r, 0)) + return CURLE_FAILED_INIT; + +- if(data->set.upload) { ++ if(data->state.upload) { + Curl_pgrsSetUploadSize(data, data->state.infilesize); + Curl_setup_transfer(data, -1, -1, FALSE, FIRSTSOCKET); + } +diff --git a/lib/file.c b/lib/file.c +index 0420db3..f15fe71 100644 +--- a/lib/file.c ++++ b/lib/file.c +@@ -200,7 +200,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done) + file->freepath = real_path; /* free this when done */ + + file->fd = fd; +- if(!data->set.upload && (fd == -1)) { ++ if(!data->state.upload && (fd == -1)) { + failf(data, "Couldn't open file %s", data->state.up.path); + file_done(data, CURLE_FILE_COULDNT_READ_FILE, FALSE); + return CURLE_FILE_COULDNT_READ_FILE; +@@ -382,7 +382,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) + + Curl_pgrsStartNow(data); + +- if(data->set.upload) ++ if(data->state.upload) + return file_upload(data); + + file = data->req.p.file; +diff --git a/lib/ftp.c b/lib/ftp.c +index f2f6852..6b9cd22 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -1381,7 +1381,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data) + data->set.str[STRING_CUSTOMREQUEST]? + data->set.str[STRING_CUSTOMREQUEST]: + (data->state.list_only?"NLST":"LIST")); +- else if(data->set.upload) ++ else if(data->state.upload) + result = Curl_pp_sendf(data, &ftpc->pp, "PRET STOR %s", + conn->proto.ftpc.file); + else +@@ -3371,7 +3371,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status, + /* the response code from the transfer showed an error already so no + use checking further */ + ; +- else if(data->set.upload) { ++ else if(data->state.upload) { + if((-1 != data->state.infilesize) && + (data->state.infilesize != data->req.writebytecount) && + !data->set.crlf && +@@ -3643,7 +3643,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep) + connected back to us */ + } + } +- else if(data->set.upload) { ++ else if(data->state.upload) { + result = ftp_nb_type(data, conn, data->state.prefer_ascii, + FTP_STOR_TYPE); + if(result) +@@ -4225,7 +4225,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) + ftpc->file = NULL; /* instead of point to a zero byte, + we make it a NULL pointer */ + +- if(data->set.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { ++ if(data->state.upload && !ftpc->file && (ftp->transfer == PPTRANSFER_BODY)) { + /* We need a file name when uploading. Return error! */ + failf(data, "Uploading to a URL without a file name!"); + free(rawPath); +diff --git a/lib/http.c b/lib/http.c +index 9ac77a0..e5a3eb0 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2037,7 +2037,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, + Curl_HttpReq httpreq = data->state.httpreq; + const char *request; + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +- data->set.upload) ++ data->state.upload) + httpreq = HTTPREQ_PUT; + + /* Now set the 'request' pointer to the proper request string */ +@@ -2353,7 +2353,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn, + if((conn->handler->protocol & PROTO_FAMILY_HTTP) && + (((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) && + http->postsize < 0) || +- ((data->set.upload || httpreq == HTTPREQ_POST) && ++ ((data->state.upload || httpreq == HTTPREQ_POST) && + data->state.infilesize == -1))) { + if(conn->bits.authneg) + /* don't enable chunked during auth neg */ +diff --git a/lib/imap.c b/lib/imap.c +index 6163899..5e3bb14 100644 +--- a/lib/imap.c ++++ b/lib/imap.c +@@ -1490,11 +1490,11 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && !imap->custom && +- (imap->uid || imap->mindex || data->set.upload || ++ (imap->uid || imap->mindex || data->state.upload || + data->set.mimepost.kind != MIMEKIND_NONE)) { + /* Handle responses after FETCH or APPEND transfer has finished */ + +- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE) ++ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE) + state(data, IMAP_FETCH_FINAL); + else { + /* End the APPEND command first by sending an empty line */ +@@ -1560,7 +1560,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected, + selected = TRUE; + + /* Start the first command in the DO phase */ +- if(data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE) ++ if(data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE) + /* APPEND can be executed directly */ + result = imap_perform_append(data); + else if(imap->custom && (selected || !imap->mailbox)) +diff --git a/lib/rtsp.c b/lib/rtsp.c +index 30fefb9..fd902bf 100644 +--- a/lib/rtsp.c ++++ b/lib/rtsp.c +@@ -508,7 +508,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + rtspreq == RTSPREQ_SET_PARAMETER || + rtspreq == RTSPREQ_GET_PARAMETER) { + +- if(data->set.upload) { ++ if(data->state.upload) { + putsize = data->state.infilesize; + data->state.httpreq = HTTPREQ_PUT; + +@@ -527,7 +527,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) + result = + Curl_dyn_addf(&req_buffer, + "Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n", +- (data->set.upload ? putsize : postsize)); ++ (data->state.upload ? putsize : postsize)); + if(result) + return result; + } +diff --git a/lib/setopt.c b/lib/setopt.c +index e47c415..ebfa539 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -299,8 +299,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + * We want to sent data to the remote host. If this is HTTP, that equals + * using the PUT request. + */ +- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE; +- if(data->set.upload) { ++ arg = va_arg(param, long); ++ if(arg) { + /* If this is HTTP, PUT is what's needed to "upload" */ + data->set.method = HTTPREQ_PUT; + data->set.opt_no_body = FALSE; /* this is implied */ +@@ -630,7 +630,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: +@@ -878,7 +877,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + */ + if(va_arg(param, long)) { + data->set.method = HTTPREQ_GET; +- data->set.upload = FALSE; /* switch off upload */ + data->set.opt_no_body = FALSE; /* this is implied */ + } + break; +diff --git a/lib/smb.c b/lib/smb.c +index 1c458a3..d3b6e7c 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -534,7 +534,7 @@ static CURLcode smb_send_open(struct Curl_easy *data) + byte_count = strlen(req->path); + msg.name_length = smb_swap16((unsigned short)byte_count); + msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL); +- if(data->set.upload) { ++ if(data->state.upload) { + msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE); + msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF); + } +@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + smb_m = (const struct smb_nt_create_response*) msg; + req->fid = smb_swap16(smb_m->fid); + data->req.offset = 0; +- if(data->set.upload) { ++ if(data->state.upload) { + data->req.size = data->state.infilesize; + Curl_pgrsSetUploadSize(data, data->req.size); + next_state = SMB_UPLOAD; +diff --git a/lib/smtp.c b/lib/smtp.c +index 02ddaca..1ea0ab5 100644 +--- a/lib/smtp.c ++++ b/lib/smtp.c +@@ -1390,7 +1390,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status, + result = status; /* use the already set error code */ + } + else if(!data->set.connect_only && data->set.mail_rcpt && +- (data->set.upload || data->set.mimepost.kind)) { ++ (data->state.upload || data->set.mimepost.kind)) { + /* Calculate the EOB taking into account any terminating CRLF from the + previous line of the email or the CRLF of the DATA command when there + is "no mail data". RFC-5321, sect. 4.1.1.4. +@@ -1483,7 +1483,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected, + smtp->eob = 2; + + /* Start the first command in the DO phase */ +- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt) ++ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt) + /* MAIL transfer */ + result = smtp_perform_mail(data); + else +diff --git a/lib/tftp.c b/lib/tftp.c +index aae997d..cf6189a 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -367,7 +367,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state, + + /* tsize should be ignored on upload: Who cares about the size of the + remote file? */ +- if(!data->set.upload) { ++ if(!data->state.upload) { + if(!tsize) { + failf(data, "invalid tsize -:%s:- value in OACK packet", value); + return CURLE_TFTP_ILLEGAL; +@@ -448,7 +448,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + return result; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + /* If we are uploading, send an WRQ */ + setpacketevent(&state->spacket, TFTP_EVENT_WRQ); + state->data->req.upload_fromhere = +@@ -483,7 +483,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + if(!data->set.tftp_no_options) { + char buf[64]; + /* add tsize option */ +- if(data->set.upload && (data->state.infilesize != -1)) ++ if(data->state.upload && (data->state.infilesize != -1)) + msnprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T, + data->state.infilesize); + else +@@ -537,7 +537,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state, + break; + + case TFTP_EVENT_OACK: +- if(data->set.upload) { ++ if(data->state.upload) { + result = tftp_connect_for_tx(state, event); + } + else { +diff --git a/lib/transfer.c b/lib/transfer.c +index 970ef35..9b5a7ed 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1391,6 +1391,7 @@ void Curl_init_CONNECT(struct Curl_easy *data) + { + data->state.fread_func = data->set.fread_func_set; + data->state.in = data->set.in_set; ++ data->state.upload = (data->state.httpreq == HTTPREQ_PUT); + } + + /* +@@ -1814,7 +1815,6 @@ CURLcode Curl_follow(struct Curl_easy *data, + data->state.httpreq != HTTPREQ_POST_MIME) || + !(data->set.keep_post & CURL_REDIR_POST_303))) { + data->state.httpreq = HTTPREQ_GET; +- data->set.upload = false; + infof(data, "Switch to %s", + data->set.opt_no_body?"HEAD":"GET"); + } +@@ -1852,7 +1852,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url) + + /* if we're talking upload, we can't do the checks below, unless the protocol + is HTTP as when uploading over HTTP we will still get a response */ +- if(data->set.upload && ++ if(data->state.upload && + !(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP))) + return CURLE_OK; + +diff --git a/lib/urldata.h b/lib/urldata.h +index 7852bd3..8b6e87b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1485,6 +1485,7 @@ struct UrlState { + BIT(url_alloc); /* URL string is malloc()'ed */ + BIT(referer_alloc); /* referer string is malloc()ed */ + BIT(wildcard_resolve); /* Set to true if any resolve change is a wildcard */ ++ BIT(upload); /* upload request */ + }; + + /* +@@ -1827,7 +1828,6 @@ struct UserDefined { + BIT(http_auto_referer); /* set "correct" referer when following + location: */ + BIT(opt_no_body); /* as set with CURLOPT_NOBODY */ +- BIT(upload); /* upload request */ + BIT(verbose); /* output verbosity */ + BIT(krb); /* Kerberos connection requested */ + BIT(reuse_forbid); /* forbidden to be reused, close after use */ +diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c +index 3e317e8..a871134 100644 +--- a/lib/vssh/libssh.c ++++ b/lib/vssh/libssh.c +@@ -1198,7 +1198,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(protop->path[strlen(protop->path)-1] == '/') +@@ -1811,7 +1811,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + /* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */ + ssh_set_blocking(sshc->ssh_session, 1); + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -1916,7 +1916,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c +index a772f1f..c5b1bc6 100644 +--- a/lib/vssh/libssh2.c ++++ b/lib/vssh/libssh2.c +@@ -1839,7 +1839,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + } + + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sshp->path[strlen(sshp->path)-1] == '/') +@@ -2511,7 +2511,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + } + +- if(data->set.upload) { ++ if(data->state.upload) { + if(data->state.infilesize < 0) { + failf(data, "SCP requires a known file size for upload"); + sshc->actualcode = CURLE_UPLOAD_FAILED; +@@ -2651,7 +2651,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) + break; + + case SSH_SCP_DONE: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SCP_SEND_EOF); + else + state(data, SSH_SCP_CHANNEL_FREE); +diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c +index 4b1e2ec..4ab21ae 100644 +--- a/lib/vssh/wolfssh.c ++++ b/lib/vssh/wolfssh.c +@@ -553,7 +553,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block) + } + break; + case SSH_SFTP_TRANS_INIT: +- if(data->set.upload) ++ if(data->state.upload) + state(data, SSH_SFTP_UPLOAD_INIT); + else { + if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/') +-- +2.33.0 + diff --git a/backport-CVE-2023-32001.patch b/backport-CVE-2023-32001.patch new file mode 100644 index 0000000000000000000000000000000000000000..8827596e1ebe30f9eddf3f1e7f1bcc7b395c7896 --- /dev/null +++ b/backport-CVE-2023-32001.patch @@ -0,0 +1,37 @@ +From 0c667188e0c6cda615a036b8a2b4125f2c404dde Mon Sep 17 00:00:00 2001 +From: SaltyMilk +Date: Mon, 10 Jul 2023 21:43:28 +0200 +Subject: [PATCH] fopen: optimize + +Closes #11419 +--- + lib/fopen.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/fopen.c b/lib/fopen.c +index c9c9e3d6e..b6e3caddd 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -56,13 +56,13 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + int fd = -1; + *tempname = NULL; + +- if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { +- /* a non-regular file, fallback to direct fopen() */ +- *fh = fopen(filename, FOPEN_WRITETEXT); +- if(*fh) +- return CURLE_OK; ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(!*fh) + goto fail; +- } ++ if(fstat(fileno(*fh), &sb) == -1 || !S_ISREG(sb.st_mode)) ++ return CURLE_OK; ++ fclose(*fh); ++ *fh = NULL; + + result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); + if(result) +-- +2.33.0 + diff --git a/backport-CVE-2023-38545.patch b/backport-CVE-2023-38545.patch new file mode 100644 index 0000000000000000000000000000000000000000..76098491c93a471b3a5320170399e30f89250d43 --- /dev/null +++ b/backport-CVE-2023-38545.patch @@ -0,0 +1,137 @@ +From e478fb5f5f2e26e2b060a51939dd2746041459ab Mon Sep 17 00:00:00 2001 +From: Jay Satiro +Date: Mon, 9 Oct 2023 16:34:27 -0400 +Subject: [PATCH] socks: return error if hostname too long for remote resolve + +Prior to this change the state machine attempted to change the remote +resolve to a local resolve if the hostname was longer than 255 +characters. Unfortunately that did not work as intended and caused a +security issue. + +This patch applies to curl versions 7.78.0 - 7.80.0. Other versions +that are affected take a different patch. Refer to the CVE advisory +for more information. + +Bug: https://curl.se/docs/CVE-2023-38545.html +--- + lib/socks.c | 8 +++--- + tests/data/Makefile.inc | 2 +- + tests/data/test728 | 67 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 72 insertions(+), 5 deletions(-) + create mode 100644 tests/data/test728 + +diff --git a/lib/socks.c b/lib/socks.c +index 91c4223..222660c 100644 +--- a/lib/socks.c ++++ b/lib/socks.c +@@ -535,9 +535,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, + + /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ + if(!socks5_resolve_local && hostname_len > 255) { +- infof(data, "SOCKS5: server resolving disabled for hostnames of " +- "length > 255 [actual len=%zu]", hostname_len); +- socks5_resolve_local = TRUE; ++ failf(data, "SOCKS5: the destination hostname is too long to be " ++ "resolved remotely by the proxy."); ++ return CURLPX_LONG_HOSTNAME; + } + + if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) +@@ -857,7 +857,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, + + if(!socks5_resolve_local) { + socksreq[len++] = 3; /* ATYP: domain name = 3 */ +- socksreq[len++] = (char) hostname_len; /* one byte address length */ ++ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ + memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */ + len += hostname_len; + infof(data, "SOCKS5 connect to %s:%d (remotely resolved)", +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 1636969..1067005 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -94,7 +94,7 @@ test670 test671 test672 test673 test674 test675 test676 test677 test678 \ + \ + test700 test701 test702 test703 test704 test705 test706 test707 test708 \ + test709 test710 test711 test712 test713 test714 test715 test716 test717 \ +-test718 \ ++test718 test728 \ + \ + test800 test801 test802 test803 test804 test805 test806 test807 test808 \ + test809 test810 test811 test812 test813 test814 test815 test816 test817 \ +diff --git a/tests/data/test728 b/tests/data/test728 +new file mode 100644 +index 0000000..8673613 +--- /dev/null ++++ b/tests/data/test728 +@@ -0,0 +1,67 @@ ++ ++ ++ ++HTTP ++HTTP GET ++SOCKS5 ++SOCKS5h ++followlocation ++ ++ ++ ++# ++# Server-side ++ ++# The hostname in this redirect is 256 characters and too long (> 255) for ++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. ++ ++HTTP/1.1 301 Moved Permanently ++Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ ++Content-Length: 0 ++Connection: close ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++proxy ++ ++ ++http ++socks5 ++ ++ ++SOCKS5h with HTTP redirect to hostname too long ++ ++ ++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++s/\r\n$/\n/ ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++97 ++ ++# the error message is verified because error code CURLE_PROXY (97) may be ++# returned for any number of reasons and we need to make sure it is ++# specifically for the reason below so that we know the check is working. ++ ++curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. ++ ++ ++ +-- +2.7.4 + diff --git a/backport-CVE-2023-38546.patch b/backport-CVE-2023-38546.patch new file mode 100644 index 0000000000000000000000000000000000000000..dc1501b2de5f92101bb0f890dbea19ada4b0c693 --- /dev/null +++ b/backport-CVE-2023-38546.patch @@ -0,0 +1,126 @@ +From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 14 Sep 2023 23:28:32 +0200 +Subject: [PATCH] cookie: remove unnecessary struct fields + +Plus: reduce the hash table size from 256 to 63. It seems unlikely to +make much of a speed difference for most use cases but saves 1.5KB of +data per instance. + +Closes #11862 + +Backported by: Samuel Henrique + +--- + lib/cookie.c | 13 +------------ + lib/cookie.h | 13 ++++--------- + lib/easy.c | 4 +--- + 3 files changed, 6 insertions(+), 24 deletions(-) + +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -115,7 +115,6 @@ + free(co->name); + free(co->value); + free(co->maxage); +- free(co->version); + free(co); + } + +@@ -666,11 +665,7 @@ + } + } + else if(strcasecompare("version", name)) { +- strstore(&co->version, whatptr); +- if(!co->version) { +- badcookie = TRUE; +- break; +- } ++ /* just ignore */ + } + else if(strcasecompare("max-age", name)) { + /* +@@ -1091,7 +1086,6 @@ + free(clist->path); + free(clist->spath); + free(clist->expirestr); +- free(clist->version); + free(clist->maxage); + + *clist = *co; /* then store all the new data */ +@@ -1169,9 +1163,6 @@ + c = calloc(1, sizeof(struct CookieInfo)); + if(!c) + return NULL; /* failed to get memory */ +- c->filename = strdup(file?file:"none"); /* copy the name just in case */ +- if(!c->filename) +- goto fail; /* failed to get memory */ + /* + * Initialize the next_expiration time to signal that we don't have enough + * information yet. +@@ -1322,7 +1313,6 @@ + CLONE(name); + CLONE(value); + CLONE(maxage); +- CLONE(version); + d->expires = src->expires; + d->tailmatch = src->tailmatch; + d->secure = src->secure; +@@ -1532,7 +1522,6 @@ + { + if(c) { + unsigned int i; +- free(c->filename); + for(i = 0; i < COOKIE_HASH_SIZE; i++) + Curl_cookie_freelist(c->cookies[i]); + free(c); /* free the base struct as well */ +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -34,11 +34,7 @@ + char *domain; /* domain = */ + curl_off_t expires; /* expires = */ + char *expirestr; /* the plain text version */ +- +- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ +- char *version; /* Version = */ + char *maxage; /* Max-Age = */ +- + bool tailmatch; /* whether we do tail-matching of the domain name */ + bool secure; /* whether the 'secure' keyword was used */ + bool livecookie; /* updated from a server, not a stored file */ +@@ -54,18 +50,17 @@ + #define COOKIE_PREFIX__SECURE (1<<0) + #define COOKIE_PREFIX__HOST (1<<1) + +-#define COOKIE_HASH_SIZE 256 ++#define COOKIE_HASH_SIZE 63 + + struct CookieInfo { + /* linked list of cookies we know of */ + struct Cookie *cookies[COOKIE_HASH_SIZE]; + +- char *filename; /* file we read from/write to */ +- long numcookies; /* number of cookies in the "jar" */ ++ curl_off_t next_expiration; /* the next time at which expiration happens */ ++ int numcookies; /* number of cookies in the "jar" */ ++ int lastct; /* last creation-time used in the jar */ + bool running; /* state info, for cookie adding information */ + bool newsession; /* new session, discard session cookies on load */ +- int lastct; /* last creation-time used in the jar */ +- curl_off_t next_expiration; /* the next time at which expiration happens */ + }; + + /* This is the maximum line length we accept for a cookie line. RFC 2109 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -848,9 +848,7 @@ + if(data->cookies) { + /* If cookies are enabled in the parent handle, we enable them + in the clone as well! */ +- outcurl->cookies = Curl_cookie_init(data, +- data->cookies->filename, +- outcurl->cookies, ++ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, + data->set.cookiesession); + if(!outcurl->cookies) + goto fail; diff --git a/backport-Curl_connect_done-handle-being-called-twice.patch b/backport-Curl_connect_done-handle-being-called-twice.patch new file mode 100644 index 0000000000000000000000000000000000000000..a660c3c49e7fb4873293382999842cef29f4249e --- /dev/null +++ b/backport-Curl_connect_done-handle-being-called-twice.patch @@ -0,0 +1,38 @@ +From b89a4b5191e8471acca14d7de904213b0aa20125 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 12 Nov 2021 13:34:49 +0100 +Subject: [PATCH 1/1] Curl_connect_done: handle being called twice + +Follow-up to f0b7099a10d1a7c + +When torture testing 1021, it turns out the Curl_connect_done function +might be called twice and that previously then wrongly cleared the HTTP +pointer in the second invoke. + +Closes #7999 + +Conflict:context adapt +Reference:https://github.com/curl/curl/commit/b89a4b5191e8471acca14d7de904213b0aa20125 +--- + lib/http_proxy.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index cfe616fa6..2555b401a 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -207,8 +207,9 @@ void Curl_connect_done(struct Curl_easy *data) + Curl_dyn_free(&s->rcvbuf); + Curl_dyn_free(&s->req); + +- /* retore the protocol pointer */ +- data->req.p.http = s->prot_save; ++ /* restore the protocol pointer, if not already done */ ++ if(s->prot_save) ++ data->req.p.http = s->prot_save; + s->prot_save = NULL; + infof(data, "CONNECT phase completed!"); + } +-- +2.33.0 + diff --git a/backport-after-CVE-2022-32207-to-fix-build-error-when-user-don-t-use-glibc.patch b/backport-after-CVE-2022-32207-to-fix-build-error-when-user-don-t-use-glibc.patch new file mode 100644 index 0000000000000000000000000000000000000000..0e46ad5e8edc3dbe2eae3df5c25902206deea883 --- /dev/null +++ b/backport-after-CVE-2022-32207-to-fix-build-error-when-user-don-t-use-glibc.patch @@ -0,0 +1,111 @@ +From 20f9dd6bae50b7223171b17ba7798946e74f877f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files + backport to fix build error when user don't use glibc +--- + CMakeLists.txt | 1 + + configure.ac | 1 + + lib/curl_config.h.cmake | 3 +++ + lib/fopen.c | 19 +++++++++++++------ + lib/fopen.h | 2 ++ + 5 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index d8084de..3a64f02 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1013,6 +1013,7 @@ elseif(HAVE_LIBSOCKET) + set(CMAKE_REQUIRED_LIBRARIES socket) + endif() + ++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) + check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) + check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) + check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) +diff --git a/configure.ac b/configure.ac +index 152b047..245a731 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3320,6 +3320,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se + + + AC_CHECK_FUNCS([fnmatch \ ++ fchmod \ + geteuid \ + getpass_r \ + getppid \ +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake +index 4ef4883..7bd563b 100644 +--- a/lib/curl_config.h.cmake ++++ b/lib/curl_config.h.cmake +@@ -157,6 +157,9 @@ + /* Define to 1 if you have the header file. */ + #cmakedefine HAVE_ASSERT_H 1 + ++/* Define to 1 if you have the `fchmod' function. */ ++#cmakedefine HAVE_FCHMOD 1 ++ + /* Define to 1 if you have the `basename' function. */ + #cmakedefine HAVE_BASENAME 1 + +diff --git a/lib/fopen.c b/lib/fopen.c +index 94b87f5..ad3691b 100644 +--- a/lib/fopen.c ++++ b/lib/fopen.c +@@ -18,6 +18,8 @@ + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * ++ * SPDX-License-Identifier: curl ++ * + ***************************************************************************/ + + #include "curl_setup.h" +@@ -50,7 +52,7 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + CURLcode result = CURLE_WRITE_ERROR; + unsigned char randsuffix[9]; + char *tempstore = NULL; +- struct_stat sb, nsb; ++ struct_stat sb; + int fd = -1; + *tempname = NULL; + +@@ -77,12 +79,17 @@ CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, + if(fd == -1) + goto fail; + +- if((fstat(fd, &nsb) != -1) && +- (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { +- /* if the user and group are the same, clone the original mode */ +- if(fchmod(fd, sb.st_mode) == -1) +- goto fail; ++#ifdef HAVE_FCHMOD ++ { ++ struct_stat nsb; ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } + } ++#endif + + *fh = fdopen(fd, FOPEN_WRITETEXT); + if(!*fh) +diff --git a/lib/fopen.h b/lib/fopen.h +index 1020f3c..289e55f 100644 +--- a/lib/fopen.h ++++ b/lib/fopen.h +@@ -20,6 +20,8 @@ + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * ++ * SPDX-License-Identifier: curl ++ * + ***************************************************************************/ + + CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, +-- +2.39.1 diff --git a/backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch b/backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch new file mode 100644 index 0000000000000000000000000000000000000000..b73395d1da8b1e496d0e82eadb6d23e8b72eeb72 --- /dev/null +++ b/backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch @@ -0,0 +1,95 @@ +From b6acbdeb6375c9552fd4b04d5ab38422ed25fbaf Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 10 Jan 2022 11:51:16 +0100 +Subject: [PATCH] curl tool: erase some more sensitive command line arguments + +As the ps command may reveal sensitive command line info, obfuscate +options --tlsuser, --tlspasswd, --proxy-tlsuser, --proxy-tlspassword and +--oauth2-bearer arguments. + +Reported-by: Stephen Boost + +Closes #7964 +--- + src/tool_getparam.c | 35 ++++++++++++++++++++++------------- + 1 file changed, 22 insertions(+), 13 deletions(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 7abbcc639..223214b0a 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -669,6 +669,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + break; + case 'B': /* OAuth 2.0 bearer token */ + GetStr(&config->oauth_bearer, nextarg); ++ cleanarg(nextarg); + config->authtype |= CURLAUTH_BEARER; + break; + case 'c': /* connect-timeout */ +@@ -1617,16 +1618,20 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + GetStr(&config->crlfile, nextarg); + break; + case 'k': /* TLS username */ +- if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) +- GetStr(&config->tls_username, nextarg); +- else ++ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) { ++ cleanarg(nextarg); + return PARAM_LIBCURL_DOESNT_SUPPORT; ++ } ++ GetStr(&config->tls_username, nextarg); ++ cleanarg(nextarg); + break; + case 'l': /* TLS password */ +- if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) +- GetStr(&config->tls_password, nextarg); +- else ++ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) { ++ cleanarg(nextarg); + return PARAM_LIBCURL_DOESNT_SUPPORT; ++ } ++ GetStr(&config->tls_password, nextarg); ++ cleanarg(nextarg); + break; + case 'm': /* TLS authentication type */ + if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) { +@@ -1687,17 +1692,21 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + break; + + case 'u': /* TLS username for proxy */ +- if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) +- GetStr(&config->proxy_tls_username, nextarg); +- else ++ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) { ++ cleanarg(nextarg); + return PARAM_LIBCURL_DOESNT_SUPPORT; ++ } ++ GetStr(&config->proxy_tls_username, nextarg); ++ cleanarg(nextarg); + break; + + case 'v': /* TLS password for proxy */ +- if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) +- GetStr(&config->proxy_tls_password, nextarg); +- else ++ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) { ++ cleanarg(nextarg); + return PARAM_LIBCURL_DOESNT_SUPPORT; ++ } ++ GetStr(&config->proxy_tls_password, nextarg); ++ cleanarg(nextarg); + break; + + case 'w': /* TLS authentication type for proxy */ +-- +2.33.0 + diff --git a/backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch b/backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch new file mode 100644 index 0000000000000000000000000000000000000000..0df8382b27b8ce8ffda29b23f72303473a0f7bcf --- /dev/null +++ b/backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch @@ -0,0 +1,36 @@ +From 11a46d6d66c32e4be7015aca92008d979f8b90a2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 10 Nov 2021 08:41:51 +0100 +Subject: [PATCH] curl_easy_cleanup.3: remove from multi handle first + +Easy handles that are used by the multi interface should be removed from +the multi handle before they are cleaned up. + +Reported-by: Stephen M. Coakley +Ref: #7982 +Closes #7983 + +Conflict:context adapt +Reference:https://github.com/curl/curl/commit/f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b +--- + docs/libcurl/curl_easy_cleanup.3 | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/docs/libcurl/curl_easy_cleanup.3 b/docs/libcurl/curl_easy_cleanup.3 +index 3c3425624..c62f4e073 100644 +--- a/docs/libcurl/curl_easy_cleanup.3 ++++ b/docs/libcurl/curl_easy_cleanup.3 +@@ -47,6 +47,10 @@ Any use of the \fBhandle\fP after this function has been called and have + returned, is illegal. \fIcurl_easy_cleanup(3)\fP kills the handle and all + memory associated with it! + ++To close an easy handle that has been used with the multi interface, make sure ++to call \fIcurl_multi_remove_handle(3)\fP first to remove it from the multi ++handle before it is closed. ++ + Passing in a NULL pointer in \fIhandle\fP will make this function return + immediately with no action. + .SH "OLD TIMES" +-- +2.33.0 + diff --git a/backport-fix-configure-disable-http-auth-build-error.patch b/backport-fix-configure-disable-http-auth-build-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..baceeaa4e3c972c491d75c0f274134ae9894149d --- /dev/null +++ b/backport-fix-configure-disable-http-auth-build-error.patch @@ -0,0 +1,62 @@ +From d7b970e46ba29a7e558e21d19f485977ffed6266 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 29 Apr 2022 22:56:47 +0200 +Subject: [PATCH] http: move Curl_allow_auth_to_host() + +It was mistakenly put within the CURL_DISABLE_HTTP_AUTH #ifdef + +Reported-by: Michael Olbrich +Fixes #8772 +Closes #8775 +--- + lib/http.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 0d5c449bc72a2..b215307dcaaa0 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) + return result; + } + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data) ++{ ++ struct connectdata *conn = data->conn; ++ return (!data->state.this_is_a_follow || ++ data->set.allow_auth_to_other_hosts || ++ (data->state.first_host && ++ strcasecompare(data->state.first_host, conn->host.name) && ++ (data->state.first_remote_port == conn->remote_port) && ++ (data->state.first_remote_protocol == conn->handler->protocol))); ++} ++ + #ifndef CURL_DISABLE_HTTP_AUTH + /* + * Output the correct authentication header depending on the auth type +@@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data, + return CURLE_OK; + } + +-/* +- * Curl_allow_auth_to_host() tells if authentication, cookies or other +- * "sensitive data" can (still) be sent to this host. +- */ +-bool Curl_allow_auth_to_host(struct Curl_easy *data) +-{ +- struct connectdata *conn = data->conn; +- return (!data->state.this_is_a_follow || +- data->set.allow_auth_to_other_hosts || +- (data->state.first_host && +- strcasecompare(data->state.first_host, conn->host.name) && +- (data->state.first_remote_port == conn->remote_port) && +- (data->state.first_remote_protocol == conn->handler->protocol))); +-} +- + /** + * Curl_http_output_auth() setups the authentication headers for the + * host/proxy and the correct authentication diff --git a/backport-getparam-correctly-clean-args.patch b/backport-getparam-correctly-clean-args.patch new file mode 100644 index 0000000000000000000000000000000000000000..2f9c0b7015af3263538200529b18cf96c8f243a2 --- /dev/null +++ b/backport-getparam-correctly-clean-args.patch @@ -0,0 +1,107 @@ +From 5b059ba8954c6dcf305ff4def77fe394c7b57401 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 30 Aug 2022 23:40:19 +0200 +Subject: [PATCH] getparam: correctly clean args + +Follow-up to bf7e887b2442783ab52 + +The previous fix for #9128 was incomplete and caused #9397. + +Fixes #9397 +Closes #9399 +--- + src/tool_getparam.c | 15 ++++++++------- + src/tool_getparam.h | 1 - + src/tool_parsecfg.c | 2 +- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index f2ad91c19..e6c6a273d 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -558,7 +558,6 @@ static void cleanarg(argv_item_t str) + + ParameterError getparameter(const char *flag, /* f or -long-flag */ + char *nextarg, /* NULL if unset */ +- argv_item_t clearthis, + bool *usedarg, /* set to TRUE if the arg + has been used */ + struct GlobalConfig *global, +@@ -576,7 +575,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + ParameterError err; + bool toggle = TRUE; /* how to switch boolean options, on or off. Controlled + by using --OPTION or --no-OPTION */ +- (void)clearthis; /* for !HAVE_WRITABLE_ARGV builds */ ++#ifdef HAVE_WRITABLE_ARGV ++ argv_item_t clearthis = NULL; ++#endif + *usedarg = FALSE; /* default is that we don't use the arg */ + + if(('-' != flag[0]) || ('-' == flag[1])) { +@@ -652,6 +653,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + /* this option requires an extra parameter */ + if(!longopt && parse[1]) { + nextarg = (char *)&parse[1]; /* this is the actual extra parameter */ ++#ifdef HAVE_WRITABLE_ARGV ++ clearthis = nextarg; ++#endif + singleopt = TRUE; /* don't loop anymore after this */ + } + else if(!nextarg) +@@ -2443,17 +2447,15 @@ ParameterError parse_args(struct GlobalConfig *global, int argc, + stillflags = FALSE; + else { + char *nextarg = NULL; +- argv_item_t clear = NULL; + if(i < (argc - 1)) { + nextarg = curlx_convert_tchar_to_UTF8(argv[i + 1]); + if(!nextarg) { + curlx_unicodefree(orig_opt); + return PARAM_NO_MEM; + } +- clear = argv[i + 1]; + } + +- result = getparameter(orig_opt, nextarg, clear, &passarg, ++ result = getparameter(orig_opt, nextarg, &passarg, + global, config); + curlx_unicodefree(nextarg); + config = global->last; +@@ -2492,8 +2494,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc, + bool used; + + /* Just add the URL please */ +- result = getparameter("--url", orig_opt, NULL, &used, global, +- config); ++ result = getparameter("--url", orig_opt, &used, global, config); + } + + if(!result) +diff --git a/src/tool_getparam.h b/src/tool_getparam.h +index 0564518a6..3eb177391 100644 +--- a/src/tool_getparam.h ++++ b/src/tool_getparam.h +@@ -55,7 +55,6 @@ struct GlobalConfig; + struct OperationConfig; + + ParameterError getparameter(const char *flag, char *nextarg, +- argv_item_t clearthis, + bool *usedarg, + struct GlobalConfig *global, + struct OperationConfig *operation); +diff --git a/src/tool_parsecfg.c b/src/tool_parsecfg.c +index 34eb5daa9..a166757f8 100644 +--- a/src/tool_parsecfg.c ++++ b/src/tool_parsecfg.c +@@ -223,7 +223,7 @@ int parseconfig(const char *filename, struct GlobalConfig *global) + #ifdef DEBUG_CONFIG + fprintf(stderr, "PARAM: \"%s\"\n",(param ? param : "(null)")); + #endif +- res = getparameter(option, param, NULL, &usedarg, global, operation); ++ res = getparameter(option, param, &usedarg, global, operation); + operation = global->last; + + if(!res && param && *param && !usedarg) +-- +2.33.0 + diff --git a/backport-hostcheck-fix-host-name-wildcard-checking.patch b/backport-hostcheck-fix-host-name-wildcard-checking.patch new file mode 100644 index 0000000000000000000000000000000000000000..ea928289caa40184b88610b967a31e13c1e12986 --- /dev/null +++ b/backport-hostcheck-fix-host-name-wildcard-checking.patch @@ -0,0 +1,192 @@ +From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 24 Apr 2023 21:07:02 +0200 +Subject: [PATCH] hostcheck: fix host name wildcard checking + +The leftmost "label" of the host name can now only match against single +'*'. Like the browsers have worked for a long time. + +- extended unit test 1397 for this +- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc + +Reported-by: Hiroki Kurosawa +Closes #11018 +--- + tests/data/test1397 | 10 ++-- + tests/unit/unit1397.c | 120 +++++++++++++++++++++++++++------------- + 2 files changed, 85 insertions(+), 45 deletions(-) + +diff --git a/tests/data/test1397 b/tests/data/test1397 +index 84f962a..f31b2c2 100644 +--- a/tests/data/test1397 ++++ b/tests/data/test1397 +@@ -2,8 +2,7 @@ + + + unittest +-ssl +-wildcard ++Curl_cert_hostcheck + + + +@@ -16,9 +15,8 @@ none + + unittest + +- +-Check wildcard certificate matching function Curl_cert_hostcheck +- ++ ++Curl_cert_hostcheck unit tests ++ + +- + +diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c +index 508f41a..89ff957 100644 +--- a/tests/unit/unit1397.c ++++ b/tests/unit/unit1397.c +@@ -21,8 +21,6 @@ + ***************************************************************************/ + #include "curlcheck.h" + +-#include "hostcheck.h" /* from the lib dir */ +- + static CURLcode unit_setup(void) + { + return CURLE_OK; +@@ -30,50 +28,92 @@ static CURLcode unit_setup(void) + + static void unit_stop(void) + { +- /* done before shutting down and exiting */ + } + +-UNITTEST_START +- + /* only these backends define the tested functions */ +-#if defined(USE_OPENSSL) || defined(USE_GSKIT) +- +- /* here you start doing things and checking that the results are good */ ++#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL) ++#include "hostcheck.h" ++struct testcase { ++ const char *host; ++ const char *pattern; ++ bool match; ++}; + +-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"), +- "good 1"); +-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"), +- "good 2"); +-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"), +- "good 3"); +-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"), +- "good 4"); +-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"), +- "good 5"); ++static struct testcase tests[] = { ++ {"", "", FALSE}, ++ {"a", "", FALSE}, ++ {"", "b", FALSE}, ++ {"a", "b", FALSE}, ++ {"aa", "bb", FALSE}, ++ {"\xff", "\xff", TRUE}, ++ {"aa.aa.aa", "aa.aa.bb", FALSE}, ++ {"aa.aa.aa", "aa.aa.aa", TRUE}, ++ {"aa.aa.aa", "*.aa.bb", FALSE}, ++ {"aa.aa.aa", "*.aa.aa", TRUE}, ++ {"192.168.0.1", "192.168.0.1", TRUE}, ++ {"192.168.0.1", "*.168.0.1", FALSE}, ++ {"192.168.0.1", "*.0.1", FALSE}, ++ {"h.ello", "*.ello", FALSE}, ++ {"h.ello.", "*.ello", FALSE}, ++ {"h.ello", "*.ello.", FALSE}, ++ {"h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo", " *.e.llo", FALSE}, ++ {" h.e.llo", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo", TRUE}, ++ {"*.e.llo.", "*.e.llo", TRUE}, ++ {"************.e.llo.", "*.e.llo", TRUE}, ++ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ++ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" ++ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" ++ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" ++ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ++ ".e.llo.", "*.e.llo", TRUE}, ++ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE}, ++ {"h.e.llo.", "*.e.llo.", TRUE}, ++ {"h.e.llo", "*.e.llo.", TRUE}, ++ {".h.e.llo", "*.e.llo.", FALSE}, ++ {"h.e.llo", "*.*.llo.", FALSE}, ++ {"h.e.llo", "h.*.llo", FALSE}, ++ {"h.e.llo", "h.e.*", FALSE}, ++ {"hello", "*.ello", FALSE}, ++ {"hello", "**llo", FALSE}, ++ {"bar.foo.example.com", "*.example.com", FALSE}, ++ {"foo.example.com", "*.example.com", TRUE}, ++ {"baz.example.net", "b*z.example.net", FALSE}, ++ {"foobaz.example.net", "*baz.example.net", FALSE}, ++ {"xn--l8j.example.local", "x*.example.local", FALSE}, ++ {"xn--l8j.example.net", "*.example.net", TRUE}, ++ {"xn--l8j.example.net", "*j.example.net", FALSE}, ++ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE}, ++ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE}, ++ {"xl8j.example.net", "*.example.net", TRUE}, ++ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE}, ++ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE}, ++ {NULL, NULL, FALSE} ++}; + +-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1"); +-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2"); +-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3"); +-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4"); +-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5"); +-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6"); +-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7"); +-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8"); +-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9"); +-fail_if(Curl_cert_hostcheck("", "www"), "bad 10"); +-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11"); +-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12"); +-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13"); +- +-#ifdef ENABLE_IPV6 +-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619", +- "fe80::3285:a9ff:fe46:b619"), "bad 14"); +-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619", +- "fe80::3285:a9ff:fe46:b619"), "good 6"); +-#endif ++UNITTEST_START ++{ ++ int i; ++ for(i = 0; tests[i].host; i++) { ++ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern, ++ tests[i].host)) { ++ fprintf(stderr, ++ "HOST: %s\n" ++ "PTRN: %s\n" ++ "did %sMATCH\n", ++ tests[i].host, ++ tests[i].pattern, ++ tests[i].match ? "NOT ": ""); ++ unitfail++; ++ } ++ } ++} + +-#endif ++UNITTEST_STOP ++#else + +- /* you end the test code like this: */ ++UNITTEST_START + + UNITTEST_STOP ++#endif +-- +2.33.0 + diff --git a/backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch b/backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch new file mode 100644 index 0000000000000000000000000000000000000000..1f1207801df6bb86a0307db01301b22047ab3f57 --- /dev/null +++ b/backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch @@ -0,0 +1,46 @@ +From 2989b11377c215884ae5a50c07607f75a31dc2ff Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 12 Nov 2021 08:08:34 +0100 +Subject: [PATCH] http_proxy: make Curl_connect_done() work for proxy disabled + builds + +... by making it an empty macro then. + +Follow-up to f0b7099a10d1a +Reported-by: Vincent Grande +Fixes #7995 +Closes #7996 + +Conflict:NA +Reference:https://github.com/curl/curl/commit/2989b11377c215884ae5a50c07607f75a31dc2ff +--- + lib/http_proxy.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/http_proxy.h b/lib/http_proxy.h +index cdf8de4fb..2820e1184 100644 +--- a/lib/http_proxy.h ++++ b/lib/http_proxy.h +@@ -39,6 +39,7 @@ CURLcode Curl_proxy_connect(struct Curl_easy *data, int sockindex); + bool Curl_connect_complete(struct connectdata *conn); + bool Curl_connect_ongoing(struct connectdata *conn); + int Curl_connect_getsock(struct connectdata *conn); ++void Curl_connect_done(struct Curl_easy *data); + + #else + #define Curl_proxyCONNECT(x,y,z,w) CURLE_NOT_BUILT_IN +@@ -46,10 +47,10 @@ int Curl_connect_getsock(struct connectdata *conn); + #define Curl_connect_complete(x) CURLE_OK + #define Curl_connect_ongoing(x) FALSE + #define Curl_connect_getsock(x) 0 ++#define Curl_connect_done(x) + #endif + + void Curl_connect_free(struct Curl_easy *data); +-void Curl_connect_done(struct Curl_easy *data); + + /* struct for HTTP CONNECT state data */ + struct http_connect_state { +-- +2.33.0 + diff --git a/backport-lib1939-make-it-endure-torture-tests.patch b/backport-lib1939-make-it-endure-torture-tests.patch new file mode 100644 index 0000000000000000000000000000000000000000..ea2570661ceecd1849c38f7186651f7e16ff93ea --- /dev/null +++ b/backport-lib1939-make-it-endure-torture-tests.patch @@ -0,0 +1,90 @@ +From 26247a0d7e24c06d5b250f044a951441674a4484 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 13 Nov 2021 14:13:20 +0100 +Subject: [PATCH 1/1] lib1939: make it endure torture tests + +Follow-up to f0b7099a10d1a + +Closes #8007 + +Conflict:NA +Reference:https://github.com/curl/curl/commit/26247a0d7e24c06d5b250f044a951441674a4484 +--- + tests/libtest/lib1939.c | 55 +++++++++++++++++++---------------------- + 1 file changed, 26 insertions(+), 29 deletions(-) + +diff --git a/tests/libtest/lib1939.c b/tests/libtest/lib1939.c +index 644617712..510215dbd 100644 +--- a/tests/libtest/lib1939.c ++++ b/tests/libtest/lib1939.c +@@ -33,41 +33,38 @@ int test(char *URL) + curl_global_init(CURL_GLOBAL_DEFAULT); + + multi = curl_multi_init(); +- if(!multi) +- return 1; ++ if(multi) { ++ easy = curl_easy_init(); ++ if(easy) { ++ CURLcode c; ++ CURLMcode m; + +- easy = curl_easy_init(); +- if(easy) { +- CURLcode c; +- CURLMcode m; ++ /* Crash only happens when using HTTPS */ ++ c = curl_easy_setopt(easy, CURLOPT_URL, URL); ++ if(!c) ++ /* Any old HTTP tunneling proxy will do here */ ++ c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2); + +- /* Crash only happens when using HTTPS */ +- c = curl_easy_setopt(easy, CURLOPT_URL, URL); +- if(!c) +- /* Any old HTTP tunneling proxy will do here */ +- c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2); ++ if(!c) { + +- if(c) +- return 2; ++ /* We're going to drive the transfer using multi interface here, ++ because we want to stop during the middle. */ ++ m = curl_multi_add_handle(multi, easy); + +- /* We're going to drive the transfer using multi interface here, because we +- want to stop during the middle. */ +- m = curl_multi_add_handle(multi, easy); ++ if(!m) ++ /* Run the multi handle once, just enough to start establishing an ++ HTTPS connection. */ ++ m = curl_multi_perform(multi, &running_handles); + +- if(!m) +- /* Run the multi handle once, just enough to start establishing an HTTPS +- connection. */ +- m = curl_multi_perform(multi, &running_handles); +- +- if(m) +- return 3; +- +- /* Close the easy handle *before* the multi handle. Doing it the other way +- around avoids the issue. */ +- curl_easy_cleanup(easy); ++ if(m) ++ fprintf(stderr, "curl_multi_perform failed\n"); ++ } ++ /* Close the easy handle *before* the multi handle. Doing it the other ++ way around avoids the issue. */ ++ curl_easy_cleanup(easy); ++ } ++ curl_multi_cleanup(multi); /* double-free happens here */ + } +- curl_multi_cleanup(multi); /* double-free happens here */ +- + curl_global_cleanup(); + return CURLE_OK; + } +-- +2.33.0 + diff --git a/backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch b/backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch new file mode 100644 index 0000000000000000000000000000000000000000..042b4dcb60b303dca4ddb651fa51c39902aba508 --- /dev/null +++ b/backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch @@ -0,0 +1,259 @@ +From f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 10 Nov 2021 14:42:04 +0100 +Subject: [PATCH 1/1] multi: shut down CONNECT in Curl_detach_connnection + +... to prevent a lingering pointer that would lead to a double-free. + +Added test 1939 to verify. + +Reported-by: Stephen M. Coakley +Fixes #7982 +Closes #7986 + +Conflict:context adapt of test makefile +Reference:https://github.com/curl/curl/commit/f0b7099a10d1a7cfbbe8f67b0ecdff5846f9805b +--- + lib/http_proxy.c | 10 +++--- + lib/multi.c | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test1939 | 52 +++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 +++- + tests/libtest/lib1939.c | 73 ++++++++++++++++++++++++++++++++++++++ + 6 files changed, 137 insertions(+), 6 deletions(-) + create mode 100644 tests/data/test1939 + create mode 100644 tests/libtest/lib1939.c + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index fc050a07d..cfe616fa6 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -198,11 +198,11 @@ static CURLcode connect_init(struct Curl_easy *data, bool reinit) + return CURLE_OK; + } + +-static void connect_done(struct Curl_easy *data) ++void Curl_connect_done(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + struct http_connect_state *s = conn->connect_state; +- if(s->tunnel_state != TUNNEL_EXIT) { ++ if(s && (s->tunnel_state != TUNNEL_EXIT)) { + s->tunnel_state = TUNNEL_EXIT; + Curl_dyn_free(&s->rcvbuf); + Curl_dyn_free(&s->req); +@@ -662,7 +662,7 @@ static CURLcode CONNECT(struct Curl_easy *data, + if(s->close_connection && data->req.newurl) { + conn->bits.proxy_connect_closed = TRUE; + infof(data, "Connect me again please"); +- connect_done(data); ++ Curl_connect_done(data); + } + else { + free(data->req.newurl); +@@ -974,7 +974,7 @@ static CURLcode CONNECT(struct Curl_easy *data, + if(conn->bits.close && data->req.newurl) { + conn->bits.proxy_connect_closed = TRUE; + infof(data, "Connect me again please"); +- connect_done(data); ++ Curl_connect_done(data); + } + else { + free(data->req.newurl); +@@ -1048,7 +1048,7 @@ CURLcode Curl_proxyCONNECT(struct Curl_easy *data, + result = CONNECT(data, sockindex, hostname, remote_port); + + if(result || Curl_connect_complete(conn)) +- connect_done(data); ++ Curl_connect_done(data); + + return result; + } +diff --git a/lib/multi.c b/lib/multi.c +index f307d63b9..ce634fcac 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -878,6 +878,7 @@ void Curl_detach_connnection(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + if(conn) { ++ Curl_connect_done(data); /* if mid-CONNECT, shut it down */ + Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL); + Curl_ssl_detach_conn(data, conn); + } +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 9a8b64bed..b6a503e72 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -216,7 +216,7 @@ test1800 test1801 \ + test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \ + test1916 test1917 test1918 \ + \ +-test1933 test1934 test1935 test1936 \ ++test1933 test1934 test1935 test1936 test1939 \ + \ + test2000 test2001 test2002 test2003 test2004 \ + \ +diff --git a/tests/data/test1939 b/tests/data/test1939 +new file mode 100644 +index 000000000..0b9987b5b +--- /dev/null ++++ b/tests/data/test1939 +@@ -0,0 +1,52 @@ ++ ++ ++ ++CONNECT ++curl_easy_cleanup ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 302 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Type: text/html ++Content-Length: 0 ++Location: /%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Type: text/html ++Content-Length: 0 ++ ++ ++ ++ ++# Client-side ++ ++ ++https ++http-proxy ++ ++ ++ ++curl_easy_cleanup without curl_multi_remove_handle - in CONNECT ++ ++ ++lib%TESTNUMBER ++ ++ ++ ++https://%HOSTIP:%HTTPPORT/%TESTNUMBER http://%HOSTIP:%PROXYPORT ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 8cea7c014..62a7675b1 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -61,6 +61,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib1591 lib1592 lib1593 lib1594 lib1596 \ + lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ + lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \ ++ lib1939 \ + lib3010 + + chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ +@@ -715,6 +716,10 @@ lib1938_SOURCES = lib1938.c $(SUPPORTFILES) + lib1936_LDADD = $(TESTUTIL_LIBS) + lib1936_CPPFLAGS = $(AM_CPPFLAGS) + ++lib1939_SOURCES = lib1939.c $(SUPPORTFILES) ++lib1939_LDADD = $(TESTUTIL_LIBS) ++lib1939_CPPFLAGS = $(AM_CPPFLAGS) ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + lib3010_CPPFLAGS = $(AM_CPPFLAGS) +diff --git a/tests/libtest/lib1939.c b/tests/libtest/lib1939.c +new file mode 100644 +index 000000000..644617712 +--- /dev/null ++++ b/tests/libtest/lib1939.c +@@ -0,0 +1,73 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++ ++#include "test.h" ++ ++#include "memdebug.h" ++ ++int test(char *URL) ++{ ++ CURLM *multi; ++ CURL *easy; ++ int running_handles; ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ ++ multi = curl_multi_init(); ++ if(!multi) ++ return 1; ++ ++ easy = curl_easy_init(); ++ if(easy) { ++ CURLcode c; ++ CURLMcode m; ++ ++ /* Crash only happens when using HTTPS */ ++ c = curl_easy_setopt(easy, CURLOPT_URL, URL); ++ if(!c) ++ /* Any old HTTP tunneling proxy will do here */ ++ c = curl_easy_setopt(easy, CURLOPT_PROXY, libtest_arg2); ++ ++ if(c) ++ return 2; ++ ++ /* We're going to drive the transfer using multi interface here, because we ++ want to stop during the middle. */ ++ m = curl_multi_add_handle(multi, easy); ++ ++ if(!m) ++ /* Run the multi handle once, just enough to start establishing an HTTPS ++ connection. */ ++ m = curl_multi_perform(multi, &running_handles); ++ ++ if(m) ++ return 3; ++ ++ /* Close the easy handle *before* the multi handle. Doing it the other way ++ around avoids the issue. */ ++ curl_easy_cleanup(easy); ++ } ++ curl_multi_cleanup(multi); /* double-free happens here */ ++ ++ curl_global_cleanup(); ++ return CURLE_OK; ++} +-- +2.33.0 + diff --git a/backport-pre-CVE-2022-27774.patch b/backport-pre-CVE-2022-27774.patch new file mode 100644 index 0000000000000000000000000000000000000000..cee2c24ac4f965f4ff89f57984888aa7c9c3eedc --- /dev/null +++ b/backport-pre-CVE-2022-27774.patch @@ -0,0 +1,40 @@ +From 08b8ef4e726ba10f45081ecda5b3cea788d3c839 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/connect.c b/lib/connect.c +index e0b740147157..9bcf525ebb39 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn, + data->info.conn_scheme = conn->handler->scheme; + data->info.conn_protocol = conn->handler->protocol; + data->info.conn_primary_port = conn->port; ++ data->info.conn_remote_port = conn->remote_port; + data->info.conn_local_port = local_port; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index ef2174d9e727..9c34ec444c08 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1160,7 +1160,11 @@ struct PureInfo { + reused, in the connection cache. */ + + char conn_primary_ip[MAX_IPADR_LEN]; +- int conn_primary_port; ++ int conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ int conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + int conn_local_port; + const char *conn_scheme; diff --git a/backport-pre-CVE-2022-27782.patch b/backport-pre-CVE-2022-27782.patch new file mode 100644 index 0000000000000000000000000000000000000000..95cafbe865f9a9d951cacbfeae42d0ad081733c3 --- /dev/null +++ b/backport-pre-CVE-2022-27782.patch @@ -0,0 +1,32 @@ +From 093531556203decd92d92bccd431edbe5561781c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 26 Apr 2022 07:46:19 +0200 +Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects + +Follow-up to 620ea21410030 and 139a54ed0a172a + +Reported-by: Harry Sintonen +Closes #8752 +--- + lib/vtls/gtls.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 9c3a68f0ac6b..0535011911d5 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -445,11 +445,11 @@ gtls_connect_step1(struct Curl_easy *data, + } + + #ifdef HAVE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); + +- rc = gnutls_srp_allocate_client_credentials( +- &backend->srp_client_cred); ++ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_allocate_client_cred() failed: %s", + gnutls_strerror(rc)); diff --git a/backport-test1939-require-proxy-support-to-run.patch b/backport-test1939-require-proxy-support-to-run.patch new file mode 100644 index 0000000000000000000000000000000000000000..3787b66941f724b1b7f885f724030c2f057936da --- /dev/null +++ b/backport-test1939-require-proxy-support-to-run.patch @@ -0,0 +1,32 @@ +From b7e1443a1d59feea9fc63e5b78276153ac635438 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 13 Nov 2021 23:43:24 +0100 +Subject: [PATCH 1/1] test1939: require proxy support to run + +Follow-up to f0b7099a10d1a + +Closes #8011 + +Conflict:NA +Reference:https://github.com/curl/curl/commit/b7e1443a1d59feea9fc63e5b78276153ac635438 +--- + tests/data/test1939 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/data/test1939 b/tests/data/test1939 +index 0b9987b5b..19dc74d2b 100644 +--- a/tests/data/test1939 ++++ b/tests/data/test1939 +@@ -29,6 +29,9 @@ Content-Length: 0 + + # Client-side + ++ ++proxy ++ + + https + http-proxy +-- +2.33.0 + diff --git a/backport-test1948-verify-PUT-POST-reusing-the-same-handle.patch b/backport-test1948-verify-PUT-POST-reusing-the-same-handle.patch new file mode 100644 index 0000000000000000000000000000000000000000..b36ab70ea5870e28a774479fb117c2dd06a714c4 --- /dev/null +++ b/backport-test1948-verify-PUT-POST-reusing-the-same-handle.patch @@ -0,0 +1,217 @@ +From 1edb15925e350be3b891f8a8de86600b22c0bb20 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 15 Sep 2022 09:23:33 +0200 +Subject: [PATCH] test1948: verify PUT + POST reusing the same handle + +Reproduced #9507, verifies the fix +--- + tests/data/Makefile.inc | 1 + + tests/data/test1948 | 73 +++++++++++++++++++++++++++++++++++ + tests/libtest/Makefile.inc | 5 ++- + tests/libtest/lib1948.c | 79 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 158 insertions(+) + create mode 100644 tests/data/test1948 + create mode 100644 tests/libtest/lib1948.c + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index a060a803a..20cdb9c8e 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -224,6 +224,7 @@ test1908 test1909 test1910 test1911 test1912 test1913 test1914 test1915 \ + test1916 test1917 test1918 \ + \ + test1933 test1934 test1935 test1936 test1939 \ ++test1948 \ + \ + test2000 test2001 test2002 test2003 test2004 \ + \ +diff --git a/tests/data/test1948 b/tests/data/test1948 +new file mode 100644 +index 000000000..639523d99 +--- /dev/null ++++ b/tests/data/test1948 +@@ -0,0 +1,73 @@ ++ ++ ++ ++HTTP ++HTTP POST ++HTTP PUT ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++HTTP/1.1 200 OK ++Date: Thu, 01 Nov 2001 14:49:00 GMT ++Content-Type: text/html ++Content-Length: 6 ++ ++hello ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++ ++CURLOPT_POST after CURLOPT_UPLOAD reusing handle ++ ++ ++lib%TESTNUMBER ++ ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++PUT /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Expect: 100-continue ++ ++This is test PUT data ++POST /1948 HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Accept: */* ++Content-Length: 22 ++Content-Type: application/x-www-form-urlencoded ++ ++This is test PUT data ++ ++ ++ +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index d6b3ab37c..3b9cdd006 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -64,6 +64,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ + lib1915 lib1916 lib1917 lib1918 lib1933 lib1934 lib1935 lib1936 \ + lib1939 \ ++ lib1948 \ + lib3010 + + chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ +@@ -753,6 +753,10 @@ lib1939_SOURCES = lib1939.c $(SUPPORTFILES) + lib1939_LDADD = $(TESTUTIL_LIBS) + lib1939_CPPFLAGS = $(AM_CPPFLAGS) + ++lib1948_SOURCES = lib1948.c $(SUPPORTFILES) ++lib1948_LDADD = $(TESTUTIL_LIBS) ++lib1948_CPPFLAGS = $(AM_CPPFLAGS) ++ + lib3010_SOURCES = lib3010.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib3010_LDADD = $(TESTUTIL_LIBS) + lib3010_CPPFLAGS = $(AM_CPPFLAGS) +diff --git a/tests/libtest/lib1948.c b/tests/libtest/lib1948.c +new file mode 100644 +index 000000000..7c891a2ca +--- /dev/null ++++ b/tests/libtest/lib1948.c +@@ -0,0 +1,79 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "test.h" ++ ++typedef struct ++{ ++ char *buf; ++ size_t len; ++} put_buffer; ++ ++static size_t put_callback(char *ptr, size_t size, size_t nmemb, void *stream) ++{ ++ put_buffer *putdata = (put_buffer *)stream; ++ size_t totalsize = size * nmemb; ++ size_t tocopy = (putdata->len < totalsize) ? putdata->len : totalsize; ++ memcpy(ptr, putdata->buf, tocopy); ++ putdata->len -= tocopy; ++ putdata->buf += tocopy; ++ return tocopy; ++} ++ ++int test(char *URL) ++{ ++ CURL *curl; ++ CURLcode res = CURLE_OUT_OF_MEMORY; ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ ++ curl = curl_easy_init(); ++ if(curl) { ++ const char *testput = "This is test PUT data\n"; ++ put_buffer pbuf; ++ ++ /* PUT */ ++ curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L); ++ curl_easy_setopt(curl, CURLOPT_HEADER, 1L); ++ curl_easy_setopt(curl, CURLOPT_READFUNCTION, put_callback); ++ pbuf.buf = (char *)testput; ++ pbuf.len = strlen(testput); ++ curl_easy_setopt(curl, CURLOPT_READDATA, &pbuf); ++ curl_easy_setopt(curl, CURLOPT_INFILESIZE, (long)strlen(testput)); ++ res = curl_easy_setopt(curl, CURLOPT_URL, URL); ++ if(!res) ++ res = curl_easy_perform(curl); ++ if(!res) { ++ /* POST */ ++ curl_easy_setopt(curl, CURLOPT_POST, 1L); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDS, testput); ++ curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(testput)); ++ res = curl_easy_perform(curl); ++ } ++ curl_easy_cleanup(curl); ++ } ++ ++ curl_global_cleanup(); ++ return (int)res; ++} +-- +2.33.0 + diff --git a/backport-test387-verify-rejection-of-compression-chain-attack.patch b/backport-test387-verify-rejection-of-compression-chain-attack.patch new file mode 100644 index 0000000000000000000000000000000000000000..ee3bbfb660df1e8c35019fc71bca0b049f25c46f --- /dev/null +++ b/backport-test387-verify-rejection-of-compression-chain-attack.patch @@ -0,0 +1,85 @@ +From 7230b19a2e17a164f61f82e4e409a9777ea2421a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:29:07 +0200 +Subject: [PATCH] test387: verify rejection of compression chain attack + +--- + tests/data/Makefile.inc | 1 + + tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+) + create mode 100644 tests/data/test387 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 8b7cc46a3..370727eec 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -64,6 +64,7 @@ test343 test344 test345 test346 test347 test348 test349 test350 test351 \ + test343 test344 test345 test346 test347 test348 test349 test350 test351 \ + test352 test353 test354 test355 test356 test357 test358 test359 test360 \ + test361 test362 test363 test364 test365 test366 \ ++test387 \ + \ + test392 test393 test394 test395 test396 test397 \ + \ +diff --git a/tests/data/test387 b/tests/data/test387 +new file mode 100644 +index 000000000..015ec25f1 +--- /dev/null ++++ b/tests/data/test387 +@@ -0,0 +1,53 @@ ++ ++ ++ ++HTTP ++gzip ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Response with overly long compression chain ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++ ++61 ++ ++ ++curl: (61) Reject response due to more than 5 content encodings ++ ++ ++ +-- +2.33.0 + diff --git a/backport-test442-443-test-cookie-caps.patch b/backport-test442-443-test-cookie-caps.patch new file mode 100644 index 0000000000000000000000000000000000000000..6e689ddf6b924fc8d7d1e26f950a3ca2cb47d544 --- /dev/null +++ b/backport-test442-443-test-cookie-caps.patch @@ -0,0 +1,331 @@ +From ff2b2bcf687572d173688832f0913a43de1a2bf8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 26 Jun 2022 11:01:01 +0200 +Subject: [PATCH] test442/443: test cookie caps + +442 - verify that only 150 cookies are sent +443 - verify that the cookie: header remains less than 8K in size +--- + tests/data/Makefile.inc | 2 +- + tests/data/test442 | 210 ++++++++++++++++++++++++++++++++++++++++ + tests/data/test443 | 79 +++++++++++++++ + 3 files changed, 290 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test442 + create mode 100644 tests/data/test443 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 370727eec..a17618ac7 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -73,6 +73,7 @@ test409 test410 test411 test412 test413 test414 \ + test418 \ + test430 test431 test432 test433 test434 test435 test445 test446\ + \ ++test442 test443 \ + test490 test491 test492 test493 test494 \ + \ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +diff --git a/tests/data/test442 b/tests/data/test442 +new file mode 100644 +index 000000000..1b00d2061 +--- /dev/null ++++ b/tests/data/test442 +@@ -0,0 +1,210 @@ ++ ++# perl: ++# ++# for(1 .. 151) { ++# print join("\t", ++# "attack.invalid", "TRUE", "/", "FALSE", "0", ++# "name$_", "could-be-large-$_")."\n"; ++# } ++# ++ ++ ++HTTP ++cookies ++--resolve ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Send capped huge number of matching cookies ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L ++ ++ ++attack.invalid TRUE / FALSE 0 name1 could-be-large-1 ++attack.invalid TRUE / FALSE 0 name2 could-be-large-2 ++attack.invalid TRUE / FALSE 0 name3 could-be-large-3 ++attack.invalid TRUE / FALSE 0 name4 could-be-large-4 ++attack.invalid TRUE / FALSE 0 name5 could-be-large-5 ++attack.invalid TRUE / FALSE 0 name6 could-be-large-6 ++attack.invalid TRUE / FALSE 0 name7 could-be-large-7 ++attack.invalid TRUE / FALSE 0 name8 could-be-large-8 ++attack.invalid TRUE / FALSE 0 name9 could-be-large-9 ++attack.invalid TRUE / FALSE 0 name10 could-be-large-10 ++attack.invalid TRUE / FALSE 0 name11 could-be-large-11 ++attack.invalid TRUE / FALSE 0 name12 could-be-large-12 ++attack.invalid TRUE / FALSE 0 name13 could-be-large-13 ++attack.invalid TRUE / FALSE 0 name14 could-be-large-14 ++attack.invalid TRUE / FALSE 0 name15 could-be-large-15 ++attack.invalid TRUE / FALSE 0 name16 could-be-large-16 ++attack.invalid TRUE / FALSE 0 name17 could-be-large-17 ++attack.invalid TRUE / FALSE 0 name18 could-be-large-18 ++attack.invalid TRUE / FALSE 0 name19 could-be-large-19 ++attack.invalid TRUE / FALSE 0 name20 could-be-large-20 ++attack.invalid TRUE / FALSE 0 name21 could-be-large-21 ++attack.invalid TRUE / FALSE 0 name22 could-be-large-22 ++attack.invalid TRUE / FALSE 0 name23 could-be-large-23 ++attack.invalid TRUE / FALSE 0 name24 could-be-large-24 ++attack.invalid TRUE / FALSE 0 name25 could-be-large-25 ++attack.invalid TRUE / FALSE 0 name26 could-be-large-26 ++attack.invalid TRUE / FALSE 0 name27 could-be-large-27 ++attack.invalid TRUE / FALSE 0 name28 could-be-large-28 ++attack.invalid TRUE / FALSE 0 name29 could-be-large-29 ++attack.invalid TRUE / FALSE 0 name30 could-be-large-30 ++attack.invalid TRUE / FALSE 0 name31 could-be-large-31 ++attack.invalid TRUE / FALSE 0 name32 could-be-large-32 ++attack.invalid TRUE / FALSE 0 name33 could-be-large-33 ++attack.invalid TRUE / FALSE 0 name34 could-be-large-34 ++attack.invalid TRUE / FALSE 0 name35 could-be-large-35 ++attack.invalid TRUE / FALSE 0 name36 could-be-large-36 ++attack.invalid TRUE / FALSE 0 name37 could-be-large-37 ++attack.invalid TRUE / FALSE 0 name38 could-be-large-38 ++attack.invalid TRUE / FALSE 0 name39 could-be-large-39 ++attack.invalid TRUE / FALSE 0 name40 could-be-large-40 ++attack.invalid TRUE / FALSE 0 name41 could-be-large-41 ++attack.invalid TRUE / FALSE 0 name42 could-be-large-42 ++attack.invalid TRUE / FALSE 0 name43 could-be-large-43 ++attack.invalid TRUE / FALSE 0 name44 could-be-large-44 ++attack.invalid TRUE / FALSE 0 name45 could-be-large-45 ++attack.invalid TRUE / FALSE 0 name46 could-be-large-46 ++attack.invalid TRUE / FALSE 0 name47 could-be-large-47 ++attack.invalid TRUE / FALSE 0 name48 could-be-large-48 ++attack.invalid TRUE / FALSE 0 name49 could-be-large-49 ++attack.invalid TRUE / FALSE 0 name50 could-be-large-50 ++attack.invalid TRUE / FALSE 0 name51 could-be-large-51 ++attack.invalid TRUE / FALSE 0 name52 could-be-large-52 ++attack.invalid TRUE / FALSE 0 name53 could-be-large-53 ++attack.invalid TRUE / FALSE 0 name54 could-be-large-54 ++attack.invalid TRUE / FALSE 0 name55 could-be-large-55 ++attack.invalid TRUE / FALSE 0 name56 could-be-large-56 ++attack.invalid TRUE / FALSE 0 name57 could-be-large-57 ++attack.invalid TRUE / FALSE 0 name58 could-be-large-58 ++attack.invalid TRUE / FALSE 0 name59 could-be-large-59 ++attack.invalid TRUE / FALSE 0 name60 could-be-large-60 ++attack.invalid TRUE / FALSE 0 name61 could-be-large-61 ++attack.invalid TRUE / FALSE 0 name62 could-be-large-62 ++attack.invalid TRUE / FALSE 0 name63 could-be-large-63 ++attack.invalid TRUE / FALSE 0 name64 could-be-large-64 ++attack.invalid TRUE / FALSE 0 name65 could-be-large-65 ++attack.invalid TRUE / FALSE 0 name66 could-be-large-66 ++attack.invalid TRUE / FALSE 0 name67 could-be-large-67 ++attack.invalid TRUE / FALSE 0 name68 could-be-large-68 ++attack.invalid TRUE / FALSE 0 name69 could-be-large-69 ++attack.invalid TRUE / FALSE 0 name70 could-be-large-70 ++attack.invalid TRUE / FALSE 0 name71 could-be-large-71 ++attack.invalid TRUE / FALSE 0 name72 could-be-large-72 ++attack.invalid TRUE / FALSE 0 name73 could-be-large-73 ++attack.invalid TRUE / FALSE 0 name74 could-be-large-74 ++attack.invalid TRUE / FALSE 0 name75 could-be-large-75 ++attack.invalid TRUE / FALSE 0 name76 could-be-large-76 ++attack.invalid TRUE / FALSE 0 name77 could-be-large-77 ++attack.invalid TRUE / FALSE 0 name78 could-be-large-78 ++attack.invalid TRUE / FALSE 0 name79 could-be-large-79 ++attack.invalid TRUE / FALSE 0 name80 could-be-large-80 ++attack.invalid TRUE / FALSE 0 name81 could-be-large-81 ++attack.invalid TRUE / FALSE 0 name82 could-be-large-82 ++attack.invalid TRUE / FALSE 0 name83 could-be-large-83 ++attack.invalid TRUE / FALSE 0 name84 could-be-large-84 ++attack.invalid TRUE / FALSE 0 name85 could-be-large-85 ++attack.invalid TRUE / FALSE 0 name86 could-be-large-86 ++attack.invalid TRUE / FALSE 0 name87 could-be-large-87 ++attack.invalid TRUE / FALSE 0 name88 could-be-large-88 ++attack.invalid TRUE / FALSE 0 name89 could-be-large-89 ++attack.invalid TRUE / FALSE 0 name90 could-be-large-90 ++attack.invalid TRUE / FALSE 0 name91 could-be-large-91 ++attack.invalid TRUE / FALSE 0 name92 could-be-large-92 ++attack.invalid TRUE / FALSE 0 name93 could-be-large-93 ++attack.invalid TRUE / FALSE 0 name94 could-be-large-94 ++attack.invalid TRUE / FALSE 0 name95 could-be-large-95 ++attack.invalid TRUE / FALSE 0 name96 could-be-large-96 ++attack.invalid TRUE / FALSE 0 name97 could-be-large-97 ++attack.invalid TRUE / FALSE 0 name98 could-be-large-98 ++attack.invalid TRUE / FALSE 0 name99 could-be-large-99 ++attack.invalid TRUE / FALSE 0 name100 could-be-large-100 ++attack.invalid TRUE / FALSE 0 name101 could-be-large-101 ++attack.invalid TRUE / FALSE 0 name102 could-be-large-102 ++attack.invalid TRUE / FALSE 0 name103 could-be-large-103 ++attack.invalid TRUE / FALSE 0 name104 could-be-large-104 ++attack.invalid TRUE / FALSE 0 name105 could-be-large-105 ++attack.invalid TRUE / FALSE 0 name106 could-be-large-106 ++attack.invalid TRUE / FALSE 0 name107 could-be-large-107 ++attack.invalid TRUE / FALSE 0 name108 could-be-large-108 ++attack.invalid TRUE / FALSE 0 name109 could-be-large-109 ++attack.invalid TRUE / FALSE 0 name110 could-be-large-110 ++attack.invalid TRUE / FALSE 0 name111 could-be-large-111 ++attack.invalid TRUE / FALSE 0 name112 could-be-large-112 ++attack.invalid TRUE / FALSE 0 name113 could-be-large-113 ++attack.invalid TRUE / FALSE 0 name114 could-be-large-114 ++attack.invalid TRUE / FALSE 0 name115 could-be-large-115 ++attack.invalid TRUE / FALSE 0 name116 could-be-large-116 ++attack.invalid TRUE / FALSE 0 name117 could-be-large-117 ++attack.invalid TRUE / FALSE 0 name118 could-be-large-118 ++attack.invalid TRUE / FALSE 0 name119 could-be-large-119 ++attack.invalid TRUE / FALSE 0 name120 could-be-large-120 ++attack.invalid TRUE / FALSE 0 name121 could-be-large-121 ++attack.invalid TRUE / FALSE 0 name122 could-be-large-122 ++attack.invalid TRUE / FALSE 0 name123 could-be-large-123 ++attack.invalid TRUE / FALSE 0 name124 could-be-large-124 ++attack.invalid TRUE / FALSE 0 name125 could-be-large-125 ++attack.invalid TRUE / FALSE 0 name126 could-be-large-126 ++attack.invalid TRUE / FALSE 0 name127 could-be-large-127 ++attack.invalid TRUE / FALSE 0 name128 could-be-large-128 ++attack.invalid TRUE / FALSE 0 name129 could-be-large-129 ++attack.invalid TRUE / FALSE 0 name130 could-be-large-130 ++attack.invalid TRUE / FALSE 0 name131 could-be-large-131 ++attack.invalid TRUE / FALSE 0 name132 could-be-large-132 ++attack.invalid TRUE / FALSE 0 name133 could-be-large-133 ++attack.invalid TRUE / FALSE 0 name134 could-be-large-134 ++attack.invalid TRUE / FALSE 0 name135 could-be-large-135 ++attack.invalid TRUE / FALSE 0 name136 could-be-large-136 ++attack.invalid TRUE / FALSE 0 name137 could-be-large-137 ++attack.invalid TRUE / FALSE 0 name138 could-be-large-138 ++attack.invalid TRUE / FALSE 0 name139 could-be-large-139 ++attack.invalid TRUE / FALSE 0 name140 could-be-large-140 ++attack.invalid TRUE / FALSE 0 name141 could-be-large-141 ++attack.invalid TRUE / FALSE 0 name142 could-be-large-142 ++attack.invalid TRUE / FALSE 0 name143 could-be-large-143 ++attack.invalid TRUE / FALSE 0 name144 could-be-large-144 ++attack.invalid TRUE / FALSE 0 name145 could-be-large-145 ++attack.invalid TRUE / FALSE 0 name146 could-be-large-146 ++attack.invalid TRUE / FALSE 0 name147 could-be-large-147 ++attack.invalid TRUE / FALSE 0 name148 could-be-large-148 ++attack.invalid TRUE / FALSE 0 name149 could-be-large-149 ++attack.invalid TRUE / FALSE 0 name150 could-be-large-150 ++attack.invalid TRUE / FALSE 0 name151 could-be-large-151 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++Cookie: name150=could-be-large-150; name149=could-be-large-149; name148=could-be-large-148; name147=could-be-large-147; name146=could-be-large-146; name145=could-be-large-145; name144=could-be-large-144; name143=could-be-large-143; name142=could-be-large-142; name141=could-be-large-141; name140=could-be-large-140; name139=could-be-large-139; name138=could-be-large-138; name137=could-be-large-137; name136=could-be-large-136; name135=could-be-large-135; name134=could-be-large-134; name133=could-be-large-133; name132=could-be-large-132; name131=could-be-large-131; name130=could-be-large-130; name129=could-be-large-129; name128=could-be-large-128; name127=could-be-large-127; name126=could-be-large-126; name125=could-be-large-125; name124=could-be-large-124; name123=could-be-large-123; name122=could-be-large-122; name121=could-be-large-121; name120=could-be-large-120; name119=could-be-large-119; name118=could-be-large-118; name117=could-be-large-117; name116=could-be-large-116; name115=could-be-large-115; name114=could-be-large-114; name113=could-be-large-113; name112=could-be-large-112; name111=could-be-large-111; name110=could-be-large-110; name109=could-be-large-109; name108=could-be-large-108; name107=could-be-large-107; name106=could-be-large-106; name105=could-be-large-105; name104=could-be-large-104; name103=could-be-large-103; name102=could-be-large-102; name101=could-be-large-101; name100=could-be-large-100; name99=could-be-large-99; name98=could-be-large-98; name97=could-be-large-97; name96=could-be-large-96; name95=could-be-large-95; name94=could-be-large-94; name93=could-be-large-93; name92=could-be-large-92; name91=could-be-large-91; name90=could-be-large-90; name89=could-be-large-89; name88=could-be-large-88; name87=could-be-large-87; name86=could-be-large-86; name85=could-be-large-85; name84=could-be-large-84; name83=could-be-large-83; name82=could-be-large-82; name81=could-be-large-81; name80=could-be-large-80; name79=could-be-large-79; name78=could-be-large-78; name77=could-be-large-77; name76=could-be-large-76; name75=could-be-large-75; name74=could-be-large-74; name73=could-be-large-73; name72=could-be-large-72; name71=could-be-large-71; name70=could-be-large-70; name69=could-be-large-69; name68=could-be-large-68; name67=could-be-large-67; name66=could-be-large-66; name65=could-be-large-65; name64=could-be-large-64; name63=could-be-large-63; name62=could-be-large-62; name61=could-be-large-61; name60=could-be-large-60; name59=could-be-large-59; name58=could-be-large-58; name57=could-be-large-57; name56=could-be-large-56; name55=could-be-large-55; name54=could-be-large-54; name53=could-be-large-53; name52=could-be-large-52; name51=could-be-large-51; name50=could-be-large-50; name49=could-be-large-49; name48=could-be-large-48; name47=could-be-large-47; name46=could-be-large-46; name45=could-be-large-45; name44=could-be-large-44; name43=could-be-large-43; name42=could-be-large-42; name41=could-be-large-41; name40=could-be-large-40; name39=could-be-large-39; name38=could-be-large-38; name37=could-be-large-37; name36=could-be-large-36; name35=could-be-large-35; name34=could-be-large-34; name33=could-be-large-33; name32=could-be-large-32; name31=could-be-large-31; name30=could-be-large-30; name29=could-be-large-29; name28=could-be-large-28; name27=could-be-large-27; name26=could-be-large-26; name25=could-be-large-25; name24=could-be-large-24; name23=could-be-large-23; name22=could-be-large-22; name21=could-be-large-21; name20=could-be-large-20; name19=could-be-large-19; name18=could-be-large-18; name17=could-be-large-17; name16=could-be-large-16; name15=could-be-large-15; name14=could-be-large-14; name13=could-be-large-13; name12=could-be-large-12; name11=could-be-large-11; name10=could-be-large-10; name9=could-be-large-9; name8=could-be-large-8; name7=could-be-large-7; name6=could-be-large-6; name5=could-be-large-5; name4=could-be-large-4; name3=could-be-large-3; name2=could-be-large-2; name1=could-be-large-1 ++ ++ ++ ++ +diff --git a/tests/data/test443 b/tests/data/test443 +new file mode 100644 +index 000000000..996b1d304 +--- /dev/null ++++ b/tests/data/test443 +@@ -0,0 +1,79 @@ ++ ++# perl: ++# ++#for(1 .. 20) { ++# print join("\t", ++# "attack.invalid", "TRUE", "/", "FALSE", "0", ++# "huge-$_", ('a' x 500)."-$_")."\n"; ++#} ++# ++ ++ ++HTTP ++cookies ++--resolve ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Cookie header in request no longer than 8K ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -b log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP -L ++ ++ ++attack.invalid TRUE / FALSE 0 huge-1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-1 ++attack.invalid TRUE / FALSE 0 huge-2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-2 ++attack.invalid TRUE / FALSE 0 huge-3 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-3 ++attack.invalid TRUE / FALSE 0 huge-4 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-4 ++attack.invalid TRUE / FALSE 0 huge-5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-5 ++attack.invalid TRUE / FALSE 0 huge-6 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6 ++attack.invalid TRUE / FALSE 0 huge-7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7 ++attack.invalid TRUE / FALSE 0 huge-8 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8 ++attack.invalid TRUE / FALSE 0 huge-9 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9 ++attack.invalid TRUE / FALSE 0 huge-10 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10 ++attack.invalid TRUE / FALSE 0 huge-11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11 ++attack.invalid TRUE / FALSE 0 huge-12 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12 ++attack.invalid TRUE / FALSE 0 huge-13 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13 ++attack.invalid TRUE / FALSE 0 huge-14 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14 ++attack.invalid TRUE / FALSE 0 huge-15 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15 ++attack.invalid TRUE / FALSE 0 huge-16 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16 ++attack.invalid TRUE / FALSE 0 huge-17 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17 ++attack.invalid TRUE / FALSE 0 huge-18 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18 ++attack.invalid TRUE / FALSE 0 huge-19 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19 ++attack.invalid TRUE / FALSE 0 huge-20 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20 ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++Cookie: huge-20=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-20; huge-19=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-19; huge-18=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-18; huge-17=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-17; huge-16=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-16; huge-15=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-15; huge-14=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-14; huge-13=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-13; huge-12=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-12; huge-11=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-11; huge-10=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-10; huge-9=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-9; huge-8=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-8; huge-7=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-7; huge-6=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-6 ++ ++ ++ ++ +-- +2.33.0 + diff --git a/backport-test444-test-many-received-Set-Cookie.patch b/backport-test444-test-many-received-Set-Cookie.patch new file mode 100644 index 0000000000000000000000000000000000000000..3a503ffb0a9f216192ced5d12b4192b0e1216a0e --- /dev/null +++ b/backport-test444-test-many-received-Set-Cookie.patch @@ -0,0 +1,226 @@ +From 46f8911d3942dc06fdd67e9f6f3908982e5d2fb4 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 26 Jun 2022 11:01:01 +0200 +Subject: [PATCH] test444: test many received Set-Cookie: + +The amount of sent cookies in the test is limited to 80 because hyper +has its own strict limits in how many headers it allows to be received +which triggers at some point beyond this number. +--- + tests/data/Makefile.inc | 2 +- + tests/data/test444 | 189 ++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 190 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test444 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index a17618ac7..96f1428d6 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -73,7 +73,7 @@ test409 test410 test411 test412 test413 test414 \ + test418 \ + test430 test431 test432 test433 test434 test435 test445 test446\ + \ +-test442 test443 \ ++test442 test443 test444 \ + test490 test491 test492 test493 test494 \ + \ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +diff --git a/tests/data/test444 b/tests/data/test444 +new file mode 100644 +index 000000000..9bdd4a7fe +--- /dev/null ++++ b/tests/data/test444 +@@ -0,0 +1,189 @@ ++ ++# perl: ++# ++#for(1 .. 200) { ++# ++#} ++# ++ ++ ++HTTP ++cookies ++--resolve ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 6 ++Set-Cookie: cookie-1=yes; ++Set-Cookie: cookie-2=yes; ++Set-Cookie: cookie-3=yes; ++Set-Cookie: cookie-4=yes; ++Set-Cookie: cookie-5=yes; ++Set-Cookie: cookie-6=yes; ++Set-Cookie: cookie-7=yes; ++Set-Cookie: cookie-8=yes; ++Set-Cookie: cookie-9=yes; ++Set-Cookie: cookie-10=yes; ++Set-Cookie: cookie-11=yes; ++Set-Cookie: cookie-12=yes; ++Set-Cookie: cookie-13=yes; ++Set-Cookie: cookie-14=yes; ++Set-Cookie: cookie-15=yes; ++Set-Cookie: cookie-16=yes; ++Set-Cookie: cookie-17=yes; ++Set-Cookie: cookie-18=yes; ++Set-Cookie: cookie-19=yes; ++Set-Cookie: cookie-20=yes; ++Set-Cookie: cookie-21=yes; ++Set-Cookie: cookie-22=yes; ++Set-Cookie: cookie-23=yes; ++Set-Cookie: cookie-24=yes; ++Set-Cookie: cookie-25=yes; ++Set-Cookie: cookie-26=yes; ++Set-Cookie: cookie-27=yes; ++Set-Cookie: cookie-28=yes; ++Set-Cookie: cookie-29=yes; ++Set-Cookie: cookie-30=yes; ++Set-Cookie: cookie-31=yes; ++Set-Cookie: cookie-32=yes; ++Set-Cookie: cookie-33=yes; ++Set-Cookie: cookie-34=yes; ++Set-Cookie: cookie-35=yes; ++Set-Cookie: cookie-36=yes; ++Set-Cookie: cookie-37=yes; ++Set-Cookie: cookie-38=yes; ++Set-Cookie: cookie-39=yes; ++Set-Cookie: cookie-40=yes; ++Set-Cookie: cookie-41=yes; ++Set-Cookie: cookie-42=yes; ++Set-Cookie: cookie-43=yes; ++Set-Cookie: cookie-44=yes; ++Set-Cookie: cookie-45=yes; ++Set-Cookie: cookie-46=yes; ++Set-Cookie: cookie-47=yes; ++Set-Cookie: cookie-48=yes; ++Set-Cookie: cookie-49=yes; ++Set-Cookie: cookie-50=yes; ++Set-Cookie: cookie-51=yes; ++Set-Cookie: cookie-52=yes; ++Set-Cookie: cookie-53=yes; ++Set-Cookie: cookie-54=yes; ++Set-Cookie: cookie-55=yes; ++Set-Cookie: cookie-56=yes; ++Set-Cookie: cookie-57=yes; ++Set-Cookie: cookie-58=yes; ++Set-Cookie: cookie-59=yes; ++Set-Cookie: cookie-60=yes; ++Set-Cookie: cookie-61=yes; ++Set-Cookie: cookie-62=yes; ++Set-Cookie: cookie-63=yes; ++Set-Cookie: cookie-64=yes; ++Set-Cookie: cookie-65=yes; ++Set-Cookie: cookie-66=yes; ++Set-Cookie: cookie-67=yes; ++Set-Cookie: cookie-68=yes; ++Set-Cookie: cookie-69=yes; ++Set-Cookie: cookie-70=yes; ++Set-Cookie: cookie-71=yes; ++Set-Cookie: cookie-72=yes; ++Set-Cookie: cookie-73=yes; ++Set-Cookie: cookie-74=yes; ++Set-Cookie: cookie-75=yes; ++Set-Cookie: cookie-76=yes; ++Set-Cookie: cookie-77=yes; ++Set-Cookie: cookie-78=yes; ++Set-Cookie: cookie-79=yes; ++Set-Cookie: cookie-80=yes; ++ ++-foo- ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++Many Set-Cookie response headers ++ ++ ++http://attack.invalid:%HTTPPORT/a/b/%TESTNUMBER -c log/cookie%TESTNUMBER --resolve attack.invalid:%HTTPPORT:%HOSTIP ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /a/b/%TESTNUMBER HTTP/1.1 ++Host: attack.invalid:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++ ++ ++# Netscape HTTP Cookie File ++# https://curl.se/docs/http-cookies.html ++# This file was generated by libcurl! Edit at your own risk. ++ ++attack.invalid FALSE /a/b/ FALSE 0 cookie-50 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-49 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-48 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-47 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-46 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-45 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-44 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-43 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-42 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-41 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-40 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-39 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-38 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-37 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-36 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-35 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-34 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-33 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-32 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-31 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-30 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-29 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-28 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-27 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-26 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-25 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-24 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-23 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-22 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-21 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-20 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-19 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-18 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-17 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-16 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-15 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-14 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-13 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-12 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-11 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-10 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-9 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-8 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-7 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-6 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-5 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-4 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-3 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-2 yes ++attack.invalid FALSE /a/b/ FALSE 0 cookie-1 yes ++ ++ ++ +-- +2.33.0 + diff --git a/backport-test8-verify-that-ctrl-byte-cookies-are-ignored.patch b/backport-test8-verify-that-ctrl-byte-cookies-are-ignored.patch new file mode 100644 index 0000000000000000000000000000000000000000..4319e6e08be99bbb7714f82eca6511708e235a6e --- /dev/null +++ b/backport-test8-verify-that-ctrl-byte-cookies-are-ignored.patch @@ -0,0 +1,62 @@ +From 2fc031d834d488854ffc58bf7dbcef7fa7c1fc28 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 29 Aug 2022 00:09:17 +0200 +Subject: [PATCH] test8: verify that "ctrl-byte cookies" are ignored + +--- + tests/data/test8 | 32 +++++++++++++++++++++++++++++++- + 1 file changed, 31 insertions(+), 1 deletion(-) + +diff --git a/tests/data/test8 b/tests/data/test8 +index a8548e6c2..858761159 100644 +--- a/tests/data/test8 ++++ b/tests/data/test8 +@@ -46,6 +46,36 @@ Set-Cookie: trailingspace = removed; path=/we/want; + Set-Cookie: nocookie=yes; path=/WE; + Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad; + Set-Cookie: partialip=nono; domain=.0.0.1; ++Set-Cookie: cookie1=%hex[%01-junk]hex% ++Set-Cookie: cookie2=%hex[%02-junk]hex% ++Set-Cookie: cookie3=%hex[%03-junk]hex% ++Set-Cookie: cookie4=%hex[%04-junk]hex% ++Set-Cookie: cookie5=%hex[%05-junk]hex% ++Set-Cookie: cookie6=%hex[%06-junk]hex% ++Set-Cookie: cookie7=%hex[%07-junk]hex% ++Set-Cookie: cookie8=%hex[%08-junk]hex% ++Set-Cookie: cookie9=%hex[junk-%09-]hex% ++Set-Cookie: cookie11=%hex[%0b-junk]hex% ++Set-Cookie: cookie12=%hex[%0c-junk]hex% ++Set-Cookie: cookie14=%hex[%0e-junk]hex% ++Set-Cookie: cookie15=%hex[%0f-junk]hex% ++Set-Cookie: cookie16=%hex[%10-junk]hex% ++Set-Cookie: cookie17=%hex[%11-junk]hex% ++Set-Cookie: cookie18=%hex[%12-junk]hex% ++Set-Cookie: cookie19=%hex[%13-junk]hex% ++Set-Cookie: cookie20=%hex[%14-junk]hex% ++Set-Cookie: cookie21=%hex[%15-junk]hex% ++Set-Cookie: cookie22=%hex[%16-junk]hex% ++Set-Cookie: cookie23=%hex[%17-junk]hex% ++Set-Cookie: cookie24=%hex[%18-junk]hex% ++Set-Cookie: cookie25=%hex[%19-junk]hex% ++Set-Cookie: cookie26=%hex[%1a-junk]hex% ++Set-Cookie: cookie27=%hex[%1b-junk]hex% ++Set-Cookie: cookie28=%hex[%1c-junk]hex% ++Set-Cookie: cookie29=%hex[%1d-junk]hex% ++Set-Cookie: cookie30=%hex[%1e-junk]hex% ++Set-Cookie: cookie31=%hex[%1f-junk]hex% ++Set-Cookie: cookie31=%hex[%7f-junk]hex% + + + +@@ -60,7 +90,7 @@ GET /we/want/%TESTNUMBER HTTP/1.1 + Host: %HOSTIP:%HTTPPORT + User-Agent: curl/%VERSION + Accept: */* +-Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes ++Cookie: name with space=is weird but; trailingspace=removed; cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes; cookie9=junk- - + + + +-- +2.33.0 + diff --git a/backport-tests-verify-the-fix-for-CVE-2022-27774.patch b/backport-tests-verify-the-fix-for-CVE-2022-27774.patch new file mode 100644 index 0000000000000000000000000000000000000000..027285ca1eef2a328edde137b6c57949b3c8f87e --- /dev/null +++ b/backport-tests-verify-the-fix-for-CVE-2022-27774.patch @@ -0,0 +1,413 @@ +From 5295e8d64ac6949ecb3f9e564317a608f51b90d8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] tests: verify the fix for CVE-2022-27774 + + - Test 973 redirects from HTTP to FTP, clear auth + - Test 974 redirects from HTTP to HTTP different port, clear auth + - Test 975 redirects from HTTP to FTP, permitted to keep auth + - Test 976 redirects from HTTP to HTTP different port, permitted to keep + auth +--- + tests/data/Makefile.inc | 2 +- + tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++ + tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++ + tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 352 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test973 + create mode 100644 tests/data/test974 + create mode 100644 tests/data/test975 + create mode 100644 tests/data/test976 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 0e44679b3..6ec78c6e9 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -119,7 +119,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \ + test945 test946 test947 test948 test949 test950 test951 test952 test953 \ + test954 test955 test956 test957 test958 test959 test960 test961 test962 \ + test963 test964 test965 test966 test967 test968 test969 test970 test971 \ +-test972 \ ++test972 test973 test974 test975 test976 \ + \ + test980 test981 test982 test983 test984 test985 test986 \ + \ +diff --git a/tests/data/test973 b/tests/data/test973 +new file mode 100644 +index 000000000..6ced10789 +--- /dev/null ++++ b/tests/data/test973 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP w/o auth ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE %TESTNUMBER0002 ++RETR %TESTNUMBER0002 ++QUIT ++ ++ ++ +diff --git a/tests/data/test974 b/tests/data/test974 +new file mode 100644 +index 000000000..ac4e6415d +--- /dev/null ++++ b/tests/data/test974 +@@ -0,0 +1,87 @@ ++ ++ ++ ++HTTP ++--location ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port w/o auth ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +diff --git a/tests/data/test975 b/tests/data/test975 +new file mode 100644 +index 000000000..85e03e4f2 +--- /dev/null ++++ b/tests/data/test975 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++FTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++ ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002 ++ ++data ++ to ++ see ++that FTP ++works ++ so does it? ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ftp ++ ++ ++HTTP with auth redirected to FTP allowing auth to continue ++ ++ ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++ ++USER joe ++PASS secret ++PWD ++CWD a ++CWD path ++EPSV ++TYPE I ++SIZE %TESTNUMBER0002 ++RETR %TESTNUMBER0002 ++QUIT ++ ++ ++ +diff --git a/tests/data/test976 b/tests/data/test976 +new file mode 100644 +index 000000000..c4dd61e70 +--- /dev/null ++++ b/tests/data/test976 +@@ -0,0 +1,88 @@ ++ ++ ++ ++HTTP ++--location-trusted ++ ++ ++ ++# ++# Server-side ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++HTTP/1.1 301 redirect ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 0 ++Connection: close ++Content-Type: text/html ++Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002 ++ ++HTTP/1.1 200 OK ++Date: Tue, 09 Nov 2010 14:49:00 GMT ++Server: test-server/fake ++Content-Length: 4 ++Connection: close ++Content-Type: text/html ++ ++hey ++ ++ ++ ++ ++# ++# Client-side ++ ++ ++http ++ ++ ++HTTP with auth redirected to HTTP on a diff port --location-trusted ++ ++ ++-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++GET http://firsthost.com/ HTTP/1.1 ++Host: firsthost.com ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1 ++Host: firsthost.com:9999 ++Authorization: Basic am9lOnNlY3JldA== ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +2.33.0 + diff --git a/backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch b/backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch new file mode 100644 index 0000000000000000000000000000000000000000..185e4d7851ffc43f339f8ea7a5a9b4e92288e1e5 --- /dev/null +++ b/backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch @@ -0,0 +1,63 @@ +From 4d97fe547322c4ad0868e2282476b1a7d2027f86 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 15 Nov 2021 16:51:32 +0100 +Subject: [PATCH 1/1] tftp: mark protocol as not possible to do over CONNECT + +... and make connect_init() refusing trying to tunnel protocols marked +as not working. Avoids a double-free. + +Reported-by: Even Rouault +Fixes #8018 +Closes #8020 + +Conflict:remove a chunk because the change exists +Reference:https://github.com/curl/curl/commit/4d97fe547322c4ad0868e2282476b1a7d2027f86 +--- + lib/http_proxy.c | 4 ++++ + lib/tftp.c | 2 +- + lib/urldata.h | 1 + + 3 files changed, 6 insertions(+), 1 deletions(-) + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index 2555b401a..e788babed 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -158,6 +158,10 @@ static CURLcode connect_init(struct Curl_easy *data, bool reinit) + { + struct http_connect_state *s; + struct connectdata *conn = data->conn; ++ if(conn->handler->flags & PROTOPT_NOTCPPROXY) { ++ failf(data, "%s cannot be done over CONNECT", conn->handler->scheme); ++ return CURLE_UNSUPPORTED_PROTOCOL; ++ } + if(!reinit) { + CURLcode result; + DEBUGASSERT(!conn->connect_state); +diff --git a/lib/tftp.c b/lib/tftp.c +index 7e5246f01..f8c68441c 100644 +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -186,7 +186,7 @@ const struct Curl_handler Curl_handler_tftp = { + PORT_TFTP, /* defport */ + CURLPROTO_TFTP, /* protocol */ + CURLPROTO_TFTP, /* family */ +- PROTOPT_NONE | PROTOPT_NOURLQUERY /* flags */ ++ PROTOPT_NOTCPPROXY | PROTOPT_NOURLQUERY /* flags */ + }; + + /********************************************************** +diff --git a/lib/urldata.h b/lib/urldata.h +index f12e99b8d..22c66cd44 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -835,6 +835,7 @@ struct Curl_handler { + #define PROTOPT_WILDCARD (1<<12) /* protocol supports wildcard matching */ + #define PROTOPT_USERPWDCTRL (1<<13) /* Allow "control bytes" (< 32 ascii) in + user name and password */ ++#define PROTOPT_NOTCPPROXY (1<<14) /* this protocol can't proxy over TCP */ + + #define CONNCHECK_NONE 0 /* No checks */ + #define CONNCHECK_ISDEAD (1<<0) /* Check if the connection is dead. */ +-- +2.33.0 + diff --git a/backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch b/backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch new file mode 100644 index 0000000000000000000000000000000000000000..a30d0a6c809c9c19ed16a74b31c88ad6391ea004 --- /dev/null +++ b/backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch @@ -0,0 +1,87 @@ +From 206550a9c25e2084012f616dcce90142a30a8f80 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sat, 23 Jul 2022 13:33:57 +0200 +Subject: [PATCH] tool_getparam: fix cleanarg() for unicode builds + +Use the correct type, and make cleanarg an empty macro if the cleaning +ability is absent. + +Fixes #9195 +Closes #9196 + +Reviewed-by: Jay Satiro +Reviewed-by: Marcel Raad +--- + src/tool_getparam.c | 14 +++++++------- + src/tool_getparam.h | 3 ++- + 2 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 6423c8fe1..9bbd51d34 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -541,9 +541,9 @@ static ParameterError GetSizeParameter(struct GlobalConfig *global, + return PARAM_OK; + } + +-static void cleanarg(char *str) +-{ + #ifdef HAVE_WRITABLE_ARGV ++static void cleanarg(argv_item_t str) ++{ + /* now that GetStr has copied the contents of nextarg, wipe the next + * argument out so that the username:password isn't displayed in the + * system process list */ +@@ -551,14 +551,14 @@ static void cleanarg(char *str) + size_t len = strlen(str); + memset(str, ' ', len); + } ++} + #else +- (void)str; ++#define cleanarg(x) + #endif +-} + + ParameterError getparameter(const char *flag, /* f or -long-flag */ + char *nextarg, /* NULL if unset */ +- char *clearthis, ++ argv_item_t clearthis, + bool *usedarg, /* set to TRUE if the arg + has been used */ + struct GlobalConfig *global, +@@ -576,7 +576,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + ParameterError err; + bool toggle = TRUE; /* how to switch boolean options, on or off. Controlled + by using --OPTION or --no-OPTION */ +- ++ (void)clearthis; /* for !HAVE_WRITABLE_ARGV builds */ + *usedarg = FALSE; /* default is that we don't use the arg */ + + if(('-' != flag[0]) || ('-' == flag[1])) { +@@ -2440,7 +2440,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc, + stillflags = FALSE; + else { + char *nextarg = NULL; +- char *clear = NULL; ++ argv_item_t clear = NULL; + if(i < (argc - 1)) { + nextarg = curlx_convert_tchar_to_UTF8(argv[i + 1]); + if(!nextarg) { +diff --git a/src/tool_getparam.h b/src/tool_getparam.h +index e35136123..0564518a6 100644 +--- a/src/tool_getparam.h ++++ b/src/tool_getparam.h +@@ -54,7 +54,8 @@ typedef enum { + struct GlobalConfig; + struct OperationConfig; + +-ParameterError getparameter(const char *flag, char *nextarg, char *clearthis, ++ParameterError getparameter(const char *flag, char *nextarg, ++ argv_item_t clearthis, + bool *usedarg, + struct GlobalConfig *global, + struct OperationConfig *operation); +-- +2.33.0 + diff --git a/backport-tool_getparam-fix-hiding-of-command-line-secrets.patch b/backport-tool_getparam-fix-hiding-of-command-line-secrets.patch new file mode 100644 index 0000000000000000000000000000000000000000..bbe406bd08c996f1ed539e268a122001294bed56 --- /dev/null +++ b/backport-tool_getparam-fix-hiding-of-command-line-secrets.patch @@ -0,0 +1,91 @@ +From 2ed0e1f70ee176edf3d2292ab01201eb6baf86b3 Mon Sep 17 00:00:00 2001 +From: Harry Sintonen +Date: Wed, 11 Jan 2023 11:39:33 +0100 +Subject: [PATCH] tool_getparam: fix hiding of command line secrets + +Closes #10276 +--- + src/tool_getparam.c | 14 ++++++++------ + src/tool_getparam.h | 1 + + src/tool_parsecfg.c | 2 +- + 3 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 68bc83223..bb4303a8c 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -660,6 +660,7 @@ static ParameterError data_urlencode(struct GlobalConfig *global, + + ParameterError getparameter(const char *flag, /* f or -long-flag */ + char *nextarg, /* NULL if unset */ ++ argv_item_t cleararg, + bool *usedarg, /* set to TRUE if the arg + has been used */ + struct GlobalConfig *global, +@@ -764,15 +765,16 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + /* this option requires an extra parameter */ + if(!longopt && parse[1]) { + nextarg = (char *)&parse[1]; /* this is the actual extra parameter */ +-#ifdef HAVE_WRITABLE_ARGV +- clearthis = nextarg; +-#endif + singleopt = TRUE; /* don't loop anymore after this */ + } + else if(!nextarg) + return PARAM_REQUIRES_PARAMETER; +- else ++ else { ++#ifdef HAVE_WRITABLE_ARGV ++ clearthis = cleararg; ++#endif + *usedarg = TRUE; /* mark it as used */ ++ } + + if((aliases[hit].desc == ARG_FILENAME) && + (nextarg[0] == '-') && nextarg[1]) { +@@ -2494,7 +2496,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc, + } + } + +- result = getparameter(orig_opt, nextarg, &passarg, ++ result = getparameter(orig_opt, nextarg, argv[i + 1], &passarg, + global, config); + curlx_unicodefree(nextarg); + config = global->last; +@@ -2533,7 +2535,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc, + bool used; + + /* Just add the URL please */ +- result = getparameter("--url", orig_opt, &used, global, config); ++ result = getparameter("--url", orig_opt, argv[i], &used, global, config); + } + + if(!result) +diff --git a/src/tool_getparam.h b/src/tool_getparam.h +index 677ce8e5f..827a04e81 100644 +--- a/src/tool_getparam.h ++++ b/src/tool_getparam.h +@@ -55,6 +55,7 @@ struct GlobalConfig; + struct OperationConfig; + + ParameterError getparameter(const char *flag, char *nextarg, ++ argv_item_t cleararg, + bool *usedarg, + struct GlobalConfig *global, + struct OperationConfig *operation); +diff --git a/src/tool_parsecfg.c b/src/tool_parsecfg.c +index ffc19fdf0..50d03f666 100644 +--- a/src/tool_parsecfg.c ++++ b/src/tool_parsecfg.c +@@ -223,7 +223,7 @@ int parseconfig(const char *filename, struct GlobalConfig *global) + #ifdef DEBUG_CONFIG + fprintf(stderr, "PARAM: \"%s\"\n",(param ? param : "(null)")); + #endif +- res = getparameter(option, param, &usedarg, global, operation); ++ res = getparameter(option, param, NULL, &usedarg, global, operation); + operation = global->last; + + if(!res && param && *param && !usedarg) +-- +2.33.0 + diff --git a/backport-tool_getparam-repair-cleanarg.patch b/backport-tool_getparam-repair-cleanarg.patch new file mode 100644 index 0000000000000000000000000000000000000000..6d2ce2a5ab5536e4973b55be954b05bc59d2d5b9 --- /dev/null +++ b/backport-tool_getparam-repair-cleanarg.patch @@ -0,0 +1,267 @@ +From bf7e887b2442783ab52ddf9d1348c52344fc96f1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 10 Jul 2022 15:22:13 +0200 +Subject: [PATCH] tool_getparam: repair cleanarg + +Regression since 9e5669f. + +Make sure the "cleaning" of command line arguments is done on the +original argv[] pointers. As a bonus, it also exits better on out of +memory error. + +Reported-by: Litter White +Fixes #9128 +Closes #9130 +--- + src/tool_getparam.c | 61 +++++++++++++++++++++++++++++++-------------- + src/tool_getparam.h | 3 ++- + src/tool_paramhlp.c | 15 ----------- + src/tool_paramhlp.h | 2 -- + src/tool_parsecfg.c | 2 +- + 5 files changed, 45 insertions(+), 38 deletions(-) + +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 9d425c846..6423c8fe1 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -487,7 +487,6 @@ GetFileAndPassword(char *nextarg, char **file, char **password) + Curl_safefree(*password); + *password = passphrase; + } +- cleanarg(nextarg); + } + + /* Get a size parameter for '--limit-rate' or '--max-filesize'. +@@ -542,8 +541,24 @@ static ParameterError GetSizeParameter(struct GlobalConfig *global, + return PARAM_OK; + } + ++static void cleanarg(char *str) ++{ ++#ifdef HAVE_WRITABLE_ARGV ++ /* now that GetStr has copied the contents of nextarg, wipe the next ++ * argument out so that the username:password isn't displayed in the ++ * system process list */ ++ if(str) { ++ size_t len = strlen(str); ++ memset(str, ' ', len); ++ } ++#else ++ (void)str; ++#endif ++} ++ + ParameterError getparameter(const char *flag, /* f or -long-flag */ + char *nextarg, /* NULL if unset */ ++ char *clearthis, + bool *usedarg, /* set to TRUE if the arg + has been used */ + struct GlobalConfig *global, +@@ -675,7 +690,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + break; + case 'B': /* OAuth 2.0 bearer token */ + GetStr(&config->oauth_bearer, nextarg); +- cleanarg(nextarg); ++ cleanarg(clearthis); + config->authtype |= CURLAUTH_BEARER; + break; + case 'c': /* connect-timeout */ +@@ -1637,6 +1652,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + case 'E': + switch(subletter) { + case '\0': /* certificate file */ ++ cleanarg(clearthis); + GetFileAndPassword(nextarg, &config->cert, &config->key_passwd); + break; + case 'a': /* CA info PEM file */ +@@ -1653,7 +1669,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + break; + case 'e': /* private key passphrase */ + GetStr(&config->key_passwd, nextarg); +- cleanarg(nextarg); ++ cleanarg(clearthis); + break; + case 'f': /* crypto engine */ + GetStr(&config->engine, nextarg); +@@ -1679,19 +1695,19 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + break; + case 'k': /* TLS username */ + if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) { +- cleanarg(nextarg); ++ cleanarg(clearthis); + return PARAM_LIBCURL_DOESNT_SUPPORT; + } + GetStr(&config->tls_username, nextarg); +- cleanarg(nextarg); ++ cleanarg(clearthis); + break; + case 'l': /* TLS password */ + if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) { +- cleanarg(nextarg); ++ cleanarg(clearthis); + return PARAM_LIBCURL_DOESNT_SUPPORT; + } + GetStr(&config->tls_password, nextarg); +- cleanarg(nextarg); ++ cleanarg(clearthis); + break; + case 'm': /* TLS authentication type */ + if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) { +@@ -1752,21 +1768,19 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + break; + + case 'u': /* TLS username for proxy */ ++ cleanarg(clearthis); + if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) { +- cleanarg(nextarg); + return PARAM_LIBCURL_DOESNT_SUPPORT; + } + GetStr(&config->proxy_tls_username, nextarg); +- cleanarg(nextarg); + break; + + case 'v': /* TLS password for proxy */ ++ cleanarg(clearthis); + if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) { +- cleanarg(nextarg); + return PARAM_LIBCURL_DOESNT_SUPPORT; + } + GetStr(&config->proxy_tls_password, nextarg); +- cleanarg(nextarg); + break; + + case 'w': /* TLS authentication type for proxy */ +@@ -1780,6 +1794,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + break; + + case 'x': /* certificate file for proxy */ ++ cleanarg(clearthis); + GetFileAndPassword(nextarg, &config->proxy_cert, + &config->proxy_key_passwd); + break; +@@ -1798,7 +1813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + + case '1': /* private key passphrase for proxy */ + GetStr(&config->proxy_key_passwd, nextarg); +- cleanarg(nextarg); ++ cleanarg(clearthis); + break; + + case '2': /* ciphers for proxy */ +@@ -2246,12 +2261,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ + case 'u': + /* user:password */ + GetStr(&config->userpwd, nextarg); +- cleanarg(nextarg); ++ cleanarg(clearthis); + break; + case 'U': + /* Proxy user:password */ + GetStr(&config->proxyuserpwd, nextarg); +- cleanarg(nextarg); ++ cleanarg(clearthis); + break; + case 'v': + if(toggle) { +@@ -2424,11 +2439,19 @@ ParameterError parse_args(struct GlobalConfig *global, int argc, + following (URL) argument to start with -. */ + stillflags = FALSE; + else { +- char *nextarg = (i < (argc - 1)) +- ? curlx_convert_tchar_to_UTF8(argv[i + 1]) +- : NULL; ++ char *nextarg = NULL; ++ char *clear = NULL; ++ if(i < (argc - 1)) { ++ nextarg = curlx_convert_tchar_to_UTF8(argv[i + 1]); ++ if(!nextarg) { ++ curlx_unicodefree(orig_opt); ++ return PARAM_NO_MEM; ++ } ++ clear = argv[i + 1]; ++ } + +- result = getparameter(orig_opt, nextarg, &passarg, global, config); ++ result = getparameter(orig_opt, nextarg, clear, &passarg, ++ global, config); + curlx_unicodefree(nextarg); + config = global->last; + if(result == PARAM_NEXT_OPERATION) { +@@ -2466,7 +2489,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc, + bool used; + + /* Just add the URL please */ +- result = getparameter("--url", orig_opt, &used, global, ++ result = getparameter("--url", orig_opt, NULL, &used, global, + config); + } + +diff --git a/src/tool_getparam.h b/src/tool_getparam.h +index ef9833575..e35136123 100644 +--- a/src/tool_getparam.h ++++ b/src/tool_getparam.h +@@ -54,7 +54,8 @@ typedef enum { + struct GlobalConfig; + struct OperationConfig; + +-ParameterError getparameter(const char *flag, char *nextarg, bool *usedarg, ++ParameterError getparameter(const char *flag, char *nextarg, char *clearthis, ++ bool *usedarg, + struct GlobalConfig *global, + struct OperationConfig *operation); + +diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c +index 71c738594..db0d0fb00 100644 +--- a/src/tool_paramhlp.c ++++ b/src/tool_paramhlp.c +@@ -116,21 +116,6 @@ ParameterError file2memory(char **bufp, size_t *size, FILE *file) + return PARAM_OK; + } + +-void cleanarg(char *str) +-{ +-#ifdef HAVE_WRITABLE_ARGV +- /* now that GetStr has copied the contents of nextarg, wipe the next +- * argument out so that the username:password isn't displayed in the +- * system process list */ +- if(str) { +- size_t len = strlen(str); +- memset(str, ' ', len); +- } +-#else +- (void)str; +-#endif +-} +- + /* + * Parse the string and write the long in the given address. Return PARAM_OK + * on success, otherwise a parameter specific error enum. +diff --git a/src/tool_paramhlp.h b/src/tool_paramhlp.h +index 297490b57..ec44e2df4 100644 +--- a/src/tool_paramhlp.h ++++ b/src/tool_paramhlp.h +@@ -31,8 +31,6 @@ ParameterError file2string(char **bufp, FILE *file); + + ParameterError file2memory(char **bufp, size_t *size, FILE *file); + +-void cleanarg(char *str); +- + ParameterError str2num(long *val, const char *str); + ParameterError str2unum(long *val, const char *str); + ParameterError oct2nummax(long *val, const char *str, long max); +diff --git a/src/tool_parsecfg.c b/src/tool_parsecfg.c +index a166757f8..34eb5daa9 100644 +--- a/src/tool_parsecfg.c ++++ b/src/tool_parsecfg.c +@@ -223,7 +223,7 @@ int parseconfig(const char *filename, struct GlobalConfig *global) + #ifdef DEBUG_CONFIG + fprintf(stderr, "PARAM: \"%s\"\n",(param ? param : "(null)")); + #endif +- res = getparameter(option, param, &usedarg, global, operation); ++ res = getparameter(option, param, NULL, &usedarg, global, operation); + operation = global->last; + + if(!res && param && *param && !usedarg) +-- +2.33.0 + diff --git a/curl-7.77.0.tar.xz b/curl-7.77.0.tar.xz deleted file mode 100644 index 2fb0baf0cc906c83b233e27f5afc616c1310f2d2..0000000000000000000000000000000000000000 Binary files a/curl-7.77.0.tar.xz and /dev/null differ diff --git a/curl-7.79.1.tar.xz b/curl-7.79.1.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..bb9d086ae4968527fb5df92fbdd6cdb15393f013 Binary files /dev/null and b/curl-7.79.1.tar.xz differ diff --git a/curl.spec b/curl.spec index 8d0781de96e82a6054df5285b94c3e6ef4d351aa..6ca5ffdbb101b6440f53d3282e52fced60e065cd 100644 --- a/curl.spec +++ b/curl.spec @@ -1,26 +1,83 @@ #Global macro or variable %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) -%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0) +%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|') %global _configure ../configure Name: curl -Version: 7.77.0 -Release: 2 +Version: 7.79.1 +Release: 24 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ Source: https://curl.haxx.se/download/curl-%{version}.tar.xz -Patch101: 0101-curl-7.32.0-multilib.patch -Patch102: 0102-curl-7.36.0-debug.patch -Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch -Patch106: 0106-curl-fix-CVE-2019-15601.patch -Patch107: backport-CVE-2021-22925.patch -Patch108: backport-CVE-2021-22926.patch +Patch1: backport-0101-curl-7.32.0-multilib.patch +Patch2: backport-CVE-2022-22576.patch +Patch3: backport-CVE-2022-27775.patch +Patch4: backport-CVE-2022-27776.patch +Patch5: backport-pre-CVE-2022-27774.patch +Patch6: backport-001-CVE-2022-27774.patch +Patch7: backport-002-CVE-2022-27774.patch +Patch8: backport-CVE-2022-27781.patch +Patch9: backport-pre-CVE-2022-27782.patch +Patch10: backport-CVE-2022-27782.patch +Patch11: backport-CVE-2022-32205.patch +Patch12: backport-CVE-2022-32206.patch +Patch13: backport-CVE-2022-32207.patch +Patch14: backport-CVE-2022-32208.patch +Patch15: backport-fix-configure-disable-http-auth-build-error.patch +Patch16: backport-CVE-2022-35252-cookie-reject-cookies-with-control-bytes.patch +Patch17: backport-CVE-2022-32221.patch +Patch18: backport-CVE-2022-42916.patch +Patch20: backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch +Patch21: backport-CVE-2022-43552-smb-telnet-do-not-free-the-protocol-struct-in-_done.patch +Patch22: backport-0001-CVE-2023-23914-CVE-2023-23915.patch +Patch23: backport-0002-CVE-2023-23914-CVE-2023-23915.patch +Patch24: backport-0003-CVE-2023-23914-CVE-2023-23915.patch +Patch25: backport-0004-CVE-2023-23914-CVE-2023-23915.patch +Patch26: backport-0005-CVE-2023-23914-CVE-2023-23915.patch +Patch27: backport-0001-CVE-2023-23916.patch +Patch28: backport-0002-CVE-2023-23916.patch +Patch29: backport-CVE-2023-27533.patch +Patch30: backport-CVE-2023-27534-pre1.patch +Patch31: backport-CVE-2023-27534.patch +Patch32: backport-CVE-2023-27538.patch +Patch33: backport-CVE-2023-27535-pre1.patch +Patch34: backport-CVE-2023-27536.patch +Patch35: backport-CVE-2023-27535.patch +Patch36: backport-after-CVE-2022-32207-to-fix-build-error-when-user-don-t-use-glibc.patch +Patch37: backport-CVE-2023-28321.patch +Patch38: backport-CVE-2023-28322.patch +Patch39: backport-0001-CVE-2023-28320.patch +Patch40: backport-0002-CVE-2023-28320.patch +Patch41: backport-0003-CVE-2023-28320.patch +Patch42: backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch +Patch43: backport-tool_getparam-repair-cleanarg.patch +Patch44: backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch +Patch45: backport-getparam-correctly-clean-args.patch +Patch46: backport-tool_getparam-fix-hiding-of-command-line-secrets.patch +Patch47: backport-multi-shut-down-CONNECT-in-Curl_detach_connnection.patch +Patch48: backport-curl_easy_cleanup.3-remove-from-multi-handle-first.patch +Patch49: backport-http_proxy-make-Curl_connect_done-work-for-proxy-dis.patch +Patch50: backport-Curl_connect_done-handle-being-called-twice.patch +Patch51: backport-tftp-mark-protocol-as-not-possible-to-do-over-CONNEC.patch +Patch52: backport-test1939-require-proxy-support-to-run.patch +Patch53: backport-lib1939-make-it-endure-torture-tests.patch +Patch54: backport-CVE-2022-42915.patch +Patch55: backport-tests-verify-the-fix-for-CVE-2022-27774.patch +Patch56: backport-test442-443-test-cookie-caps.patch +Patch57: backport-test444-test-many-received-Set-Cookie.patch +Patch58: backport-test8-verify-that-ctrl-byte-cookies-are-ignored.patch +Patch59: backport-test1948-verify-PUT-POST-reusing-the-same-handle.patch +Patch60: backport-test387-verify-rejection-of-compression-chain-attack.patch +Patch61: backport-hostcheck-fix-host-name-wildcard-checking.patch +Patch62: backport-CVE-2023-32001.patch +Patch63: backport-CVE-2023-38545.patch +Patch64: backport-CVE-2023-38546.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel -BuildRequires: libidn2-devel libmetalink-devel libnghttp2-devel libpsl-devel +BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel BuildRequires: libssh-devel make openldap-devel openssh-clients openssh-server BuildRequires: openssl-devel perl-interpreter pkgconfig python3-devel sed BuildRequires: stunnel zlib-devel gnutls-utils nghttp2 perl(IO::Compress::Gzip) @@ -28,9 +85,6 @@ BuildRequires: perl(Getopt::Long) perl(Pod::Usage) perl(strict) perl(warnings) BuildRequires: perl(Cwd) perl(Digest::MD5) perl(Exporter) perl(File::Basename) BuildRequires: perl(File::Copy) perl(File::Spec) perl(IPC::Open2) perl(MIME::Base64) BuildRequires: perl(Time::Local) perl(Time::HiRes) perl(vars) -%ifarch x86_64 -BuildRequires: valgrind -%endif Requires: libcurl = %{version}-%{release} Provides: curl-full = %{version}-%{release} webclient @@ -63,10 +117,7 @@ Header files for libcurl. %prep %autosetup -n %{name}-%{version} -p1 -# make tests/*.py use Python 3 -sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py - -printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED +printf "1112\n1455\n1184\n1801\n1592\n" >> tests/data/DISABLED # adapt test 323 for updated OpenSSL sed -e 's/^35$/35,52/' -i tests/data/test323 @@ -79,11 +130,11 @@ sed -e 's/^35$/35,52/' -i tests/data/test323 eval "$cmd" ) +%build # regenerate Makefile.in files aclocal -I m4 automake -%build install -d build-full export common_configure_opts="--cache-file=../config.cache \ --enable-symbol-hiding --enable-ipv6 --enable-threaded-resolver \ @@ -101,7 +152,6 @@ export common_configure_opts="--cache-file=../config.cache \ --enable-manual \ --with-brotli \ --with-libidn2 \ - --with-libmetalink \ --with-libpsl \ --with-libssh ) @@ -112,6 +162,32 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \ %make_build V=1 -C build-full +%check +# compile upstream test-cases +%make_build V=1 -C build-full/tests + +# relax crypto policy for the test-suite to make it pass again (#1610888) +export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX +export OPENSSL_CONF= + +# make runtests.pl work for out-of-tree builds +export srcdir=../../tests + +# prevent valgrind from being extremely slow (#1662656) +unset DEBUGINFOD_URLS + +# run the upstream test-suite for curl-full +for size in full; do ( + cd build-${size} + + # we have to override LD_LIBRARY_PATH because we eliminated rpath + export LD_LIBRARY_PATH="${PWD}/lib/.libs" + + cd tests + perl -I../../tests ../../tests/runtests.pl -a -n -p -v '!flaky' +) +done + %install rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so} @@ -167,6 +243,156 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Wed Oct 11 2023 Funda Wang - 7.79.1-24 +- Type:CVE +- CVE:CVE-2023-38545, CVE-2023-38546 +- SUG:NA +- DESC:fix CVE-2023-38545, CVE-2023-38546 + +* Thu Jul 20 2023 zhouyihang - 7.79.1-23 +- Type:CVE +- CVE:CVE-2023-32001 +- SUG:NA +- DESC:fix CVE-2023-32001 + +* Mon Jul 10 2023 zhouyihang - 7.79.1-22 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport some testcases + +* Mon Jul 03 2023 zhouyihang - 7.79.1-21 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix double-free when using https with tunneling proxy + +* Mon Jun 19 2023 zhouyihang - 7.79.1-20 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:hide sensitive info in cmdline when ps + +* Sat Jun 10 2023 zhouyihang - 7.79.1-19 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:disable valgrind in tests + +* Thu Jun 08 2023 xingwei - 7.79.1-18 +- Type:CVE +- CVE:CVE-2023-28320 +- SUG:NA +- DESC:fix CVE-2023-28320 + +* Wed May 24 2023 xingwei - 7.79.1-17 +- Type:CVE +- CVE:CVE-2023-28321,CVE-2023-28322 +- SUG:NA +- DESC:fix CVE-2023-28321,CVE-2023-28322 + +* Wed Apr 19 2023 gaihuiying - 7.79.1-16 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport to fix build error when user don't use glibc + +* Wed Mar 22 2023 xingwei - 7.79.1-15 +- Type:cves +- CVE:CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 +- SUG:NA +- DESC:fix CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 + +* Sat Feb 18 2023 xinghe - 7.79.1-14 +- Type:cves +- CVE:CVE-2023-23914 CVE-2023-23915 CVE-2023-23916 +- SUG:NA +- DESC:fix CVE-2023-23914 CVE-2023-23915 CVE-2023-23916 + +* Thu Dec 22 2022 zhouyihang - 7.79.1-13 +- Type:cves +- CVE:CVE-2022-43551 CVE-2022-43552 +- SUG:NA +- DESC:fix CVE-2022-43551 CVE-2022-43552 + +* Thu Oct 27 2022 yanglu - 7.79.1-12 +- Type:cves +- CVE:CVE-2022-32221 CVE-2022-42915 CVE-2022-42916 +- SUG:NA +- DESC:fix CVE-2022-32221 CVE-2022-42915 CVE-2022-42916 + +* Tue Oct 11 2022 huangduirong - 7.79.1-11 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Move autoreconf to build + +* Thu Sep 01 2022 zhouyihang - 7.79.1-10 +- Type:cves +- CVE:CVE-2022-35252 +- SUG:NA +- DESC:fix CVE-2022-35252 + +* Mon Jul 25 2022 gaihuiying - 7.79.1-9 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix build error when add --disable-http-auth configure option + +* Tue Jul 05 2022 gaihuiying - 7.79.1-8 +- Type:cves +- CVE:CVE-2022-32207 +- SUG:NA +- DESC:fix CVE-2022-32207 better + +* Wed Jun 29 2022 gaihuiying - 7.79.1-7 +- Type:cves +- CVE:CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208 +- SUG:NA +- DESC:fix CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208 + +* Tue May 17 2022 gaihuiying - 7.79.1-6 +- Type:cves +- CVE:CVE-2022-27781 CVE-2022-27782 +- SUG:NA +- DESC:fix CVE-2022-27781 CVE-2022-27782 + +* Fri May 06 2022 gaihuiying - 7.79.1-5 +- Type:cves +- CVE:CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776 +- SUG:NA +- DESC:fix CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776 + +* Tue Feb 22 2022 gaoxingwang - 7.79.1-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix dict and neg telnet server start fail in upstream testcase + +* Mon Jan 24 2022 gaoxingwang - 7.79.1-3 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:enable check in spec + +* Thu Jan 20 2022 yanglu - 7.79.1-2 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:delete useless patch + +* Tue Dec 14 2021 yanglu - 7.79.1-1 +- Type:requirement +- CVE:NA +- SUG:NA +- DESC:update curl to 7.79.1 + +* Wed Sep 29 2021 yanglu - 7.77.0-3 +- Type:CVE +- CVE:CVE-2021-22945 CVE-2021-22946 CVE-2021-22947 +- SUG:NA +- DESC:fix CVE-2021-22945 CVE-2021-22946CVE-2021-22947 + * Fri Aug 13 2021 gaihuiying - 7.77.0-2 - Type:CVE - CVE:CVE-2021-22925 CVE-2021-22926