From a4499aea1f0dd69f4f6e0720594f16f668f53895 Mon Sep 17 00:00:00 2001
From: roy <yupeng@kylinos.cn>
Date: Mon, 18 Aug 2025 18:00:02 +0800
Subject: [PATCH] tool_getparam: clear argument only when needed

---
 ...aram-clear-argument-only-when-needed.patch | 122 ++++++++++++++++++
 curl.spec                                     |   9 +-
 2 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 backport-tool_getparam-clear-argument-only-when-needed.patch

diff --git a/backport-tool_getparam-clear-argument-only-when-needed.patch b/backport-tool_getparam-clear-argument-only-when-needed.patch
new file mode 100644
index 0000000..7602786
--- /dev/null
+++ b/backport-tool_getparam-clear-argument-only-when-needed.patch
@@ -0,0 +1,122 @@
+From da9494eef043aca89ebdb5e4e14fcceef52c98e7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 15 Apr 2025 17:27:47 +0200
+Subject: [PATCH] tool_getparam: clear argument only when needed
+
+Test 699 verifies
+
+Reported-by: bsr13 on hackerone
+Closes #17112
+
+Conflict:tests/data/Makefile.am => tests/data/Makefile.inc
+context adapt
+Reference:https://github.com/curl/curl/commit/da9494eef043aca89ebdb5e4e14fcceef52c98e7
+---
+ src/tool_getparam.c    |  6 +++--
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test699     | 57 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 62 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test699
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index a55973a60..e64239e5f 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -1785,7 +1785,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+         nextarg = (char *)&parse[1]; /* this is the actual extra parameter */
+         singleopt = TRUE;   /* don't loop anymore after this */
+ #ifdef HAVE_WRITABLE_ARGV
+-        clearthis = &cleararg1[parse + 2 - flag];
++        if(cleararg1)
++          clearthis = &cleararg1[parse + 2 - flag];
+ #endif
+       }
+       else if(!nextarg) {
+@@ -1794,7 +1795,8 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+       }
+       else {
+ #ifdef HAVE_WRITABLE_ARGV
+-        clearthis = cleararg2;
++        if(cleararg2)
++          clearthis = cleararg2;
+ #endif
+         *usedarg = TRUE; /* mark it as used */
+       }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 8d83f11ed..5936494fa 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -101,7 +101,7 @@ test654 test655 test656 test658 test659 test660 test661 test662 test663 \
+ test663 test664 test665 test666 test667 test668 test669 test670 test671 \
+ test672 test673 test674 test675 test676 test677 test678 test679 test680 \
+ test681 test682 test683 test684 test685 test686 test687 test688 \
+-\
++test699 \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+ test718 test719 test720 test721 test722 test723 test724 test725 test726 \
+diff --git a/tests/data/test699 b/tests/data/test699
+new file mode 100644
+index 000000000..4d1a2d9dd
+--- /dev/null
++++ b/tests/data/test699
+@@ -0,0 +1,57 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++--config
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data crlf="yes">
++HTTP/1.1 200 OK
++Date: Tue, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++<name>
++--config with single-letter options plus one that is cleared
++</name>
++<file name="%LOGDIR/cmd">
++-Lfuhej:you
++</file>
++<command>
++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -K %LOGDIR/cmd
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<protocol crlf="yes">
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++Authorization: Basic aGVqOnlvdQ==
++User-Agent: curl/%VERSION
++Accept: */*
++
++</protocol>
++</verify>
++</testcase>
+-- 
+2.43.0
diff --git a/curl.spec b/curl.spec
index 50a9333..db6081b 100644
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@
 
 Name:           curl
 Version:        8.4.0
-Release:        20
+Release:        21
 Summary:        Curl is used in command lines or scripts to transfer data
 License:        curl
 URL:            https://curl.se/
@@ -54,6 +54,7 @@ Patch45:        backport-tool_getparam-clear-sensitive-arguments-better.patch
 Patch46:        backport-libssh-fix-freeing-of-resources-in-disconnect.patch
 Patch47:        backport-openssl-fix-crash-on-missing-cert-password.patch
 Patch48:        backport-curl_path-make-SFTP-handle-a-path-like-properly.patch
+Patch49:        backport-tool_getparam-clear-argument-only-when-needed.patch
 
 BuildRequires:  automake brotli-devel coreutils gcc groff krb5-devel
 BuildRequires:  libidn2-devel libnghttp2-devel libpsl-devel
@@ -241,6 +242,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 %{_mandir}/man3/*
 
 %changelog
+* Mon Aug 18 2025 Yu Peng <yupeng@kylinos.cn> - 8.4.0-21
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:tool_getparam: clear argument only when needed
+
 * Mon Aug 04 2025 xingwei <xingwei14@h-partners.com> - 8.4.0-20
 - Type:bugfix
 - CVE:NA
-- 
Gitee