gbuild: ExternalProject: improve NMAKE handling
[LibreOffice.git] / external / curl / CVE-2018-1000007.patch
blobc474370c78ada97c7371f1fe13a8010665eebb01
1 From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Fri, 19 Jan 2018 13:19:25 +0100
4 Subject: [PATCH] http: prevent custom Authorization headers in redirects
6 ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
7 curl already handles Authorization headers created internally.
9 Note: this changes behavior slightly, for the sake of reducing mistakes.
11 Added test 317 and 318 to verify.
13 Reported-by: Craig de Stigter
14 Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
15 ---
16 docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 ++++-
17 lib/http.c | 10 +++-
18 lib/setopt.c | 2 +-
19 lib/urldata.h | 2 +-
20 tests/data/Makefile.inc | 2 +-
21 tests/data/test317 | 94 +++++++++++++++++++++++++++++++++
22 tests/data/test318 | 95 ++++++++++++++++++++++++++++++++++
23 7 files changed, 212 insertions(+), 5 deletions(-)
24 create mode 100644 tests/data/test317
25 create mode 100644 tests/data/test318
27 diff --git a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
28 index c5ccb1a53d..c9f29e393e 100644
29 --- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
30 +++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3
31 @@ -5,7 +5,7 @@
32 .\" * | (__| |_| | _ <| |___
33 .\" * \___|\___/|_| \_\_____|
34 .\" *
35 -.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
36 +.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
37 .\" *
38 .\" * This software is licensed as described in the file COPYING, which
39 .\" * you should have received as part of this distribution. The terms
40 @@ -77,6 +77,16 @@ the headers. They may be private or otherwise sensitive to leak.
42 Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you
43 intend them to get sent.
45 +Custom headers are sent in all requests done by the easy handles, which
46 +implies that if you tell libcurl to follow redirects
47 +(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
48 +in the subsequent request. Redirects can of course go to other hosts and thus
49 +those servers will get all the contents of your custom headers too.
51 +Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
52 +from being sent to other hosts than the first used one, unless specifically
53 +permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option.
54 .SH DEFAULT
55 NULL
56 .SH PROTOCOLS
57 diff --git a/lib/http.c b/lib/http.c
58 index c1cdf2da02..a5007670d7 100644
59 --- a/lib/http.c
60 +++ b/lib/http.c
61 @@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn,
62 if(!data->state.this_is_a_follow ||
63 conn->bits.netrc ||
64 !data->state.first_host ||
65 - data->set.http_disable_hostname_check_before_authentication ||
66 + data->set.allow_auth_to_other_hosts ||
67 strcasecompare(data->state.first_host, conn->host.name)) {
68 result = output_auth_headers(conn, authhost, request, path, FALSE);
70 @@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
71 checkprefix("Transfer-Encoding:", headers->data))
72 /* HTTP/2 doesn't support chunked requests */
74 + else if(checkprefix("Authorization:", headers->data) &&
75 + /* be careful of sending this potentially sensitive header to
76 + other hosts */
77 + (data->state.this_is_a_follow &&
78 + data->state.first_host &&
79 + !data->set.allow_auth_to_other_hosts &&
80 + !strcasecompare(data->state.first_host, conn->host.name)))
81 + ;
82 else {
83 CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
84 headers->data);
85 diff --git a/lib/setopt.c b/lib/setopt.c
86 index 66f30ea653..a5ef75c722 100644
87 --- a/lib/url.c
88 +++ b/lib/url.c
89 @@ -976,7 +976,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
90 * Send authentication (user+password) when following locations, even when
91 * hostname changed.
93 - data->set.http_disable_hostname_check_before_authentication =
94 + data->set.allow_auth_to_other_hosts =
95 (0 != va_arg(param, long)) ? TRUE : FALSE;
96 break;
98 diff --git a/lib/urldata.h b/lib/urldata.h
99 index 4dcd1a322c..5c04ad1720 100644
100 --- a/lib/urldata.h
101 +++ b/lib/urldata.h
102 @@ -1599,7 +1599,7 @@ struct UserDefined {
103 bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
104 bool http_follow_location; /* follow HTTP redirects */
105 bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
106 - bool http_disable_hostname_check_before_authentication;
107 + bool allow_auth_to_other_hosts;
108 bool include_header; /* include received protocol headers in data output */
109 bool http_set_referer; /* is a custom referer used */
110 bool http_auto_referer; /* set "correct" referer when following location: */