author | Yiteng Zhang <yiteng.zhang@oracle.com> |
Tue, 07 Feb 2017 17:11:12 -0800 | |
branch | s11u3-sru |
changeset 7654 | 61774c5d9189 |
permissions | -rw-r--r-- |
From 6604d4df30aec66db6f5bd51ee3c341dd7329fcf Mon Sep 17 00:00:00 2001 |
From: Daniel Stenberg <[email protected]> |
Date: Tue, 11 Oct 2016 00:48:35 +0200 |
Subject: [PATCH] urlparse: accept '#' as end of host name |
MIME-Version: 1.0 |
Content-Type: text/plain; charset=UTF-8 |
Content-Transfer-Encoding: 8bit |
|
'http://example.com#@127.0.0.1/x.txt' equals a request to example.com |
for the '/' document with the rest of the URL being a fragment. |
|
CVE-2016-8624 |
|
Bug: https://curl.haxx.se/docs/adv_20161102J.html |
Reported-by: Fernando Muñoz |
--- |
lib/url.c | 10 +++++----- |
1 file changed, 5 insertions(+), 5 deletions(-) |
|
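--- a/lib/url.c
+++ b/lib/url.c
@@ -4162,8 +4162,8 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
 /* clear path */
 path[0]=0;
 
 if(2 > sscanf(data->change.url,
- "%15[^\n:]://%[^\n/?]%[^\n]",
+ "%15[^\n:]://%[^\n/?#]%[^\n]",
 protobuf,
 conn->host.name, path)) {
 
@@ -4174,11 +4174,11 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
 
 /*
 * The URL was badly formatted, let's try the browser-style _without_
 * protocol specified like 'http://'.
 */
- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path);
+ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path);
 if(1 > rc) {
 /*
 * We couldn't even get this format.
 * djgpp 2.04 has a sscanf() bug where 'conn->host.name' is
 * assigned, but the return value is EOF!
@@ -4279,14 +4279,14 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
 strcpy(path, "/");
 rebuild_url = TRUE;
 }
 
 /* If the URL is malformatted (missing a '/' after hostname before path) we
- * insert a slash here. The only letter except '/' we accept to start a path
- * is '?'.
+ * insert a slash here. The only letters except '/' that can start a path is
+ * '?' and '#' - as controlled by the two sscanf() patterns above.
 */
- if(path[0] == '?') {
+ if(path[0] != '/') {
 /* We need this function to deal with overlapping memory areas. We know
 that the memory area 'path' points to is 'urllen' bytes big and that
 is bigger than the path. Use +1 to move the zero byte too. */
 memmove(&path[1], path, strlen(path)+1);
 path[0] = '/';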
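Review bot: Both rewritten sscanf() patterns, `%[^\n/?#]%[^\n]`, still store into conn->host.name and path with no field width, so the only bound on those writes is the size of the destination buffers, and neither allocation is visible in these hunks. The comment above the memmove() states that path is 'urllen' bytes, but nothing near the sscanf() calls says the same for host.name; I would add `/* host.name and path are each sized from the URL length, so the unbounded scansets cannot overrun them */` above the first call, after confirming it against the allocation. The widened test `if(path[0] != '/')` in the third hunk leans on the same invariant, since the memmove() now also grows a path that starts with '#' by one byte. parseurlandfillconn() starts and ends outside all three hunks, so this is inferred from the visible lines only.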
-- |
2.9.3 |