Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/curl/patches/014-CVE-2014-3613-part1.patch
author Rich Burridge <rich.burridge@oracle.com>
Wed, 10 Sep 2014 08:54:16 -0700
changeset 2077 6efd64347fb0
permissions -rw-r--r--
19548009 problem in LIBRARY/CURL

From eac573ea9c368f5e3c07de4d5ec5c5d0f84a021a Mon Sep 17 00:00:00 2001
From: Tim Ruehsen <[email protected]>
Date: Tue, 19 Aug 2014 21:01:28 +0200
Subject: [PATCH 1/2] cookies: only use full host matches for hosts used as IP
 address

By not detecting and rejecting domain names for partial literal IP
addresses properly when parsing received HTTP cookies, libcurl can be
fooled to both send cookies to wrong sites and to allow arbitrary sites
to set cookies for others.

Bug: http://curl.haxx.se/docs/adv_20140910.html
---
 lib/cookie.c        | 50 ++++++++++++++++++++++++++++++++++++++----------
 tests/data/test1105 |  3 +--
 tests/data/test31   | 55 +++++++++++++++++++++++++++--------------------------
 tests/data/test8    |  3 ++-
 4 files changed, 71 insertions(+), 40 deletions(-)

This problem has been fixed upstream in curl version 7.38.0

--- lib/cookie.c.orig	2014-09-02 16:10:55.940825864 -0700
+++ lib/cookie.c	2014-09-02 16:32:39.899617696 -0700
@@ -94,6 +94,7 @@
 #include "strtoofft.h"
 #include "rawstr.h"
 #include "curl_memrchr.h"
+#include "inet_pton.h"
 
 /* The last #include file should be: */
 #include "memdebug.h"
@@ -178,6 +179,28 @@
 }
 
 
+/*
+ * Return true if the given string is an IP(v4|v6) address.
+ */
+static bool isip(const char *domain)
+{
+  struct in_addr addr;
+#ifdef ENABLE_IPV6
+  struct in6_addr addr6;
+#endif
+
+  if(Curl_inet_pton(AF_INET, domain, &addr)
+#ifdef ENABLE_IPV6
+     || Curl_inet_pton(AF_INET6, domain, &addr6)
+#endif
+    ) {
+    /* domain name given as IP address */
+    return TRUE;
+  }
+
+  return FALSE;
+}
+
 /****************************************************************************
  *
  * Curl_cookie_add()
@@ -290,6 +313,8 @@
           }
         }
         else if(Curl_raw_equal("domain", name)) {
+          bool is_ip;
+
           /* note that this name may or may not have a preceding dot, but
              we don't care about that, we treat the names the same anyway */
 
@@ -333,18 +358,19 @@
             if('.' == whatptr[0])
               whatptr++; /* ignore preceding dot */
 
-            if(!domain || tailmatch(whatptr, domain)) {
-              const char *tailptr=whatptr;
-              if(tailptr[0] == '.')
-                tailptr++;
-              strstore(&co->domain, tailptr); /* don't prefix w/dots
-                                                 internally */
+            is_ip = isip(domain ? domain : whatptr);
+
+            if(!domain
+               || (is_ip && !strcmp(whatptr, domain))
+               || (!is_ip && tailmatch(whatptr, domain))) {
+              strstore(&co->domain, whatptr);
               if(!co->domain) {
                 badcookie = TRUE;
                 break;
               }
-              co->tailmatch=TRUE; /* we always do that if the domain name was
-                                     given */
+              if(!is_ip)
+                co->tailmatch=TRUE; /* we always do that if the domain name was
+                                       given */
             }
             else {
               /* we did not get a tailmatch and then the attempted set domain
@@ -819,10 +845,14 @@
   time_t now = time(NULL);
   struct Cookie *mainco=NULL;
   size_t matches = 0;
+  bool is_ip;
 
   if(!c || !c->cookies)
     return NULL; /* no cookie struct or no cookies in the struct */
 
+  /* check if host is an IP(v4|v6) address */
+  is_ip = isip(host);
+
   co = c->cookies;
 
   while(co) {
@@ -834,8 +864,8 @@
 
       /* now check if the domain is correct */
       if(!co->domain ||
-         (co->tailmatch && tailmatch(co->domain, host)) ||
-         (!co->tailmatch && Curl_raw_equal(host, co->domain)) ) {
+         (co->tailmatch && !is_ip && tailmatch(co->domain, host)) ||
+         ((!co->tailmatch || is_ip) && Curl_raw_equal(host, co->domain)) ) {
         /* the right part of the host matches the domain stuff in the
            cookie data */
 
--- tests/data/test1105.orig	2014-09-02 16:11:45.732615643 -0700
+++ tests/data/test1105	2014-09-02 16:33:42.523906352 -0700
@@ -56,8 +56,7 @@
 # This file was generated by libcurl! Edit at your own risk.
 
 127.0.0.1	FALSE	/we/want/	FALSE	0	foobar	name
-.127.0.0.1	TRUE	"/silly/"	FALSE	0	mismatch	this
-.0.0.1	TRUE	/	FALSE	0	partmatch	present
+127.0.0.1	FALSE	"/silly/"	FALSE	0	mismatch	this
 </file>
 </verify>
 </testcase>
--- tests/data/test31.orig	2014-09-02 16:11:56.912528200 -0700
+++ tests/data/test31	2014-09-04 06:13:16.741533782 -0700
@@ -18,27 +18,29 @@
 Funny-head: yesyes
 Set-Cookie: foobar=name; domain=anything.com; path=/ ; secure
 Set-Cookie:ismatch=this  ; domain=127.0.0.1; path=/silly/
+Set-Cookie: overwrite=this  ; domain=127.0.0.1; path=/overwrite/
+Set-Cookie: overwrite=this2  ; domain=127.0.0.1; path=/overwrite
 Set-Cookie: sec1value=secure1  ; domain=127.0.0.1; path=/secure1/ ; secure
 Set-Cookie: sec2value=secure2  ; domain=127.0.0.1; path=/secure2/ ; secure=
 Set-Cookie: sec3value=secure3  ; domain=127.0.0.1; path=/secure3/ ; secure=
-Set-Cookie: sec4value=secure4  ; secure=; domain=127.0.0.1; path=/secure4/ ; 
-Set-Cookie: sec5value=secure5  ; secure; domain=127.0.0.1; path=/secure5/ ; 
-Set-Cookie: sec6value=secure6  ; secure ; domain=127.0.0.1; path=/secure6/ ; 
-Set-Cookie: sec7value=secure7  ; secure   ; domain=127.0.0.1; path=/secure7/ ; 
-Set-Cookie: sec8value=secure8  ; secure= ; domain=127.0.0.1; path=/secure8/ ; 
-Set-Cookie: secure=very1  ; secure=; domain=127.0.0.1; path=/secure9/; 
-Set-Cookie: httpo1=value1  ; domain=127.0.0.1; path=/p1/; httponly
-Set-Cookie: httpo2=value2  ; domain=127.0.0.1; path=/p2/; httponly=
-Set-Cookie: httpo3=value3  ; httponly; domain=127.0.0.1; path=/p3/;
-Set-Cookie: httpo4=value4  ; httponly=; domain=127.0.0.1; path=/p4/; 
-Set-Cookie: httponly=myvalue1  ; domain=127.0.0.1; path=/p4/; httponly
-Set-Cookie: httpandsec=myvalue2  ; domain=127.0.0.1; path=/p4/; httponly; secure
-Set-Cookie: httpandsec2=myvalue3; domain=127.0.0.1; path=/p4/; httponly=; secure
-Set-Cookie: httpandsec3=myvalue4  ; domain=127.0.0.1; path=/p4/; httponly; secure=
-Set-Cookie: httpandsec4=myvalue5  ; domain=127.0.0.1; path=/p4/; httponly=; secure=
-Set-Cookie: httpandsec5=myvalue6  ; domain=127.0.0.1; path=/p4/; secure; httponly=
-Set-Cookie: httpandsec6=myvalue7  ; domain=127.0.0.1; path=/p4/; secure=; httponly=
-Set-Cookie: httpandsec7=myvalue8  ; domain=127.0.0.1; path=/p4/; secure; httponly
+Set-Cookie: sec4value=secure4  ; secure=; domain=127.0.0.1; path=/secure4/ ; 
+Set-Cookie: sec5value=secure5  ; secure; domain=127.0.0.1; path=/secure5/ ; 
+Set-Cookie: sec6value=secure6  ; secure ; domain=127.0.0.1; path=/secure6/ ; 
+Set-Cookie: sec7value=secure7  ; secure   ; domain=127.0.0.1; path=/secure7/ ; 
+Set-Cookie: sec8value=secure8  ; secure= ; domain=127.0.0.1; path=/secure8/ ; 
+Set-Cookie: secure=very1  ; secure=; domain=127.0.0.1; path=/secure9/; 
+Set-Cookie: httpo1=value1  ; domain=127.0.0.1; path=/p1/; httponly
+Set-Cookie: httpo2=value2  ; domain=127.0.0.1; path=/p2/; httponly=
+Set-Cookie: httpo3=value3  ; httponly; domain=127.0.0.1; path=/p3/;
+Set-Cookie: httpo4=value4  ; httponly=; domain=127.0.0.1; path=/p4/; 
+Set-Cookie: httponly=myvalue1  ; domain=127.0.0.1; path=/p4/; httponly
+Set-Cookie: httpandsec=myvalue2  ; domain=127.0.0.1; path=/p4/; httponly; secure
+Set-Cookie: httpandsec2=myvalue3; domain=127.0.0.1; path=/p4/; httponly=; secure
+Set-Cookie: httpandsec3=myvalue4  ; domain=127.0.0.1; path=/p4/; httponly; secure=
+Set-Cookie: httpandsec4=myvalue5  ; domain=127.0.0.1; path=/p4/; httponly=; secure=
+Set-Cookie: httpandsec5=myvalue6  ; domain=127.0.0.1; path=/p4/; secure; httponly=
+Set-Cookie: httpandsec6=myvalue7  ; domain=127.0.0.1; path=/p4/; secure=; httponly=
+Set-Cookie: httpandsec7=myvalue8  ; domain=127.0.0.1; path=/p4/; secure; httponly
 Set-Cookie: httpandsec8=myvalue9; domain=127.0.0.1; path=/p4/; secure=; httponly
 Set-Cookie: partmatch=present; domain=127.0.0.1 ; path=/;
 Set-Cookie:eat=this; domain=moo.foo.moo;
@@ -49,7 +51,8 @@
 Set-Cookie: test=yes; domain=foo.com; expires=Sat Feb 2 11:56:27 GMT 2030
 Set-Cookie: test2=yes; domain=se; expires=Sat Feb 2 11:56:27 GMT 2030
 Set-Cookie: magic=yessir; path=/silly/; HttpOnly
-Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad;
+Set-Cookie: blexp=yesyes; domain=127.0.0.1; domain=127.0.0.1; expiry=totally bad;
+Set-Cookie: partialip=nono; domain=.0.0.1;
 
 boo
 </data>
@@ -72,6 +75,9 @@
  <command>
 http://%HOSTIP:%HTTPPORT/we/want/31 -b none -c log/jar31.txt
 </command>
+<precheck>
+perl -e 'if ("%HOSTIP" !~ /127\.0\.0\.1$/) {print "Test only works for HOSTIP 127.0.0.1"; exit(1)}'
+</precheck>
 </client>
 
 # Verify data after the test has been "shot"
@@ -90,33 +96,35 @@
 # http://curl.haxx.se/rfc/cookie_spec.html
 # This file was generated by libcurl! Edit at your own risk.
 
-.127.0.0.1	TRUE	/silly/	FALSE	0	ismatch	this
-.127.0.0.1	TRUE	/secure1/	TRUE	0	sec1value	secure1
-.127.0.0.1	TRUE	/secure2/	TRUE	0	sec2value	secure2
-.127.0.0.1	TRUE	/secure3/	TRUE	0	sec3value	secure3
-.127.0.0.1	TRUE	/secure4/	TRUE	0	sec4value	secure4
-.127.0.0.1	TRUE	/secure5/	TRUE	0	sec5value	secure5
-.127.0.0.1	TRUE	/secure6/	TRUE	0	sec6value	secure6
-.127.0.0.1	TRUE	/secure7/	TRUE	0	sec7value	secure7
-.127.0.0.1	TRUE	/secure8/	TRUE	0	sec8value	secure8
-.127.0.0.1	TRUE	/secure9/	TRUE	0	secure	very1
-#HttpOnly_.127.0.0.1	TRUE	/p1/	FALSE	0	httpo1	value1
-#HttpOnly_.127.0.0.1	TRUE	/p2/	FALSE	0	httpo2	value2
-#HttpOnly_.127.0.0.1	TRUE	/p3/	FALSE	0	httpo3	value3
-#HttpOnly_.127.0.0.1	TRUE	/p4/	FALSE	0	httpo4	value4
-#HttpOnly_.127.0.0.1	TRUE	/p4/	FALSE	0	httponly	myvalue1
-#HttpOnly_.127.0.0.1	TRUE	/p4/	TRUE	0	httpandsec	myvalue2
-#HttpOnly_.127.0.0.1	TRUE	/p4/	TRUE	0	httpandsec2	myvalue3
-#HttpOnly_.127.0.0.1	TRUE	/p4/	TRUE	0	httpandsec3	myvalue4
-#HttpOnly_.127.0.0.1	TRUE	/p4/	TRUE	0	httpandsec4	myvalue5
-#HttpOnly_.127.0.0.1	TRUE	/p4/	TRUE	0	httpandsec5	myvalue6
-#HttpOnly_.127.0.0.1	TRUE	/p4/	TRUE	0	httpandsec6	myvalue7
-#HttpOnly_.127.0.0.1	TRUE	/p4/	TRUE	0	httpandsec7	myvalue8
-#HttpOnly_.127.0.0.1	TRUE	/p4/	TRUE	0	httpandsec8	myvalue9
-.127.0.0.1	TRUE	/	FALSE	0	partmatch	present
+127.0.0.1	FALSE	/silly/	FALSE	0	ismatch	this
+127.0.0.1	FALSE	/overwrite/	FALSE	0	overwrite	this
+127.0.0.1	FALSE	/overwrite	FALSE	0	overwrite	this2
+127.0.0.1	FALSE	/secure1/	TRUE	0	sec1value	secure1
+127.0.0.1	FALSE	/secure2/	TRUE	0	sec2value	secure2
+127.0.0.1	FALSE	/secure3/	TRUE	0	sec3value	secure3
+127.0.0.1	FALSE	/secure4/	TRUE	0	sec4value	secure4
+127.0.0.1	FALSE	/secure5/	TRUE	0	sec5value	secure5
+127.0.0.1	FALSE	/secure6/	TRUE	0	sec6value	secure6
+127.0.0.1	FALSE	/secure7/	TRUE	0	sec7value	secure7
+127.0.0.1	FALSE	/secure8/	TRUE	0	sec8value	secure8
+127.0.0.1	FALSE	/secure9/	TRUE	0	secure	very1
+#HttpOnly_127.0.0.1	FALSE	/p1/	FALSE	0	httpo1	value1
+#HttpOnly_127.0.0.1	FALSE	/p2/	FALSE	0	httpo2	value2
+#HttpOnly_127.0.0.1	FALSE	/p3/	FALSE	0	httpo3	value3
+#HttpOnly_127.0.0.1	FALSE	/p4/	FALSE	0	httpo4	value4
+#HttpOnly_127.0.0.1	FALSE	/p4/	FALSE	0	httponly	myvalue1
+#HttpOnly_127.0.0.1	FALSE	/p4/	TRUE	0	httpandsec	myvalue2
+#HttpOnly_127.0.0.1	FALSE	/p4/	TRUE	0	httpandsec2	myvalue3
+#HttpOnly_127.0.0.1	FALSE	/p4/	TRUE	0	httpandsec3	myvalue4
+#HttpOnly_127.0.0.1	FALSE	/p4/	TRUE	0	httpandsec4	myvalue5
+#HttpOnly_127.0.0.1	FALSE	/p4/	TRUE	0	httpandsec5	myvalue6
+#HttpOnly_127.0.0.1	FALSE	/p4/	TRUE	0	httpandsec6	myvalue7
+#HttpOnly_127.0.0.1	FALSE	/p4/	TRUE	0	httpandsec7	myvalue8
+#HttpOnly_127.0.0.1	FALSE	/p4/	TRUE	0	httpandsec8	myvalue9
+127.0.0.1	FALSE	/	FALSE	0	partmatch	present
 127.0.0.1	FALSE	/we/want/	FALSE	2054030187	nodomain	value
 #HttpOnly_127.0.0.1	FALSE	/silly/	FALSE	0	magic	yessir
-.0.0.1	TRUE	/we/want/	FALSE	0	blexp	yesyes
+127.0.0.1	FALSE	/we/want/	FALSE	0	blexp	yesyes
 </file>
 </verify>
 </testcase>
--- tests/data/test8.orig	2014-09-02 16:13:07.812626284 -0700
+++ tests/data/test8	2014-09-02 17:24:33.131678950 -0700
@@ -35,16 +35,20 @@
 Server: test-server/fake
 Content-Type: text/html
 Funny-head: yesyes
-Set-Cookie: foobar=name; domain=127.0.0.1; path=/;
-Set-Cookie: mismatch=this; domain=127.0.0.1; path="/silly/";
+Set-Cookie: foobar=name; domain=%HOSTIP; path=/;
+Set-Cookie: mismatch=this; domain=%HOSTIP; path="/silly/";
 Set-Cookie: partmatch=present; domain=.0.0.1; path=/w;
 Set-Cookie: duplicate=test; domain=.0.0.1; domain=.0.0.1; path=/donkey;
 Set-Cookie: cookie=yes; path=/we;
 Set-Cookie: cookie=perhaps; path=/we/want;
 Set-Cookie: nocookie=yes; path=/WE;
-Set-Cookie: blexp=yesyes; domain=.0.0.1; domain=.0.0.1; expiry=totally bad;
+Set-Cookie: blexp=yesyes; domain=%HOSTIP; domain=%HOSTIP; expiry=totally bad;
+Set-Cookie: partialip=nono; domain=.0.0.1;
 
 </file>
+<precheck>
+perl -e 'if ("%HOSTIP" !~ /\.0\.0\.1$/) {print "Test only works for HOSTIPs ending with .0.0.1"; exit(1)}'
+</precheck>
 </client>
 
 # Verify data after the test has been "shot"
@@ -56,7 +60,7 @@
 GET /we/want/8 HTTP/1.1
 Host: %HOSTIP:%HTTPPORT
 Accept: */*
-Cookie: cookie=perhaps; cookie=yes; partmatch=present; foobar=name; blexp=yesyes
+Cookie: cookie=perhaps; cookie=yes; foobar=name; blexp=yesyes
 
 </protocol>
 </verify>
upstream/oracle/userland-gate