Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/lynx/patches/05-fix-CVE-2016-9179.patch
author jiri.kralovec@oracle.com <jiri.kralovec@oracle.com>
Fri, 07 Apr 2017 00:53:32 -0700
changeset 7846 eaed6d702f04
parent 7432 ce5c0c506eec
permissions -rw-r--r--
25556325 Firefox 45 sometimes generates core file on exit

Fix for CVE-2016-9179
See:
http://lists.nongnu.org/archive/html/lynx-dev/2016-11/msg00018.html

Re-engineered the upstream patch, which was only released
for the unstable lynx2.8.9. Removed the at_sign, and made sure that
the user id is correctly stripped of all non valid inputs.

--- lynx2-8-8/WWW/Library/Implementation/HTTCP.c_orig	2016-12-01 15:07:39.487753520 +0000
+++ lynx2-8-8/WWW/Library/Implementation/HTTCP.c	2016-12-01 15:10:20.291328282 +0000
@@ -1792,7 +1792,6 @@
     int status = 0;
     char *line = NULL;
     char *p1 = NULL;
-    char *at_sign = NULL;
     char *host = NULL;
 
 #ifdef INET6
@@ -1814,14 +1813,8 @@
      * Get node name and optional port number.
      */
     p1 = HTParse(url, "", PARSE_HOST);
-    if ((at_sign = StrChr(p1, '@')) != NULL) {
-	/*
-	 * If there's an @ then use the stuff after it as a hostname.
-	 */
-	StrAllocCopy(host, (at_sign + 1));
-    } else {
 	StrAllocCopy(host, p1);
-    }
+    strip_userid(host, FALSE);
     FREE(p1);
 
     HTSprintf0(&line, "%s%s", WWW_FIND_MESSAGE, host);
--- lynx2-8-8/WWW/Library/Implementation/HTTP.c_orig	2016-12-01 15:13:24.171404704 +0000
+++ lynx2-8-8/WWW/Library/Implementation/HTTP.c	2016-12-01 15:19:59.699276204 +0000
@@ -426,7 +426,7 @@
 /*
  * Strip any username from the given string so we retain only the host.
  */
-static void strip_userid(char *host)
+void strip_userid(char *host, int parse_only)
 {
     char *p1 = host;
     char *p2 = StrChr(host, '@');
@@ -439,7 +439,8 @@
 
 	    CTRACE((tfp, "parsed:%s\n", fake));
 	    HTSprintf0(&msg, gettext("Address contains a username: %s"), host);
-	    HTAlert(msg);
+           if (msg !=0 && !parse_only)
+	        HTAlert(msg);
 	    FREE(msg);
 	}
 	while ((*p1++ = *p2++) != '\0') {
@@ -1081,7 +1082,7 @@
 	char *host = NULL;
 
 	if ((host = HTParse(anAnchor->address, "", PARSE_HOST)) != NULL) {
-	    strip_userid(host);
+	    strip_userid(host, TRUE);
 	    HTBprintf(&command, "Host: %s%c%c", host, CR, LF);
 	    FREE(host);
 	}
--- lynx2-8-8/WWW/Library/Implementation/HTUtils.h_orig	2016-12-01 15:21:38.919699987 +0000
+++ lynx2-8-8/WWW/Library/Implementation/HTUtils.h	2016-12-01 15:22:57.870511104 +0000
@@ -801,6 +801,8 @@
 
     extern FILE *TraceFP(void);
 
+    extern void strip_userid(char *host, int warn);
+
 #ifdef USE_SSL
     extern SSL *HTGetSSLHandle(void);
     extern void HTSSLInitPRNG(void);
--- lynx2-8-8/src/LYUtils.c_orig	2016-12-01 15:25:21.769447171 +0000
+++ lynx2-8-8/src/LYUtils.c	2016-12-01 15:28:31.901411555 +0000
@@ -4693,6 +4693,7 @@
      * Do a DNS test on the potential host field as presently trimmed.  - FM
      */
     StrAllocCopy(host, Str);
+    strip_userid(host, FALSE);
     HTUnEscape(host);
     if (LYCursesON) {
 	StrAllocCopy(MsgStr, WWW_FIND_MESSAGE);
upstream/oracle/userland-gate