diff options
author | Viktor Szakats <commit@vsz.me> | 2021-02-23 14:54:46 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-03-28 23:19:55 +0200 |
commit | 7214288898f5625a6cc196e22a74232eada7861c (patch) | |
tree | 3db8599cd34164f6005cb8aa423cb7cd9ddc853d | |
parent | 184ffc0bdfcab17eb96d1dd64f9c0cecc139e3e9 (diff) | |
download | curl-7214288898f5625a6cc196e22a74232eada7861c.tar.gz |
transfer: strip credentials from the auto-referer header field
Added test 2081 to verify.
CVE-2021-22876
Bug: https://curl.se/docs/CVE-2021-22876.html
-rw-r--r-- | lib/transfer.c | 25 | ||||
-rw-r--r-- | tests/data/Makefile.inc | 2 | ||||
-rw-r--r-- | tests/data/test2081 | 66 |
3 files changed, 90 insertions, 3 deletions
diff --git a/lib/transfer.c b/lib/transfer.c index 1976bc033..a68c021c8 100644 --- a/lib/transfer.c +++ b/lib/transfer.c @@ -1581,6 +1581,9 @@ CURLcode Curl_follow(struct Curl_easy *data, data->state.followlocation++; /* count location-followers */ if(data->set.http_auto_referer) { + CURLU *u; + char *referer; + /* We are asked to automatically set the previous URL as the referer when we get the next URL. We pick the ->url field, which may or may not be 100% correct */ @@ -1590,9 +1593,27 @@ CURLcode Curl_follow(struct Curl_easy *data, data->state.referer_alloc = FALSE; } - data->state.referer = strdup(data->state.url); - if(!data->state.referer) + /* Make a copy of the URL without crenditals and fragment */ + u = curl_url(); + if(!u) + return CURLE_OUT_OF_MEMORY; + + uc = curl_url_set(u, CURLUPART_URL, data->state.url, 0); + if(!uc) + uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); + if(!uc) + uc = curl_url_set(u, CURLUPART_USER, NULL, 0); + if(!uc) + uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); + if(!uc) + uc = curl_url_get(u, CURLUPART_URL, &referer, 0); + + curl_url_cleanup(u); + + if(uc || referer == NULL) return CURLE_OUT_OF_MEMORY; + + data->state.referer = referer; data->state.referer_alloc = TRUE; /* yes, free this later */ } } diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 2c7a0ca89..ea52683d2 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -225,7 +225,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \ test2064 test2065 test2066 test2067 test2068 test2069 test2070 \ test2071 test2072 test2073 test2074 test2075 test2076 test2077 \ test2078 \ -test2080 \ +test2080 test2081 \ test2100 \ \ test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \ diff --git a/tests/data/test2081 b/tests/data/test2081 new file mode 100644 index 000000000..a6733e737 --- /dev/null +++ b/tests/data/test2081 @@ -0,0 +1,66 @@ +<testcase> +<info> +<keywords> +HTTP +HTTP GET +referer +followlocation +--write-out +</keywords> +</info> + +# Server-side +<reply> +<data nocheck="yes"> +HTTP/1.1 301 This is a weirdo text message swsclose
+Location: data/%TESTNUMBER0002.txt?coolsite=yes
+Content-Length: 62
+Connection: close
+
+This server reply is for testing a simple Location: following +</data> +</reply> + +# Client-side +<client> +<server> +http +</server> + <name> +Automatic referrer credential and anchor stripping check + </name> + <command> +http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n' +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<errorcode> +52 +</errorcode> +<protocol> +GET /we/want/our/%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic dXNlcjpwYXNz
+User-Agent: curl/%VERSION
+Accept: */*
+
+GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic dXNlcjpwYXNz
+User-Agent: curl/%VERSION
+Accept: */*
+Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
+
+</protocol> +<stdout> +HTTP/1.1 301 This is a weirdo text message swsclose
+Location: data/%TESTNUMBER0002.txt?coolsite=yes
+Content-Length: 62
+Connection: close
+
+http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER +</stdout> +</verify> +</testcase> |