diff options
Diffstat (limited to 'main/curl/CVE-2016-8624-fixed.patch')
| -rw-r--r-- | main/curl/CVE-2016-8624-fixed.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/main/curl/CVE-2016-8624-fixed.patch b/main/curl/CVE-2016-8624-fixed.patch new file mode 100644 index 0000000000..b288f9ecda --- /dev/null +++ b/main/curl/CVE-2016-8624-fixed.patch @@ -0,0 +1,61 @@ +From 6604d4df30aec66db6f5bd51ee3c341dd7329fcf Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 11 Oct 2016 00:48:35 +0200 +Subject: [PATCH] urlparse: accept '#' as end of host name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +'http://example.com#@127.0.0.1/x.txt' equals a request to example.com +for the '/' document with the rest of the URL being a fragment. + +CVE-2016-8624 + +Bug: https://curl.haxx.se/docs/adv_20161102J.html +Reported-by: Fernando Muñoz +--- + lib/url.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 91b2bf8..98236e2 100644 +--- +Patch was slightly modified by Sergey Lukin <sergej.lukin@gmail.com> +Original patch (https://curl.haxx.se/CVE-2016-8624.patch) failed to apply to +curl 7.49.1 + +--- a/lib/url.c ++++ b/lib/url.c +@@ -4144,7 +4144,7 @@ + path[0]=0; + + if(2 > sscanf(data->change.url, +- "%15[^\n:]://%[^\n/?]%[^\n]", ++ "%15[^\n:]://%[^\n/?#]%[^\n]", + protobuf, + conn->host.name, path)) { + +@@ -4152,7 +4152,7 @@ + * The URL was badly formatted, let's try the browser-style _without_ + * protocol specified like 'http://'. + */ +- rc = sscanf(data->change.url, "%[^\n/?]%[^\n]", conn->host.name, path); ++ rc = sscanf(data->change.url, "%[^\n/?#]%[^\n]", conn->host.name, path); + if(1 > rc) { + /* + * We couldn't even get this format. +@@ -4242,10 +4242,10 @@ + } + + /* If the URL is malformatted (missing a '/' after hostname before path) we +- * insert a slash here. The only letter except '/' we accept to start a path +- * is '?'. ++ * insert a slash here. The only letters except '/' that can start a path is ++ * '?' and '#' - as controlled by the two sscanf() patterns above. + */ +- if(path[0] == '?') { ++ if(path[0] != '/') { + /* We need this function to deal with overlapping memory areas. We know + that the memory area 'path' points to is 'urllen' bytes big and that + is bigger than the path. Use +1 to move the zero byte too. */ + |