From b7cca520678acef8bc2deba8ab6a3b03618d710b Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Tue, 13 Jun 2023 09:45:16 +0200
Subject: [PATCH] Fix CVE-2021-22876

Merge: curl/curl@7214288898f5625a6cc196e22a
Note: The 'CURLU' class does not exist in this particular version of curl, therefore, an alternative approach has been incorporated to mitigate the issue. Code has been tested, and the issue has been fixed.
---
 r5dev/thirdparty/curl/transfer.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/r5dev/thirdparty/curl/transfer.c b/r5dev/thirdparty/curl/transfer.c
index 7c0601fb..8a6d3b79 100644
--- a/r5dev/thirdparty/curl/transfer.c
+++ b/r5dev/thirdparty/curl/transfer.c
@@ -1674,6 +1674,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
       data->change.referer = strdup(data->change.url);
       if(!data->change.referer)
         return CURLE_OUT_OF_MEMORY;
+
+      char* url = data->change.referer;
+      char* p;
+
+      /* remove the fragment part of the path */
+      p = strchr(url, '#');
+      if(p)
+        *p = '\0';
+
+      /* remove user and password of the path */
+      p = strstr(url, "://");
+      if(p) {
+        char* end_of_protocol = p + sizeof("://") - 1;
+        char* at = strchr(end_of_protocol, '@');
+        char* slash = strchr(end_of_protocol, '/');
+        if(at && (!slash || at < slash)) {
+          memmove(end_of_protocol, at + 1, strlen(at + 1) + 1);
+        }
+      }
+
       data->change.referer_alloc = TRUE; /* yes, free this later */
     }
   }
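Review bot: The userinfo scan bounds the authority only at the first `/` (the `slash` lookup and the `at && (!slash || at < slash)` test), so a referer with no path slash before its query, for example a constructed `http://host?q=a@b`, has `host?q=a` cut out and a wrong origin is sent in the header. Ending the authority at the first `/` or `?` avoids that: `char* end = end_of_protocol + strcspn(end_of_protocol, "/?");` followed by `if(at && at < end)`. Separately, `strchr` stops at the first `@`, so userinfo that itself contains an unencoded `@` would leave the tail of the password in the Referer; taking the last `@` before `end` would be stricter, assuming this curl version accepts such URLs at all. The declarations of `url` and `p` also come after statements in the block, which C89 compilers reject, and Curl_follow's body begins and ends outside the hunk, so whether other paths set `data->change.referer` without this scrubbing cannot be checked from here.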