Fix 'CVE-2018-1000007'

Merge: curl/curl@af32cd3859
2025-02-09 19:15:03 +01:00 · 2023-06-12 19:56:24 +02:00 · 2023-06-12 19:56:24 +02:00 · f3b27f66bb
commit f3b27f66bb
parent 2905bcad53
3 changed files with 11 additions and 3 deletions
--- a/r5dev/thirdparty/curl/http.c
+++ b/r5dev/thirdparty/curl/http.c
@ -726,7 +726,7 @@ Curl_http_output_auth(struct connectdata *conn,
  if(!data->state.this_is_a_follow ||
     conn->bits.netrc ||
     !data->state.first_host ||
-     data->set.http_disable_hostname_check_before_authentication ||
+     data->set.allow_auth_to_other_hosts ||
     strcasecompare(data->state.first_host, conn->host.name)) {
    result = output_auth_headers(conn, authhost, request, path, FALSE);
  }
@ -1645,6 +1645,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
                  checkprefix("Transfer-Encoding:", headers->data))
            /* HTTP/2 doesn't support chunked requests */
            ;
+          else if(checkprefix("Authorization:", headers->data) &&
+                  /* be careful of sending this potentially sensitive header to
+                     other hosts */
+                  (data->state.this_is_a_follow &&
+                   data->state.first_host &&
+                   !data->set.allow_auth_to_other_hosts &&
+                   !strcasecompare(data->state.first_host, conn->host.name)))
+            ;
          else {
            CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
                                               headers->data);
--- a/r5dev/thirdparty/curl/url.c
+++ b/r5dev/thirdparty/curl/url.c
@ -986,7 +986,7 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
     * Send authentication (user+password) when following locations, even when
     * hostname changed.
     */
-    data->set.http_disable_hostname_check_before_authentication =
+    data->set.allow_auth_to_other_hosts =
      (0 != va_arg(param, long)) ? TRUE : FALSE;
    break;

--- a/r5dev/thirdparty/curl/urldata.h
+++ b/r5dev/thirdparty/curl/urldata.h
@ -1693,7 +1693,7 @@ struct UserDefined {
  bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */
  bool http_follow_location; /* follow HTTP redirects */
  bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
-  bool http_disable_hostname_check_before_authentication;
+  bool allow_auth_to_other_hosts;
  bool include_header;   /* include received protocol headers in data output */
  bool http_set_referer; /* is a custom referer used */
  bool http_auto_referer; /* set "correct" referer when following location: */