commit 91ef7a7ae4d618021f71c023a3702ffbf94d4a04
Author: Daniel Stenberg <daniel@haxx.se>
Date:   Mon Apr 25 16:24:33 2022 +0200

    [Backport] transfer: redirects to other protocols or ports clear auth
    
    Offering: RTOS
    CVE: CVE-2022-27774
    Reference: upstream_commit_id=620ea21410030a9977396b4661806bc187231b79
    
    DTS/AR: DTS2022042805098
    type: LTS
    reason: fix CVE-2022-27774 for curl.
    weblink：https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79
    
    ... unless explicitly permitted.
    
    Bug: https://curl.se/docs/CVE-2022-27774.html
    Reported-by: Harry Sintonen
    Closes #8748
    
    Signed-off-by: lvshengyuan <lvshengyuan1@h-partners.com>

diff --git a/lib/transfer.c b/lib/transfer.c
index 3e650b5b9..78bf349fc 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1652,10 +1652,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
       return CURLE_OUT_OF_MEMORY;
   }
   else {
-
     uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
     if(uc)
       return Curl_uc_to_curlcode(uc);
+
+    /* Clear auth if this redirects to a different port number or protocol,
+       unless permitted */
+    if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
+      char *portnum;
+      int port;
+      bool clear = FALSE;
+
+      if(data->set.use_port && data->state.allow_port)
+        /* a custom port is used */
+        port = (int)data->set.use_port;
+      else {
+        uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
+                          CURLU_DEFAULT_PORT);
+        if(uc) {
+          free(newurl);
+          return Curl_uc_to_curlcode(uc);
+        }
+        port = atoi(portnum);
+        free(portnum);
+      }
+      if(port != data->info.conn_remote_port) {
+        infof(data, "Clear auth, redirects to port from %u to %u",
+              data->info.conn_remote_port, port);
+        clear = TRUE;
+      }
+      else {
+        char *scheme;
+        const struct Curl_handler *p;
+        uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
+        if(uc) {
+          free(newurl);
+          return Curl_uc_to_curlcode(uc);
+        }
+
+        p = Curl_builtin_scheme(scheme);
+        if(p && (p->protocol != data->info.conn_protocol)) {
+          infof(data, "Clear auth, redirects scheme from %s to %s",
+                data->info.conn_scheme, scheme);
+          clear = TRUE;
+        }
+        free(scheme);
+      }
+      if(clear) {
+        Curl_safefree(data->state.aptr.user);
+        Curl_safefree(data->state.aptr.passwd);
+      }
+    }
   }
 
   if(type == FOLLOW_FAKE) {