From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 6 Oct 2022 14:13:36 +0200
Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error
Reported-by: Trail of Bits
Closes #9790
Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89
Signed-off-by: Kamil Dudka
Conflict: NA
Reference:https://src.fedoraproject.org/rpms/curl/blob/f35/f/0017-curl-7.82.0-CVE-2022-42915.patch
---
 lib/http_proxy.c | 3 +--
 lib/url.c | 9 ---------
 2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/lib/http_proxy.c b/lib/http_proxy.c
index 1f87f6c..cc20b3a 100644
--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
@@ -207,9 +207,8 @@ static void connect_done(struct Curl_easy *data)
 Curl_dyn_free(&s->rcvbuf);
 Curl_dyn_free(&s->req);
- /* retore the protocol pointer */
+ /* restore the protocol pointer */
 data->req.p.http = s->prot_save;
- s->prot_save = NULL;
 infof(data, "CONNECT phase completed!");
 }
 }
diff --git a/lib/url.c b/lib/url.c
index bfc784f..61c99d2 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -735,15 +735,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
 DEBUGASSERT(data);
 infof(data, "Closing connection %ld", conn->connection_id);
-#ifndef USE_HYPER
- if(conn->connect_state && conn->connect_state->prot_save) {
- /* If this was closed with a CONNECT in progress, cleanup this temporary
- struct arrangement */
- data->req.p.http = NULL;
- Curl_safefree(conn->connect_state->prot_save);
- }
-#endif
-
 /* possible left-overs from the async name resolvers */
 Curl_resolver_cancel(data);
--
2.37.3
From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Thu, 6 Oct 2022 14:14:25 +0200
Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and fix
Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8
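Review bot: The comment above `data->req.p.http = s->prot_save;` should record the ownership rule this fix relies on, because with `s->prot_save = NULL;` removed the two pointers stay aliased after connect_done() returns. Together with the lib/url.c hunk, which deletes the `Curl_safefree(conn->connect_state->prot_save)` in conn_shutdown(), the change appears to make `data->req.p.http` the only pointer the object may be freed through; any path that still frees via `prot_save` would be a double free again. I would word it as `/* restore the protocol pointer; prot_save only borrows it and is never freed through connect_state */`. connect_done() starts outside this hunk, so whether a guard keeps the restore from running twice cannot be confirmed from here.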
Signed-off-by: Kamil Dudka
---
 tests/data/Makefile.inc | 2 +-
 tests/data/test445 | 61 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test445
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 1f774ce..f79b63e 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
 test409 test410 \
 \
-test430 test431 test432 test433 test434 \
+test430 test431 test432 test433 test434 test445\
 \
 test490 test491 test492 test493 test494 \
 \
diff --git a/tests/data/test445 b/tests/data/test445
new file mode 100644
index 0000000..0406c0f
--- /dev/null
+++ b/tests/data/test445
@@ -0,0 +1,61 @@
+
+
+
+HTTP
+HTTP proxy
+
+
+
+#
+# Server-side
+
+
+HTTP/1.1 503 no just no
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+
+-foo-
+
+
+
+#
+# Client-side
+
+
+gopher
+dict
+http
+ftp
+imap
+ldap
+mqtt
+pop3
+rtsp
+scp
+sftp
+smb
+smtp
+
+
+http-proxy
+
+
+Refuse tunneling protocols through HTTP proxy
+
+
+-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send
+
+
+
+#
+# Verify data after the test has been "shot"
+
+# refused in the CONNECT
+
+56
+
+
+
--
2.33.0
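Review bot: In tests/data/Makefile.inc the added line ends in `test445\` with no space before the continuation backslash, unlike every neighbouring line in the hunk. Make still joins the lines, so this is a consistency point only; I would write `test430 test431 test432 test433 test434 test445 \`.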