88 lines
3.0 KiB
Diff
88 lines
3.0 KiB
Diff
commit 7d598b883eca2d63fa2df9e604a67b6c0c95c15a
|
|
Author: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon Apr 25 17:59:15 2022 +0200
|
|
|
|
[Backport] openssl: don't leak the SRP credentials in redirects either
|
|
|
|
Offering: RTOS
|
|
CVE: CVE-2022-27774
|
|
Reference: upstream_commit_id=139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
|
|
|
|
DTS/AR: DTS2022042805098
|
|
type: LTS
|
|
reason: fix CVE-2022-27774 for curl.
|
|
weblink:https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
|
|
|
|
Follow-up to 620ea21410030
|
|
|
|
Reported-by: Harry Sintonen
|
|
Closes #8751
|
|
|
|
Signed-off-by: lvshengyuan <lvshengyuan1@h-partners.com>
|
|
|
|
diff --git a/lib/http.c b/lib/http.c
|
|
index 180edaf4b..c4427f15a 100644
|
|
--- a/lib/http.c
|
|
+++ b/lib/http.c
|
|
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
|
|
}
|
|
|
|
/*
|
|
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
|
- * data" can (still) be sent to this host.
|
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
|
+ * "sensitive data" can (still) be sent to this host.
|
|
*/
|
|
-static bool allow_auth_to_host(struct Curl_easy *data)
|
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
|
|
{
|
|
struct connectdata *conn = data->conn;
|
|
return (!data->state.this_is_a_follow ||
|
|
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
|
|
|
|
/* To prevent the user+password to get sent to other than the original host
|
|
due to a location-follow */
|
|
- if(allow_auth_to_host(data)
|
|
+ if(Curl_allow_auth_to_host(data)
|
|
#ifndef CURL_DISABLE_NETRC
|
|
|| conn->bits.netrc
|
|
#endif
|
|
@@ -1925,7 +1925,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
|
|
checkprefix("Cookie:", compare)) &&
|
|
/* be careful of sending this potentially sensitive header to
|
|
other hosts */
|
|
- !allow_auth_to_host(data))
|
|
+ !Curl_allow_auth_to_host(data))
|
|
;
|
|
else {
|
|
#ifdef USE_HYPER
|
|
diff --git a/lib/http.h b/lib/http.h
|
|
index bce171550..76741c5b0 100644
|
|
--- a/lib/http.h
|
|
+++ b/lib/http.h
|
|
@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
|
|
bool proxytunnel); /* TRUE if this is the request setting
|
|
up the proxy tunnel */
|
|
|
|
+/*
|
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
|
+ * "sensitive data" can (still) be sent to this host.
|
|
+ */
|
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
|
|
+
|
|
#endif /* HEADER_CURL_HTTP_H */
|
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
|
index 8af23b783..2eae2a8ef 100644
|
|
--- a/lib/vtls/openssl.c
|
|
+++ b/lib/vtls/openssl.c
|
|
@@ -2866,7 +2866,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
|
#endif
|
|
|
|
#ifdef USE_OPENSSL_SRP
|
|
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
|
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
|
+ Curl_allow_auth_to_host(data)) {
|
|
char * const ssl_username = SSL_SET_OPTION(username);
|
|
|
|
infof(data, "Using TLS-SRP username: %s", ssl_username);
|