From 30de95bbc64f2a66bd4cd1bf10483f41272c274d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 27 Dec 2022 11:50:23 +0100
Subject: [PATCH 1/5] [Backport] hsts: handle adding the same host name again
Offering: RTOS
CVE: CVE-2023-23914
Reference: https://github.com/curl/curl/commit/ca02a77f05bd5cef20618c8f741aa48b7be0a648
DTS/AR: DTS2023021511961
type: LTS
reason: It will then use the largest expire time of the two entries.
(cherry picked from commit ca02a77f05bd5cef20618c8f741aa48b7be0a648)
Conflicts:
lib/hsts.c
Signed-off-by: chenzanyu <chenzanyu@huawei.com>
---
lib/hsts.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/lib/hsts.c b/lib/hsts.c
index 1d0263cdf..525d2f2b1 100644
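--- a/lib/hsts.c
+++ b/lib/hsts.c
@@ -394,14 +394,23 @@ static CURLcode hsts_add(struct hsts *h, char *line)
 host, date);
 if(2 == rc) {
 time_t expires = Curl_getdate_capped(date);
- CURLcode result;
+ CURLcode result = CURLE_OK;
 char *p = host;
 bool subdomain = FALSE;
+ struct stsentry *e;
 if(p[0] == '.') {
 p++;
 subdomain = TRUE;
 }
- result = hsts_create(h, p, subdomain, expires);
+ /* only add it if not already present */
+ e = Curl_hsts(h, p, subdomain);
+ if(!e)
+ result = hsts_create(h, p, subdomain, expires);
+ else {
+ /* the same host name, use the largest expire time */
+ if(expires > e->expires)
+ e->expires = expires;
+ }
 if(result)
 return result;
 }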
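Review bot: The `else` branch treats whatever entry `Curl_hsts(h, p, subdomain)` returns as "the same host name", but nothing in the hunk checks that `e` is actually the entry for `p`. Curl_hsts is defined outside this hunk; if it can return a parent-domain entry that covers subdomains, a cache line for a subdomain would raise the parent's `expires` instead of its own, so the stored HSTS lifetime no longer matches what either host announced. Comparing the names before the update would make the comment true, for example `else if(strcasecompare(p, e->host)) {`. The branch also leaves the existing entry's subdomain setting untouched when the new line's `subdomain` differs, which deserves a one-line comment stating that this is intended. hsts_add begins and ends outside the hunk, so how the caller treats a skipped line cannot be checked from here.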
--
2.35.1.windows.2