From 6a566f26236e4b327723c8ab1053fc27ed6b819c Mon Sep 17 00:00:00 2001
|
|
From: Patrick Monnerat <patrick@monnerat.net>
|
|
Date: Mon, 13 Feb 2023 08:33:09 +0100
|
|
Subject: [PATCH 2/2] [Backport] content_encoding: do not reset stage counter
|
|
for each header
|
|
|
|
Offering: RTOS
|
|
CVE: CVE-2023-23916
|
|
Reference: https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9
|
|
DTS/AR: DTS2023021511961
|
|
type: LTS
|
|
reason: do not reset stage counter for each header
|
|
|
|
Test 418 verifies
|
|
|
|
Closes #10492
|
|
|
|
(cherry picked from commit 119fb187192a9ea13dc90d9d20c215fc82799ab9)
|
|
|
|
Conflicts:
|
|
lib/urldata.h
|
|
tests/data/Makefile.inc
|
|
Signed-off-by: chenzanyu <chenzanyu@huawei.com>
|
|
---
|
|
lib/content_encoding.c | 7 +-
|
|
lib/urldata.h | 3 +-
|
|
tests/data/Makefile.inc | 2 +-
|
|
tests/data/test387 | 2 +-
|
|
tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++
|
|
5 files changed, 159 insertions(+), 7 deletions(-)
|
|
create mode 100644 tests/data/test418
|
|
|
|
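diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index 37aceccdf..cdc5baf21 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -1036,7 +1036,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
 const char *enclist, int is_transfer)
 {
 struct SingleRequest *k = &data->req;
- int counter = 0;
 unsigned int order = is_transfer? 2: 1;
 
 do {
@@ -1073,9 +1072,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
 if(!encoding)
 encoding = &error_encoding; /* Defer error at stack use. */
 
- if(++counter >= MAX_ENCODE_STACK) {
- failf(data, "Reject response due to %u content encodings",
- counter);
+ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
+ failf(data, "Reject response due to more than %u content encodings",
+ MAX_ENCODE_STACK);
 return CURLE_BAD_CONTENT_ENCODING;
 }
 /* Stack the unencoding stage. */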
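Review bot: Nothing in this patch resets `k->writer_stack_depth`, so the limit check in the second hunk (`if(k->writer_stack_depth++ >= MAX_ENCODE_STACK)`) is only correct if the `SingleRequest` is zeroed, or the field cleared, whenever the unencoding stack is torn down and before the handle processes another response. That reset is not visible here, and since this is a backport with conflicts in lib/urldata.h it is worth confirming on this branch; if the request struct is not already reinitialised per transfer, add `k->writer_stack_depth = 0;` where the writer stack is freed. Without it, a reused handle (redirects, retried requests) could carry depth over from an earlier response and reject legitimate encoded replies with CURLE_BAD_CONTENT_ENCODING. The body of Curl_build_unencoding_stack starts and ends outside both hunks.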
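diff --git a/lib/urldata.h b/lib/urldata.h
index 5d4db19a6..ba76fc794 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -706,7 +706,8 @@ struct SingleRequest {
 struct dohdata *doh; /* DoH specific data for this request */
 #endif
 unsigned char setcookies;
- BIT(header); /* incoming data has HTTP header */
+ unsigned char writer_stack_depth; /* Unencoding stack depth. */
+ BIT(header); /* incoming data has HTTP header */
 BIT(content_range); /* set TRUE if Content-Range: was found */
 BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
 upload and we're uploading the last chunk */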
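Review bot: The comment on `writer_stack_depth` does not say what bounds the field or when it is cleared, which matters because an `unsigned char` wraps at 256 and the guard in lib/content_encoding.c post-increments it even on the rejecting call. A fuller comment would help, for example `/* Unencoding stack depth, counted across all encoding headers of one response; limited by MAX_ENCODE_STACK */`. The wrap looks unreachable only as long as the first rejection aborts the transfer, which appears to be the case since the function returns CURLE_BAD_CONTENT_ENCODING. struct SingleRequest continues outside the hunk.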
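diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 831cdb800..37237044e 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -65,7 +65,7 @@ test387 \
 test393 test394 test395 test396 test397 \
 \
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
-test409 test410 \
+test409 test410 test418 \
 \
 test430 test431 test432 test433 test434 \
 \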
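diff --git a/tests/data/test387 b/tests/data/test387
index 015ec25f1..644fc7f36 100644
--- a/tests/data/test387
+++ b/tests/data/test387
@@ -47,7 +47,7 @@ Accept: */*
 61
 </errorcode>
 <stderr mode="text">
-curl: (61) Reject response due to 5 content encodings
+curl: (61) Reject response due to more than 5 content encodings
 </stderr>
 </verify>
 </testcase>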
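diff --git a/tests/data/test418 b/tests/data/test418
new file mode 100644
index 000000000..50e974e60
--- /dev/null
+++ b/tests/data/test418
@@ -0,0 +1,152 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+gzip
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 200 OK
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+
+-foo-
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+Response with multiple Transfer-Encoding headers
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="yes">
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+</protocol>
+
+# CURLE_BAD_CONTENT_ENCODING is 61
+<errorcode>
+61
+</errorcode>
+<stderr mode="text">
+curl: (61) Reject response due to more than 5 content encodings
+</stderr>
+</verify>
+</testcase>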
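Review bot: Test 418 covers only a single transfer with repeated `Transfer-Encoding: gzip` headers; it does not exercise `Content-Encoding` and `Transfer-Encoding` headers combined in one response, which appear to share the same depth counter now, nor a second response handled by the same handle after encodings were stacked. A companion case with mixed headers would pin the cross-header limit. A case that fetches two URLs in one invocation, where the first response carries a few encodings, would show that the counter starts from zero for each response.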
--
|
|
2.35.1.windows.2
|
|
|