Description: fix URL request injection
Origin: backport, https://github.com/bagder/curl/commit/178bd7db34f77e020fb8562890c5625ccbd67093
Origin: backport, https://github.com/bagder/curl/commit/3df8e78860d3a3d3cf95252bd2b4ad5fd53360cd
5
Index: curl-7.35.0/lib/url.c
6
===================================================================
7
--- curl-7.35.0.orig/lib/url.c 2015-01-14 08:48:08.506540363 -0500
8
+++ curl-7.35.0/lib/url.c 2015-01-14 08:48:08.502540334 -0500
11
*prot_missing = FALSE;
13
+ /* We might pass the entire URL into the request so we need to make sure
14
+ * there are no bad characters in there.*/
15
+ if(strpbrk(data->change.url, "\r\n")) {
16
+ failf(data, "Illegal characters found in URL");
17
+ return CURLE_URL_MALFORMAT;
20
/*************************************************************
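Review bot: The added guard matches only raw CR and LF bytes in `data->change.url`, so a URL carrying the percent-encoded forms (`%0d`, `%0a`) passes this point unchanged. That is fine where the URL goes out still encoded, as in the proxy request line the comment describes, but any later code that percent-decodes a URL component before writing it to the wire would need its own check; no such decode site is visible in this hunk, so treat this as a caveat to confirm rather than a confirmed gap. The comment should state the limit, for example `/* Reject raw CR/LF only; percent-encoded forms are not decoded here and must be checked wherever a component is decoded. */`, and its closing `there.*/` lacks a space. The enclosing function starts and ends outside the hunk, and the closing brace of the added `if` is not among the visible lines.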
23
Index: curl-7.35.0/tests/data/Makefile.am
24
===================================================================
25
--- curl-7.35.0.orig/tests/data/Makefile.am 2015-01-14 08:48:08.506540363 -0500
26
+++ curl-7.35.0/tests/data/Makefile.am 2015-01-14 08:48:35.486745922 -0500
28
test1416 test1417 test1418 test1419 \
30
test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
31
-test1508 test1509 test1510 test1511 test1512 test1513 test1514 \
32
+test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1529 \
34
test1900 test1901 test1902 test1903 \
36
Index: curl-7.35.0/tests/data/test1529
37
===================================================================
38
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
39
+++ curl-7.35.0/tests/data/test1529 2015-01-14 08:48:08.502540334 -0500
69
+HTTP request-injection in URL sent over proxy
72
+ "http://the.old.moo:%HTTPPORT/1529" %HOSTIP:%PROXYPORT
76
+# it should be detected and an error should be reported
78
+# 3 == CURLE_URL_MALFORMAT
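Review bot: This case exercises the rejection only through an HTTP proxy (the test name and the command line that passes `%HOSTIP:%PROXYPORT`), while the check added to lib/url.c in the same patch runs for every URL, proxy or not. A companion case without a proxy, and one with a lone `\n` instead of the CR LF pair built in lib1529.c, would pin the behaviour the guard actually implements. Most of this test file is not visible here, so if the verify section does not already assert that no request reached the proxy, that assertion is worth adding next to the expected error code 3.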
84
Index: curl-7.35.0/tests/libtest/Makefile.inc
85
===================================================================
86
--- curl-7.35.0.orig/tests/libtest/Makefile.inc 2015-01-14 08:48:08.506540363 -0500
87
+++ curl-7.35.0/tests/libtest/Makefile.inc 2015-01-14 08:48:45.318820813 -0500
89
lib571 lib572 lib573 lib574 lib575 lib576 lib578 lib579 lib582 \
90
lib583 lib585 lib586 lib587 lib590 lib591 lib597 lib598 lib599 \
91
lib1500 lib1501 lib1502 lib1503 lib1504 lib1505 lib1506 lib1507 lib1508 \
92
- lib1509 lib1510 lib1511 lib1512 lib1513 lib1514 \
93
+ lib1509 lib1510 lib1511 lib1512 lib1513 lib1514 lib1529 \
98
lib1514_LDADD = $(TESTUTIL_LIBS)
99
lib1514_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1514
101
+lib1529_SOURCES = lib1529.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
102
+lib1529_LDADD = $(TESTUTIL_LIBS)
103
+lib1529_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1529
105
lib1900_SOURCES = lib1900.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
106
lib1900_LDADD = $(TESTUTIL_LIBS)
107
lib1900_CPPFLAGS = $(AM_CPPFLAGS)
108
Index: curl-7.35.0/tests/libtest/lib1529.c
109
===================================================================
110
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
111
+++ curl-7.35.0/tests/libtest/lib1529.c 2015-01-14 08:48:08.502540334 -0500
113
+/***************************************************************************
115
+ * Project ___| | | | _ \| |
116
+ * / __| | | | |_) | |
117
+ * | (__| |_| | _ <| |___
118
+ * \___|\___/|_| \_\_____|
120
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
122
+ * This software is licensed as described in the file COPYING, which
123
+ * you should have received as part of this distribution. The terms
124
+ * are also available at http://curl.haxx.se/docs/copyright.html.
126
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
127
+ * copies of the Software, and permit persons to whom the Software is
128
+ * furnished to do so, under the terms of the COPYING file.
130
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
131
+ * KIND, either express or implied.
133
+ ***************************************************************************/
137
+#include "memdebug.h"
142
+ CURLcode res = CURLE_FAILED_INIT;
144
+ snprintf(bURL, sizeof(bURL), "%s HTTP/1.1\r\nGET http://1529.com/1529", URL);
146
+ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
147
+ fprintf(stderr, "curl_global_init() failed\n");
148
+ return TEST_ERR_MAJOR_BAD;
151
+ if((curl = curl_easy_init()) == NULL) {
152
+ fprintf(stderr, "curl_easy_init() failed\n");
153
+ curl_global_cleanup();
154
+ return TEST_ERR_MAJOR_BAD;
157
+ test_setopt(curl, CURLOPT_URL, bURL);
158
+ test_setopt(curl, CURLOPT_PROXY, libtest_arg2);
159
+ test_setopt(curl, CURLOPT_VERBOSE, 1L);
160
+ test_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTP);
161
+ test_setopt(curl, CURLOPT_HEADER, 1L);
163
+ res = curl_easy_perform(curl);
167
+ curl_easy_cleanup(curl);
168
+ curl_global_cleanup();