xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Mon, 25 Apr 2022 17:59:15 +0200
4Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
5
6Follow-up to 620ea21410030
7
8Reported-by: Harry Sintonen
9Closes #8751
10
11Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
12Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
13---
14 lib/http.c         | 10 +++++-----
15 lib/http.h         |  6 ++++++
16 lib/vtls/openssl.c |  3 ++-
17 3 files changed, 13 insertions(+), 6 deletions(-)
18
19diff --git a/lib/http.c b/lib/http.c
20index 0791dcf..4433824 100644
21--- a/lib/http.c
22+++ b/lib/http.c
23@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
24 }
25
26 /*
27- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
28- * data" can (still) be sent to this host.
29+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
30+ * "sensitive data" can (still) be sent to this host.
31  */
32-static bool allow_auth_to_host(struct Curl_easy *data)
33+bool Curl_allow_auth_to_host(struct Curl_easy *data)
34 {
35   struct connectdata *conn = data->conn;
36   return (!data->state.this_is_a_follow ||
37@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
38
39   /* To prevent the user+password to get sent to other than the original host
40      due to a location-follow */
41-  if(allow_auth_to_host(data)
42+  if(Curl_allow_auth_to_host(data)
43 #ifndef CURL_DISABLE_NETRC
44      || conn->bits.netrc
45 #endif
46@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
47                    checkprefix("Cookie:", compare)) &&
48                   /* be careful of sending this potentially sensitive header to
49                      other hosts */
50-                  !allow_auth_to_host(data))
51+                  !Curl_allow_auth_to_host(data))
52             ;
53           else {
54 #ifdef USE_HYPER
55diff --git a/lib/http.h b/lib/http.h
56index 07e963d..9000bae 100644
57--- a/lib/http.h
58+++ b/lib/http.h
59@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
60                       bool proxytunnel); /* TRUE if this is the request setting
61                                             up the proxy tunnel */
62
63+/*
64+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
65+ * "sensitive data" can (still) be sent to this host.
66+ */
67+bool Curl_allow_auth_to_host(struct Curl_easy *data);
68+
69 #endif /* HEADER_CURL_HTTP_H */
70diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
71index 616a510..e8633f4 100644
72--- a/lib/vtls/openssl.c
73+++ b/lib/vtls/openssl.c
74@@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
75 #endif
76
77 #ifdef USE_OPENSSL_SRP
78-  if(ssl_authtype == CURL_TLSAUTH_SRP) {
79+  if((ssl_authtype == CURL_TLSAUTH_SRP) &&
80+     Curl_allow_auth_to_host(data)) {
81     char * const ssl_username = SSL_SET_OPTION(username);
82
83     infof(data, "Using TLS-SRP username: %s", ssl_username);
84