From 1c875f3e08124c32205a7d33b5c10256ff9352cc Mon Sep 17 00:00:00 2001 From: Viktor Szakats <commit@vsz.me> Date: Tue, 23 Feb 2021 14:54:46 +0100 Subject: [PATCH] transfer: strip credentials from the auto-referer header field Added test 2081 to verify. CVE-2021-22876 Bug: https://curl.se/docs/CVE-2021-22876.html Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c Signed-off-by: Kamil Dudka <kdudka@redhat.com> --- lib/transfer.c | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/lib/transfer.c b/lib/transfer.c index 44104ab..3325a0e 100644 --- a/lib/transfer.c +++ b/lib/transfer.c @@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data, data->set.followlocation++; /* count location-followers */ if(data->set.http_auto_referer) { + CURLU *u; + char *referer; + /* We are asked to automatically set the previous URL as the referer when we get the next URL. We pick the ->url field, which may or may not be 100% correct */ @@ -1579,9 +1582,26 @@ CURLcode Curl_follow(struct Curl_easy *data, data->change.referer_alloc = FALSE; } - data->change.referer = strdup(data->change.url); - if(!data->change.referer) + /* Make a copy of the URL without crenditals and fragment */ + u = curl_url(); + if(!u) + return CURLE_OUT_OF_MEMORY; + + uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0); + if(!uc) + uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0); + if(!uc) + uc = curl_url_set(u, CURLUPART_USER, NULL, 0); + if(!uc) + uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0); + if(!uc) + uc = curl_url_get(u, CURLUPART_URL, &referer, 0); + + curl_url_cleanup(u); + + if(uc || referer == NULL) return CURLE_OUT_OF_MEMORY; + data->change.referer = referer; data->change.referer_alloc = TRUE; /* yes, free this later */ } } -- 2.26.3