forked from curl/curl-www
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCVE-2015-3153.patch
134 lines (121 loc) · 4.89 KB
/
CVE-2015-3153.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 23 Apr 2015 15:58:21 +0200
Subject: [PATCH] CURLOPT_HEADEROPT: default to separate
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.
Bug: https://curl.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
---
docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------
lib/url.c | 1 +
tests/data/test1527 | 2 +-
tests/data/test287 | 2 +-
tests/libtest/lib1527.c | 1 +
5 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/docs/libcurl/opts/CURLOPT_HEADEROPT.3 b/docs/libcurl/opts/CURLOPT_HEADEROPT.3
index be96d7d..7776b92 100644
--- a/docs/libcurl/opts/CURLOPT_HEADEROPT.3
+++ b/docs/libcurl/opts/CURLOPT_HEADEROPT.3
@@ -3,11 +3,11 @@
.\" * Project ___| | | | _ \| |
.\" * / __| | | | |_) | |
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
.\" * are also available at https://curl.se/docs/copyright.html.
.\" *
@@ -29,24 +29,24 @@ CURLOPT_HEADEROPT \- set how to send HTTP headers
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_HEADEROPT, long bitmask);
.SH DESCRIPTION
Pass a long that is a bitmask of options of how to deal with headers. The two
mutually exclusive options are:
-\fBCURLHEADER_UNIFIED\fP - keep working as before. This means
-\fICURLOPT_HTTPHEADER(3)\fP headers will be used in requests both to servers
-and proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not
-have any effect.
+\fBCURLHEADER_UNIFIED\fP - the headers specified in
+\fICURLOPT_HTTPHEADER(3)\fP will be used in requests both to servers and
+proxies. With this option enabled, \fICURLOPT_PROXYHEADER(3)\fP will not have
+any effect.
\fBCURLHEADER_SEPARATE\fP - makes \fICURLOPT_HTTPHEADER(3)\fP headers only get
sent to a server and not to a proxy. Proxy headers must be set with
\fICURLOPT_PROXYHEADER(3)\fP to get used. Note that if a non-CONNECT request
is sent to a proxy, libcurl will send both server headers and proxy
headers. When doing CONNECT, libcurl will send \fICURLOPT_PROXYHEADER(3)\fP
headers only to the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
the server.
.SH DEFAULT
-CURLHEADER_UNIFIED
+CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
.SH PROTOCOLS
HTTP
.SH EXAMPLE
TODO
.SH AVAILABILITY
diff --git a/lib/url.c b/lib/url.c
index 7dc5c45..1af859d 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -603,10 +603,11 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
set->ssl_enable_npn = TRUE;
set->ssl_enable_alpn = TRUE;
set->expect_100_timeout = 1000L; /* Wait for a second by default. */
+ set->sep_headers = TRUE; /* separated header lists by default */
return result;
}
/**
* Curl_open()
diff --git a/tests/data/test1527 b/tests/data/test1527
index ee4887a..e8d5279 100644
--- a/tests/data/test1527
+++ b/tests/data/test1527
@@ -43,11 +43,11 @@ http-proxy
</server>
<tool>
lib1527
</tool>
<name>
-Check same headers are generated without CURLOPT_PROXYHEADER
+Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
</name>
<command>
http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
</command>
</client>
diff --git a/tests/data/test287 b/tests/data/test287
index ec4dfeb..6772e22 100644
--- a/tests/data/test287
+++ b/tests/data/test287
@@ -26,11 +26,11 @@ http
</server>
<name>
HTTP proxy CONNECT with custom User-Agent header
</name>
<command>
-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
+http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
</command>
</client>
# Verify data after the test has been "shot"
<verify>
diff --git a/tests/libtest/lib1527.c b/tests/libtest/lib1527.c
index 280c947..1122d8e 100644
--- a/tests/libtest/lib1527.c
+++ b/tests/libtest/lib1527.c
@@ -81,10 +81,11 @@ int test(char *URL)
test_setopt(curl, CURLOPT_HEADER, 1L);
test_setopt(curl, CURLOPT_WRITEFUNCTION, fwrite);
test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
+ test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
res = curl_easy_perform(curl);
test_cleanup:
--
2.1.4