130 lines
4.7 KiB
Diff
130 lines
4.7 KiB
Diff
From e193f712be95dc9e5e2b92eae6381d4572231152 Mon Sep 17 00:00:00 2001
|
|
From: Patrick Monnerat <patrick@monnerat.net>
|
|
Date: Sun, 17 Apr 2022 23:29:46 +0200
|
|
Subject: [PATCH] url: check sasl additional parameters for connection reuse.
|
|
|
|
Also move static function safecmp() as non-static Curl_safecmp() since
|
|
its purpose is needed at several places.
|
|
|
|
Bug: https://curl.se/docs/CVE-2022-22576.html
|
|
|
|
CVE-2022-22576
|
|
diff --git a/lib/strcase.c b/lib/strcase.c
|
|
index 955e3c7..cd04f2c 100644
|
|
--- a/lib/strcase.c
|
|
+++ b/lib/strcase.c
|
|
@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
|
|
} while(*src++ && --n);
|
|
}
|
|
|
|
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
|
+ * null pointers. Return true if arguments match.
|
|
+ */
|
|
+bool Curl_safecmp(char *a, char *b)
|
|
+{
|
|
+ if(a && b)
|
|
+ return !strcmp(a, b);
|
|
+ return !a && !b;
|
|
+}
|
|
+
|
|
/* --- public functions --- */
|
|
|
|
int curl_strequal(const char *first, const char *second)
|
|
diff --git a/lib/strcase.h b/lib/strcase.h
|
|
index 10dc698..127bfdd 100644
|
|
--- a/lib/strcase.h
|
|
+++ b/lib/strcase.h
|
|
@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);
|
|
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
|
void Curl_strntolower(char *dest, const char *src, size_t n);
|
|
|
|
+bool Curl_safecmp(char *a, char *b);
|
|
+
|
|
#endif /* HEADER_CURL_STRCASE_H */
|
|
diff --git a/lib/url.c b/lib/url.c
|
|
index a6519be..a8e2e41 100644
|
|
--- a/lib/url.c
|
|
+++ b/lib/url.c
|
|
@@ -752,6 +752,7 @@ static void conn_free(struct connectdata *conn)
|
|
Curl_safefree(conn->passwd);
|
|
Curl_safefree(conn->sasl_authzid);
|
|
Curl_safefree(conn->options);
|
|
+ Curl_safefree(conn->oauth_bearer);
|
|
Curl_dyn_free(&conn->trailer);
|
|
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
|
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
|
|
@@ -1284,7 +1285,9 @@ ConnectionExists(struct Curl_easy *data,
|
|
/* This protocol requires credentials per connection,
|
|
so verify that we're using the same name and password as well */
|
|
if(strcmp(needle->user, check->user) ||
|
|
- strcmp(needle->passwd, check->passwd)) {
|
|
+ strcmp(needle->passwd, check->passwd) ||
|
|
+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
|
|
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
|
|
/* one of them was different */
|
|
continue;
|
|
}
|
|
@@ -3486,6 +3489,14 @@ static CURLcode create_conn(struct Curl_easy *data,
|
|
}
|
|
}
|
|
|
|
+ if(data->set.str[STRING_BEARER]) {
|
|
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
|
+ if(!conn->oauth_bearer) {
|
|
+ result = CURLE_OUT_OF_MEMORY;
|
|
+ goto out;
|
|
+ }
|
|
+ }
|
|
+
|
|
#ifdef USE_UNIX_SOCKETS
|
|
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
|
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
index abd8110..11d7a33 100644
|
|
--- a/lib/urldata.h
|
|
+++ b/lib/urldata.h
|
|
@@ -967,6 +967,7 @@ struct connectdata {
|
|
char *options; /* options string, allocated */
|
|
|
|
char *sasl_authzid; /* authorisation identity string, allocated */
|
|
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
|
|
|
|
int httpversion; /* the HTTP version*10 reported by the server */
|
|
int rtspversion; /* the RTSP version*10 reported by the server */
|
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
|
index 62239be..c074605 100644
|
|
--- a/lib/vtls/vtls.c
|
|
+++ b/lib/vtls/vtls.c
|
|
@@ -121,14 +121,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
|
return !memcmp(first->data, second->data, first->len); /* same data */
|
|
}
|
|
|
|
-static bool safecmp(char *a, char *b)
|
|
-{
|
|
- if(a && b)
|
|
- return !strcmp(a, b);
|
|
- else if(!a && !b)
|
|
- return TRUE; /* match */
|
|
- return FALSE; /* no match */
|
|
-}
|
|
|
|
bool
|
|
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
|
@@ -142,11 +133,11 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
|
(data->verifystatus == needle->verifystatus) &&
|
|
blobcmp(data->cert_blob, needle->cert_blob) &&
|
|
blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
|
- safecmp(data->CApath, needle->CApath) &&
|
|
- safecmp(data->CAfile, needle->CAfile) &&
|
|
- safecmp(data->clientcert, needle->clientcert) &&
|
|
- safecmp(data->random_file, needle->random_file) &&
|
|
- safecmp(data->egdsocket, needle->egdsocket) &&
|
|
+ Curl_safecmp(data->CApath, needle->CApath) &&
|
|
+ Curl_safecmp(data->CAfile, needle->CAfile) &&
|
|
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
|
|
+ Curl_safecmp(data->random_file, needle->random_file) &&
|
|
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
|
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
|