packages/curl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
curl/backport-CVE-2022-32205.patch
eaglegai fc09d7a50b fix CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208 
(cherry picked from commit 396042a7112f4f568fdea60b6eeca9a89e3b7413)
2022-06-29 11:49:30 +08:00

155 lines
5.8 KiB
Diff
Raw Blame History

Backported of:
From 631f95b7013ba017692d9512093746af93b4e327 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 19 May 2022 12:12:04 +0200
Subject: [PATCH] cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50
diff --git a/lib/cookie.c b/lib/cookie.c
index e88678c..1d1bf9b 100644
--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -453,6 +453,10 @@ Curl_cookie_add(struct Curl_easy *data,
(void)data;
#endif
+ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
+ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
+ return NULL;
+
/* First, alloc and init a new struct for it */
co = calloc(1, sizeof(struct Cookie));
if(!co)
@@ -771,7 +775,7 @@ Curl_cookie_add(struct Curl_easy *data,
freecookie(co);
return NULL;
}
-
+ data->req.setcookies++;
}
else {
/* This line is NOT a HTTP header style line, we do offer support for
@@ -1268,7 +1272,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
*
****************************************************************************/
-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
+ struct CookieInfo *c,
const char *host, const char *path,
bool secure)
{
@@ -1317,6 +1322,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
mainco = newco;
matches++;
+ if(matches >= MAX_COOKIE_SEND_AMOUNT) {
+ infof(data, "Included max number of cookies (%u) in request!",
+ matches);
+ break;
+ }
}
else
goto fail;
diff --git a/lib/cookie.h b/lib/cookie.h
index 066396f..200590e 100644
--- a/lib/cookie.h
+++ b/lib/cookie.h
@@ -80,10 +80,26 @@ struct CookieInfo {
*/
#define MAX_COOKIE_LINE 5000
-/* This is the maximum length of a cookie name or content we deal with: */
+/* Maximum length of an incoming cookie name or content we deal with. Longer
+ cookies are ignored. */
#define MAX_NAME 4096
#define MAX_NAME_TXT "4095"
+/* Maximum size for an outgoing cookie line libcurl will use in an http
+ request. This is the default maximum length used in some versions of Apache
+ httpd. */
+#define MAX_COOKIE_HEADER_LEN 8190
+
+/* Maximum number of cookies libcurl will send in a single request, even if
+ there might be more cookies that match. One reason to cap the number is to
+ keep the maximum HTTP request within the maximum allowed size. */
+#define MAX_COOKIE_SEND_AMOUNT 150
+
+/* Maximum number of Set-Cookie: lines accepted in a single response. If more
+ such header lines are received, they are ignored. This value must be less
+ than 256 since an unsigned char is used to count. */
+#define MAX_SET_COOKIE_AMOUNT 50
+
struct Curl_easy;
/*
* Add a cookie to the internal list of cookies. The domain and path arguments
@@ -96,7 +112,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
const char *domain, const char *path,
bool secure);
-struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
+struct Cookie *Curl_cookie_getlist(struct Curl_easy *,
+ struct CookieInfo *, const char *,
const char *, bool);
void Curl_cookie_freelist(struct Cookie *cookies);
void Curl_cookie_clearall(struct CookieInfo *cookies);
diff --git a/lib/http.c b/lib/http.c
index 7ccc5b5..3726c32 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1930,6 +1930,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
#if !defined(CURL_DISABLE_COOKIES)
char *addcookies = NULL;
#endif
+ bool linecap = FALSE;
curl_off_t included_body = 0;
const char *httpstring;
struct dynbuf req;
@@ -2610,7 +2611,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
if(data->cookies && data->state.cookie_engine) {
Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
- co = Curl_cookie_getlist(data->cookies,
+ co = Curl_cookie_getlist(data, data->cookies,
data->state.aptr.cookiehost?
data->state.aptr.cookiehost:host,
data->state.up.path,
@@ -2628,6 +2629,13 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
if(result)
break;
}
+ if((Curl_dyn_len(&req) + strlen(co->name) + strlen(co->value) + 1) >=
+ MAX_COOKIE_HEADER_LEN) {
+ infof(data, "Restricted outgoing cookies due to header size, "
+ "'%s' not sent", co->name);
+ linecap = TRUE;
+ break;
+ }
result = Curl_dyn_addf(&req, "%s%s=%s", count?"; ":"",
co->name, co->value);
if(result)
@@ -2638,7 +2646,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
}
Curl_cookie_freelist(store);
}
- if(addcookies && !result) {
+ if(addcookies && !result && !linecap) {
if(!count)
result = Curl_dyn_add(&req, "Cookie: ");
if(!result) {
diff --git a/lib/urldata.h b/lib/urldata.h
index cbe6bf7..25d1445 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -664,6 +664,7 @@ struct SingleRequest {
#ifndef CURL_DISABLE_DOH
struct dohdata doh; /* DoH specific data for this request */
#endif
+ unsigned char setcookies;
BIT(header); /* incoming data has HTTP header */
BIT(content_range); /* set TRUE if Content-Range: was found */
BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
Reference in New Issue View Git Blame Copy Permalink