xref: /third_party/curl/backport-CVE-2022-42915.patch

From 3c54eaf986d62a1f7482b8d5fff2d6ac42d19f23 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 6 Oct 2022 14:13:36 +0200
Subject: [PATCH 1/2] http_proxy: restore the protocol pointer on error

Reported-by: Trail of Bits

Closes #9790

Upstream-commit: 55e1875729f9d9fc7315cec611bffbd2c817ad89
Signed-off-by: Kamil Dudka <kdudka@redhat.com>

Conflict: NA
Reference:https://src.fedoraproject.org/rpms/curl/blob/f35/f/0017-curl-7.82.0-CVE-2022-42915.patch
---
 lib/http_proxy.c | 3 +--
 lib/url.c        | 9 ---------
 2 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/lib/http_proxy.c b/lib/http_proxy.c
index 1f87f6c..cc20b3a 100644
--- a/lib/http_proxy.c
+++ b/lib/http_proxy.c
@@ -207,9 +207,8 @@ static void connect_done(struct Curl_easy *data)
     Curl_dyn_free(&s->rcvbuf);
     Curl_dyn_free(&s->req);

-    /* retore the protocol pointer */
+    /* restore the protocol pointer */
     data->req.p.http = s->prot_save;
-    s->prot_save = NULL;
     infof(data, "CONNECT phase completed!");
   }
 }
diff --git a/lib/url.c b/lib/url.c
index bfc784f..61c99d2 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -735,15 +735,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
   DEBUGASSERT(data);
   infof(data, "Closing connection %ld", conn->connection_id);

-#ifndef USE_HYPER
-  if(conn->connect_state && conn->connect_state->prot_save) {
-    /* If this was closed with a CONNECT in progress, cleanup this temporary
-       struct arrangement */
-    data->req.p.http = NULL;
-    Curl_safefree(conn->connect_state->prot_save);
-  }
-#endif
-
   /* possible left-overs from the async name resolvers */
   Curl_resolver_cancel(data);

--
2.37.3


From 5fdb5e8433c132dbb1e31a48d39a4a54ba4d7a9e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 6 Oct 2022 14:14:25 +0200
Subject: [PATCH 2/2] test445: verifies the protocols-over-http-proxy flaw and
 fix

Upstream-commit: 038bfb8522a93328b7e65bd2b6b8387c974b9ac8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 tests/data/Makefile.inc |  2 +-
 tests/data/test445      | 61 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test445

diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 1f774ce..f79b63e 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -67,7 +67,7 @@ test392 test393 test394 test395 test396 test397 \
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
 test409 test410 \
 \
-test430 test431 test432 test433 test434 test435 \
+test430 test431 test432 test433 test434 test435 test445\
 \
 test490 test491 test492 test493 test494 \
 \
diff --git a/tests/data/test445 b/tests/data/test445
new file mode 100644
index 0000000..0406c0f
--- /dev/null
+++ b/tests/data/test445
@@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP proxy
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<connect>
+HTTP/1.1 503 no just no
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+
+-foo-
+</connect>
+</reply>
+
+#
+# Client-side
+<client>
+<features>
+gopher
+dict
+http
+ftp
+imap
+ldap
+mqtt
+pop3
+rtsp
+scp
+sftp
+smb
+smtp
+</features>
+<server>
+http-proxy
+</server>
+ <name>
+Refuse tunneling protocols through HTTP proxy
+ </name>
+ <command>
+-x http://%HOSTIP:%PROXYPORT/%TESTNUMBER -p gopher://127.0.0.1 dict://127.0.0.1 http://moo https://example telnet://another ftp://yes ftps://again imap://more ldap://perhaps mqtt://yes pop3://mail rtsp://harder scp://copy sftp://files smb://wird smtp://send
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# refused in the CONNECT
+<errorcode>
+56
+</errorcode>
+</verify>
+</testcase>
--
2.33.0