Projects
Eulaceura:Mainline:GA
curl
_service:obs_scm:backport-CVE-2024-2004.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:obs_scm:backport-CVE-2024-2004.patch of Package curl
From 17d302e56221f5040092db77d4f85086e8a20e0e Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson <daniel@yesql.se> Date: Tue, 27 Feb 2024 15:43:56 +0100 Subject: [PATCH] setopt: Fix disabling all protocols When disabling all protocols without enabling any, the resulting set of allowed protocols remained the default set. Clearing the allowed set before inspecting the passed value from --proto make the set empty even in the errorpath of no protocols enabled. Co-authored-by: Dan Fandrich <dan@telarity.com> Reported-by: Dan Fandrich <dan@telarity.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se> Closes: #13004 Conflict:Context adapt Reference:https://github.com/curl/curl/commit/17d302e56221f5040092db77d4f85086e8a20e0e --- lib/setopt.c | 16 ++++++++-------- tests/data/Makefile.inc | 2 +- tests/data/test1474 | 42 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 51 insertions(+), 9 deletions(-) create mode 100644 tests/data/test1474 diff --git a/lib/setopt.c b/lib/setopt.c index 6a4990cce..ce1321fc8 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -155,6 +155,12 @@ static CURLcode setstropt_userpwd(char *option, char **userp, char **passwdp) static CURLcode protocol2num(const char *str, curl_prot_t *val) { + /* + * We are asked to cherry-pick protocols, so play it safe and disallow all + * protocols to start with, and re-add the wanted ones back in. + */ + *val = 0; + if(!str) return CURLE_BAD_FUNCTION_ARGUMENT; @@ -163,8 +169,6 @@ static CURLcode protocol2num(const char *str, curl_prot_t *val) return CURLE_OK; } - *val = 0; - do { const char *token = str; size_t tlen; @@ -2654,22 +2658,18 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; case CURLOPT_PROTOCOLS_STR: { - curl_prot_t prot; argptr = va_arg(param, char *); - result = protocol2num(argptr, &prot); + result = protocol2num(argptr, &data->set.allowed_protocols); if(result) return result; - data->set.allowed_protocols = prot; break; } case CURLOPT_REDIR_PROTOCOLS_STR: { - curl_prot_t prot; argptr = va_arg(param, char *); - result = protocol2num(argptr, &prot); + result = protocol2num(argptr, &data->set.redir_protocols); if(result) return result; - data->set.redir_protocols = prot; break; } diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index c20f90d94..b80ffb618 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -187,7 +187,7 @@ test1439 test1440 test1441 test1442 test1443 test1444 test1445 test1446 \ test1447 test1448 test1449 test1450 test1451 test1452 test1453 test1454 \ test1455 test1456 test1457 test1458 test1459 test1460 test1461 test1462 \ test1463 test1464 test1465 test1466 test1467 test1468 test1469 test1470 \ -test1471 test1472 test1473 \ +test1471 test1472 test1473 test1474 \ \ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \ diff --git a/tests/data/test1474 b/tests/data/test1474 new file mode 100644 index 000000000..c66fa2810 --- /dev/null +++ b/tests/data/test1474 @@ -0,0 +1,42 @@ +<testcase> +<info> +<keywords> +HTTP +HTTP GET +--proto +</keywords> +</info> + +# +# Server-side +<reply> +<data> +</data> +</reply> + +# +# Client-side +<client> +<server> +none +</server> +<features> +http +</features> +<name> +--proto -all disables all protocols +</name> +<command> +--proto -all http://%HOSTIP:%NOLISTENPORT/%TESTNUMBER +</command> +</client> + +# +# Verify data after the test has been "shot" +<verify> +# 1 - Protocol "http" disabled +<errorcode> +1 +</errorcode> +</verify> +</testcase> -- 2.33.0
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2