File _service:tar_scm:backport-CVE-2022-43551-http-use-the-IDN-decoded-name-in-HSTS-checks.patch of Package curl
From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Mon, 19 Dec 2022 08:36:55 +0100 Subject: [PATCH 1/2] http: use the IDN decoded name in HSTS checks Otherwise it stores the info HSTS into the persistent cache for the IDN name which will not match when the HSTS status is later checked for using the decoded name. Reported-by: Hiroki Kurosawa Closes #10111 --- lib/http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/http.c b/lib/http.c index 85528a221..a784745a8 100644 --- a/lib/http.c +++ b/lib/http.c @@ -3646,7 +3646,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, #endif )) { CURLcode check = - Curl_hsts_parse(data->hsts, data->state.up.hostname, + Curl_hsts_parse(data->hsts, conn->host.name, headp + strlen("Strict-Transport-Security:")); if(check) infof(data, "Illegal STS header skipped"); -- 2.33.0
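Review bot: The Curl_hsts_parse() call in Curl_http_header() switches its host argument to conn->host.name without a comment explaining why it must differ from data->state.up.hostname, and the diffstat lists only lib/http.c, so no regression test accompanies the fix. A short comment at the call site, stating that the HSTS entry has to be stored under the IDN-decoded name because that is the form used when the HSTS status is checked later, would keep a later cleanup from reverting the argument. A test case that receives a Strict-Transport-Security header on an IDN host name and then verifies that the subsequent HSTS lookup matches would pin the behaviour described in the commit message. This is [PATCH 1/2]; if the test is carried by the second patch, saying so in the commit message would make that visible to anyone backporting only this one.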