Projects
openEuler:24.03:SP1:Everything
lynx
_service:tar_scm:CVE-2021-38165.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2021-38165.patch of Package lynx
Description: Fix CVE-2021-38165 CVE-2021-38165: If Lynx is given an HTTPS URL which included username and password, e.g. https://username:password@www.example.org/, username and password were sent over the wire in clear text if the TLS 1.2 Server Name Indication (SNI) extension was used. . This patch is extracted from upstream's patch from 2.9.0dev.8 to 2.9.0dev.9 to fix this issue. Origin: https://invisible-mirror.net/archives/lynx/patches/lynx2.9.0dev.9.patch.gz Author: Thomas E. Dickey <dickey@invisible-island.net> Reviewed-By: Axel Beckert <abe@debian.org> Bug-Debian: https://bugs.debian.org/991971 Bug: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00000.html Bug: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html --- a/WWW/Library/Implementation/HTTP.c +++ b/WWW/Library/Implementation/HTTP.c @@ -762,6 +762,23 @@ } #endif +/* + * Remove user/password, if any, from the given host-string. + */ +#ifdef USE_SSL +static char *StripUserAuthents(char *host) +{ + char *p = strchr(host, '@'); + + if (p != NULL) { + char *q = host; + + while ((*q++ = *++p) != '\0') ; + } + return host; +} +#endif + /* Load Document from HTTP Server HTLoadHTTP() * ============================== * @@ -957,6 +974,7 @@ /* get host we're connecting to */ ssl_host = HTParse(url, "", PARSE_HOST); ssl_host = StripIpv6Brackets(ssl_host); + ssl_host = StripUserAuthents(ssl_host); #if defined(USE_GNUTLS_FUNCS) ret = gnutls_server_name_set(handle->gnutls_state, GNUTLS_NAME_DNS,
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2