openkylin
/
curl
mirror of https://gitee.com/openkylin/curl.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Repair CVE-2020-8169

This commit is contained in:
liwenjie 2022-11-07 09:44:18 +08:00 committed by handsome_feng
parent dc3004c8e7
commit 70159f52e9
3 changed files with 83 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/url.c
View File

@ -2733,12 +2733,14 @@ static CURLcode override_login(struct Curl_easy *data,
/* for updated strings, we update them in the URL */ /* for updated strings, we update them in the URL */
if(user_changed) { if(user_changed) {
uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0); uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp,
CURLU_URLENCODE);
if(uc) if(uc)
return Curl_uc_to_curlcode(uc); return Curl_uc_to_curlcode(uc);
} }
if(passwd_changed) { if(passwd_changed) {
uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0); uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp,
CURLU_URLENCODE);
if(uc) if(uc)
return Curl_uc_to_curlcode(uc); return Curl_uc_to_curlcode(uc);
} }

2
tests/data/Makefile.inc
View File

@ -131,7 +131,7 @@ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \ test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \ test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \
test1160 test1161 test1162 test1163 test1164 test1165 test1166 \ test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1168 \
test1170 test1171 test1172 test1173 test1174 test1175 \ test1170 test1171 test1172 test1173 test1174 test1175 \
\ \
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \

78
tests/data/test1168 Normal file
View File

@ -0,0 +1,78 @@
<testcase>
<info>
<keywords>
HTTP
HTTP GET
followlocation
</keywords>
</info>
# Server-side
<reply>
<data>
HTTP/1.1 301 This is a weirdo text message swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Location: /data/11680002.txt
Connection: close
This server reply is for testing a simple Location: following
</data>
<data2>
HTTP/1.1 200 Followed here fine swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Length: 52
If this is received, the location following worked
</data2>
<datacheck>
HTTP/1.1 301 This is a weirdo text message swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Location: /data/11680002.txt
Connection: close
HTTP/1.1 200 Followed here fine swsclose
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake
Content-Length: 52
If this is received, the location following worked
</datacheck>
</reply>
# Client-side
<client>
<server>
http
</server>
<name>
HTTP redirect with credentials using # in user and password
</name>
<command>
http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY"
</command>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET /want/1168 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
Accept: */*
GET /data/11680002.txt HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ==
Accept: */*
</protocol>
</verify>
</testcase>