SECURITY UPDATE
parent
0b98a96682
commit
fa7c8f4893
|
@ -1,3 +1,11 @@
|
||||||
|
wget (1.21.4-ok2) nile; urgency=medium
|
||||||
|
|
||||||
|
* SECURITY UPDATE: mishandling of semicolons in userinfo -
|
||||||
|
debian/patches/CVE-2024-38428.patch: properly re-implement userinfo
|
||||||
|
parsing in src/url.c. - CVE-2024-38428
|
||||||
|
|
||||||
|
-- liubo01 <liubo01@kylinos.cn> Tue, 05 Nov 2024 09:41:58 +0800
|
||||||
|
|
||||||
wget (1.21.4-ok1) nile; urgency=high
|
wget (1.21.4-ok1) nile; urgency=high
|
||||||
|
|
||||||
* Build for openKylin.
|
* Build for openKylin.
|
||||||
|
|
|
@ -0,0 +1,66 @@
|
||||||
|
From: liubo0711 <1191322237@qq.com>
|
||||||
|
Date: Tue, 5 Nov 2024 09:41:58 +0800
|
||||||
|
Subject: SECURITY UPDATE
|
||||||
|
|
||||||
|
---
|
||||||
|
src/url.c | 40 ++++++++++++++++++++++++++++++++++------
|
||||||
|
1 file changed, 34 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/url.c b/src/url.c
|
||||||
|
index 2ff0b55..0acd3f3 100644
|
||||||
|
--- a/src/url.c
|
||||||
|
+++ b/src/url.c
|
||||||
|
@@ -41,6 +41,7 @@ as that of the covered work. */
|
||||||
|
#include "url.h"
|
||||||
|
#include "host.h" /* for is_valid_ipv6_address */
|
||||||
|
#include "c-strcase.h"
|
||||||
|
+#include "c-ctype.h"
|
||||||
|
|
||||||
|
#ifdef HAVE_ICONV
|
||||||
|
# include <iconv.h>
|
||||||
|
@@ -526,12 +527,39 @@ scheme_leading_string (enum url_scheme scheme)
|
||||||
|
static const char *
|
||||||
|
url_skip_credentials (const char *url)
|
||||||
|
{
|
||||||
|
- /* Look for '@' that comes before terminators, such as '/', '?',
|
||||||
|
- '#', or ';'. */
|
||||||
|
- const char *p = (const char *)strpbrk (url, "@/?#;");
|
||||||
|
- if (!p || *p != '@')
|
||||||
|
- return url;
|
||||||
|
- return p + 1;
|
||||||
|
+ /*
|
||||||
|
+ * This whole file implements https://www.rfc-editor.org/rfc/rfc2396 .
|
||||||
|
+ * RFC 2396 is outdated since 2005 and needs a rewrite or a thorough re-visit.
|
||||||
|
+ *
|
||||||
|
+ * The RFC says
|
||||||
|
+ * server = [ [ userinfo "@" ] hostport ]
|
||||||
|
+ * userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
|
||||||
|
+ * unreserved = alphanum | mark
|
||||||
|
+ * mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
|
||||||
|
+ */
|
||||||
|
+ static const char *allowed = "-_.!~*'();:&=+$,";
|
||||||
|
+
|
||||||
|
+ for (const char *p = url; *p; p++)
|
||||||
|
+ {
|
||||||
|
+ if (c_isalnum(*p))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ if (strchr(allowed, *p))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ if (*p == '%' && c_isxdigit(p[1]) && c_isxdigit(p[2]))
|
||||||
|
+ {
|
||||||
|
+ p += 2;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (*p == '@')
|
||||||
|
+ return p + 1;
|
||||||
|
+
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return url;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Parse credentials contained in [BEG, END). The region is expected
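Review bot: The rewritten url_skip_credentials in the `@@ -526,12 +527,39 @@` hunk drops the only comment that stated its contract, and the RFC excerpt that replaces it says what userinfo is but not what the function returns; add above the `static const char *allowed` line a header such as `/* Return a pointer just past the '@' that terminates a well-formed RFC 2396 userinfo at the start of URL, or URL itself when the string does not begin with such a userinfo followed by '@'. */`. Because the loop breaks at the first byte outside that set, a raw non-ASCII byte or an unescaped '/', '?', '#' or '[' before the '@' now leaves the credentials unskipped and hands the whole prefix to the host parser, which is the intended tightening for the semicolon case but a behaviour change that presumably relies on the host parser rejecting an '@' (outside this hunk; confirm and cover with a regression test for `user;pw@host` and for a non-ASCII userinfo). The `%XX` check is safe on a short string since `c_isxdigit(p[1])` fails on the terminator before `p[2]` is read, which is worth a one-line comment beside it.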
|
|
@ -1,3 +1,4 @@
|
||||||
wget-doc-remove-usr-local-in-sample.wgetrc
|
wget-doc-remove-usr-local-in-sample.wgetrc
|
||||||
wget-doc-remove-usr-local-in-wget.texi
|
wget-doc-remove-usr-local-in-wget.texi
|
||||||
wget-passive_ftp-default
|
wget-passive_ftp-default
|
||||||
|
0004-SECURITY-UPDATE.patch
|
||||||
|
|