net/curl: security update to 7.87.0
Includes fixes for:
CVE-2022-43551: Another HSTS bypass via IDN
CVE-2022-43552: HTTP Proxy deny use-after-free

Note that this port does not enable IDN support.
parent
a2bdee4131
commit
d09f756f77
|
@ -1,8 +1,7 @@
|
|||
COMMENT= transfer files with FTP, HTTP, HTTPS, etc.
|
||||
|
||||
DISTNAME= curl-7.86.0
|
||||
REVISION= 1
|
||||
SHARED_LIBS= curl 26.17 # 12.0
|
||||
DISTNAME= curl-7.87.0
|
||||
SHARED_LIBS= curl 26.18 # 12.0
|
||||
CATEGORIES= net
|
||||
HOMEPAGE= https://curl.se/
|
||||
|
||||
|
|
|
@ -1,2 +1,2 @@
|
|||
SHA256 (curl-7.86.0.tar.xz) = LWERbl9IVYH21ZhlN330Rj8ueIZ3rEMiK0ltTkn7Yns=
|
||||
SIZE (curl-7.86.0.tar.xz) = 2518356
|
||||
SHA256 (curl-7.87.0.tar.xz) = 7l8aGVWw7UE0Ne952yi4NOpfD7fIz7HORxdcw77gj/8=
|
||||
SIZE (curl-7.87.0.tar.xz) = 2547932
|
||||
|
|
|
@ -1,96 +0,0 @@
|
|||
noproxy: also match with adjacent comma
|
||||
https://github.com/curl/curl/commit/efc286b7a62af0568fdcbf3c68791c9955182128
|
||||
|
||||
noproxy: fix tail-matching
|
||||
https://github.com/curl/curl/commit/b830f9ba9e94acf672cd191993ff679fa888838b
|
||||
|
||||
noproxy: tailmatch like in 7.85.0 and earlier
|
||||
https://github.com/curl/curl/commit/b1953c1933b369b1217ef0f16053e26da63488c3
|
||||
|
||||
Index: lib/noproxy.c
|
||||
--- lib/noproxy.c.orig
|
||||
+++ lib/noproxy.c
|
||||
@@ -149,9 +149,14 @@ bool Curl_check_noproxy(const char *name, const char *
|
||||
}
|
||||
else {
|
||||
unsigned int address;
|
||||
+ namelen = strlen(name);
|
||||
if(1 == Curl_inet_pton(AF_INET, name, &address))
|
||||
type = TYPE_IPV4;
|
||||
- namelen = strlen(name);
|
||||
+ else {
|
||||
+ /* ignore trailing dots in the host name */
|
||||
+ if(name[namelen - 1] == '.')
|
||||
+ namelen--;
|
||||
+ }
|
||||
}
|
||||
|
||||
while(*p) {
|
||||
@@ -173,33 +178,50 @@ bool Curl_check_noproxy(const char *name, const char *
|
||||
if(tokenlen) {
|
||||
switch(type) {
|
||||
case TYPE_HOST:
|
||||
- if(*token == '.') {
|
||||
- ++token;
|
||||
- --tokenlen;
|
||||
- /* tailmatch */
|
||||
- match = (tokenlen <= namelen) &&
|
||||
- strncasecompare(token, name + (namelen - tokenlen), namelen);
|
||||
+ /* ignore trailing dots in the token to check */
|
||||
+ if(token[tokenlen - 1] == '.')
|
||||
+ tokenlen--;
|
||||
+
|
||||
+ if(tokenlen && (*token == '.')) {
|
||||
+ /* ignore leading token dot as well */
|
||||
+ token++;
|
||||
+ tokenlen--;
|
||||
}
|
||||
- else
|
||||
- match = (tokenlen == namelen) &&
|
||||
- strncasecompare(token, name, namelen);
|
||||
+ /* A: example.com matches 'example.com'
|
||||
+ B: www.example.com matches 'example.com'
|
||||
+ C: nonexample.com DOES NOT match 'example.com'
|
||||
+ */
|
||||
+ if(tokenlen == namelen)
|
||||
+ /* case A, exact match */
|
||||
+ match = strncasecompare(token, name, namelen);
|
||||
+ else if(tokenlen < namelen) {
|
||||
+ /* case B, tailmatch domain */
|
||||
+ match = (name[namelen - tokenlen - 1] == '.') &&
|
||||
+ strncasecompare(token, name + (namelen - tokenlen),
|
||||
+ tokenlen);
|
||||
+ }
|
||||
+ /* case C passes through, not a match */
|
||||
break;
|
||||
case TYPE_IPV4:
|
||||
/* FALLTHROUGH */
|
||||
case TYPE_IPV6: {
|
||||
const char *check = token;
|
||||
- char *slash = strchr(check, '/');
|
||||
+ char *slash;
|
||||
unsigned int bits = 0;
|
||||
char checkip[128];
|
||||
+ if(tokenlen >= sizeof(checkip))
|
||||
+ /* this cannot match */
|
||||
+ break;
|
||||
+ /* copy the check name to a temp buffer */
|
||||
+ memcpy(checkip, check, tokenlen);
|
||||
+ checkip[tokenlen] = 0;
|
||||
+ check = checkip;
|
||||
+
|
||||
+ slash = strchr(check, '/');
|
||||
/* if the slash is part of this token, use it */
|
||||
- if(slash && (slash < &check[tokenlen])) {
|
||||
+ if(slash) {
|
||||
bits = atoi(slash + 1);
|
||||
- /* copy the check name to a temp buffer */
|
||||
- if(tokenlen >= sizeof(checkip))
|
||||
- break;
|
||||
- memcpy(checkip, check, tokenlen);
|
||||
- checkip[ slash - check ] = 0;
|
||||
- check = checkip;
|
||||
+ *slash = 0; /* null terminate there */
|
||||
}
|
||||
if(type == TYPE_IPV6)
|
||||
match = Curl_cidr6_match(name, check, bits);
|
|
@ -119,6 +119,7 @@ lib/pkgconfig/libcurl.pc
|
|||
@man man/man3/CURLOPT_CAINFO.3
|
||||
@man man/man3/CURLOPT_CAINFO_BLOB.3
|
||||
@man man/man3/CURLOPT_CAPATH.3
|
||||
@man man/man3/CURLOPT_CA_CACHE_TIMEOUT.3
|
||||
@man man/man3/CURLOPT_CERTINFO.3
|
||||
@man man/man3/CURLOPT_CHUNK_BGN_FUNCTION.3
|
||||
@man man/man3/CURLOPT_CHUNK_DATA.3
|
||||
|
|