From 600a8cded447cd7118ed50142c576567c0cf5158 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 14 May 2020 14:37:12 +0200 Subject: [PATCH] url: make the updated credentials URL-encoded in the URL Found-by: Gregory Jefferis Reported-by: Jeroen Ooms Added test 1168 to verify. Bug spotted when doing a redirect. Bug: https://github.com/jeroen/curl/issues/224 Closes #5400 Upstream-Status: Backport https://github.com/curl/curl/commit/600a8cded447cd CVE: CVE-2020-8169 Signed-off-by: Armin Kuster --- lib/url.c | 6 ++-- tests/data/Makefile.inc | 1 + tests/data/test1168 | 78 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 2 deletions(-) create mode 100644 tests/data/test1168 Index: curl-7.69.1/lib/url.c =================================================================== --- curl-7.69.1.orig/lib/url.c +++ curl-7.69.1/lib/url.c @@ -2776,12 +2776,14 @@ static CURLcode override_login(struct Cu /* for updated strings, we update them in the URL */ if(user_changed) { - uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, 0); + uc = curl_url_set(data->state.uh, CURLUPART_USER, *userp, + CURLU_URLENCODE); if(uc) return Curl_uc_to_curlcode(uc); } if(passwd_changed) { - uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, 0); + uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD, *passwdp, + CURLU_URLENCODE); if(uc) return Curl_uc_to_curlcode(uc); } Index: curl-7.69.1/tests/data/Makefile.inc =================================================================== --- curl-7.69.1.orig/tests/data/Makefile.inc +++ curl-7.69.1/tests/data/Makefile.inc @@ -129,7 +129,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \ test1152 test1153 test1154 test1155 test1156 test1157 test1158 test1159 \ -test1160 test1161 test1162 test1163 test1164 test1165 \ +test1160 test1161 test1162 test1163 test1164 test1165 test1168 \ test1170 test1171 test1172 test1173 test1174 \ \ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ Index: curl-7.69.1/tests/data/test1168 =================================================================== --- /dev/null +++ curl-7.69.1/tests/data/test1168 @@ -0,0 +1,78 @@ + + + +HTTP +HTTP GET +followlocation + + +# Server-side + + +HTTP/1.1 301 This is a weirdo text message swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Location: /data/11680002.txt +Connection: close + +This server reply is for testing a simple Location: following + + + +HTTP/1.1 200 Followed here fine swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Content-Length: 52 + +If this is received, the location following worked + + + +HTTP/1.1 301 This is a weirdo text message swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Location: /data/11680002.txt +Connection: close + +HTTP/1.1 200 Followed here fine swsclose +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake +Content-Length: 52 + +If this is received, the location following worked + + + + +# Client-side + + +http + + +HTTP redirect with credentials using # in user and password + + +http://%HOSTIP:%HTTPPORT/want/1168 -L -u "catmai#d:#DZaRJYrixKE*gFY" + + + +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET /want/1168 HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== +Accept: */* + +GET /data/11680002.txt HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +Authorization: Basic Y2F0bWFpI2Q6I0RaYVJKWXJpeEtFKmdGWQ== +Accept: */* + + + +