transfer: strip credentials from the auto-referer header field

Added test 2081 to verify.

CVE-2021-22876

Bug: https://curl.se/docs/CVE-2021-22876.html

diff --git a/lib/transfer.c b/lib/transfer.c
index 1976bc0338bc42b055143354dfd173b1a78bbf59..a68c021c84d60257e4b94401fa5db34571bafb3b 100644 (file)
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1581,6 +1581,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
       data->state.followlocation++; /* count location-followers */
 
       if(data->set.http_auto_referer) {
+        CURLU *u;
+        char *referer;
+
         /* We are asked to automatically set the previous URL as the referer
            when we get the next URL. We pick the ->url field, which may or may
            not be 100% correct */
@@ -1590,9 +1593,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
           data->state.referer_alloc = FALSE;
         }
 
-        data->state.referer = strdup(data->state.url);
-        if(!data->state.referer)
+        /* Make a copy of the URL without crenditals and fragment */
+        u = curl_url();
+        if(!u)
+          return CURLE_OUT_OF_MEMORY;
+
+        uc = curl_url_set(u, CURLUPART_URL, data->state.url, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
+        if(!uc)
+          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
+
+        curl_url_cleanup(u);
+
+        if(uc || referer == NULL)
           return CURLE_OUT_OF_MEMORY;
+
+        data->state.referer = referer;
         data->state.referer_alloc = TRUE; /* yes, free this later */
       }
     }

diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 2c7a0ca89fd8fbf4ab10ddddf340252c342fae98..ea52683d2254ae90081b203fb2f5387767feef7f 100644 (file)
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -225,7 +225,7 @@ test2064 test2065 test2066 test2067 test2068 test2069 \
 test2064 test2065 test2066 test2067 test2068 test2069 test2070 \
          test2071 test2072 test2073 test2074 test2075 test2076 test2077 \
 test2078 \
-test2080 \
+test2080 test2081 \
 test2100 \
 \
 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \

diff --git a/tests/data/test2081 b/tests/data/test2081
new file mode 100644 (file)
index 0000000..a6733e7
--- /dev/null
+++ b/tests/data/test2081
@@ -0,0 +1,66 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+referer
+followlocation
+--write-out
+</keywords>
+</info>
+
+# Server-side
+<reply>
+<data nocheck="yes">
+HTTP/1.1 301 This is a weirdo text message swsclose\r
+Location: data/%TESTNUMBER0002.txt?coolsite=yes\r
+Content-Length: 62\r
+Connection: close\r
+\r
+This server reply is for testing a simple Location: following
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+Automatic referrer credential and anchor stripping check
+ </name>
+ <command>
+http://user:pass@%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER#anchor --location --referer ';auto' --write-out '%{referer}\n'
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+52
+</errorcode>
+<protocol>
+GET /we/want/our/%TESTNUMBER HTTP/1.1\r
+Host: %HOSTIP:%HTTPPORT\r
+Authorization: Basic dXNlcjpwYXNz\r
+User-Agent: curl/%VERSION\r
+Accept: */*\r
+\r
+GET /we/want/our/data/%TESTNUMBER0002.txt?coolsite=yes HTTP/1.1\r
+Host: %HOSTIP:%HTTPPORT\r
+Authorization: Basic dXNlcjpwYXNz\r
+User-Agent: curl/%VERSION\r
+Accept: */*\r
+Referer: http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER\r
+\r
+</protocol>
+<stdout>
+HTTP/1.1 301 This is a weirdo text message swsclose\r
+Location: data/%TESTNUMBER0002.txt?coolsite=yes\r
+Content-Length: 62\r
+Connection: close\r
+\r
+http://%HOSTIP:%HTTPPORT/we/want/our/%TESTNUMBER
+</stdout>
+</verify>
+</testcase>