From c8c0db4fc5459c47cb422407cfd3ee3406c40734 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 08:13:54 +0200
Subject: [PATCH 1/2] test440/441: verify HSTS with trailing dots
Upstream-commit: ff3ee510c328db03bf171cae6179bb9463fb054f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/Makefile.inc | 2 ++
tests/data/test440 | 72 +++++++++++++++++++++++++++++++++++++++++
tests/data/test441 | 72 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 146 insertions(+)
create mode 100644 tests/data/test440
create mode 100644 tests/data/test441
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 175fc43..a5b8dc2 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -72,6 +72,8 @@ test409 test410 \
\
test430 test431 test432 test433 test434 test435 test436 \
\
+test440 test441 \
+\
test490 test491 test492 test493 test494 \
\
test500 test501 test502 test503 test504 test505 test506 test507 test508 \
diff --git a/tests/data/test440 b/tests/data/test440
new file mode 100644
index 0000000..c640b02
--- /dev/null
+++ b/tests/data/test440
@@ -0,0 +1,72 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HSTS
+trailing-dot
+</keywords>
+</info>
+
+<reply>
+
+# we use this as response to a CONNECT
+<connect nocheck="yes">
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+-foo-
+</connect>
+</reply>
+
+<client>
+<server>
+http
+</server>
+<features>
+HSTS
+proxy
+https
+</features>
+
+# no trailing dot in the file only in the URL
+<file name="log/input%TESTNUMBER">
+this.hsts.example "99991001 04:47:41"
+</file>
+
+<name>
+HSTS with trailing-dot host name in URL but none in hsts file
+</name>
+<command>
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example./%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
+</command>
+</client>
+
+<verify>
+# we let it CONNECT to the server to confirm HSTS but deny from there
+<protocol>
+CONNECT this.hsts.example.:443 HTTP/1.1
+Host: this.hsts.example.:443
+User-Agent: curl/%VERSION
+Proxy-Connection: Keep-Alive
+
+</protocol>
+<stdout>
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+https://this.hsts.example./%TESTNUMBER
+</stdout>
+# Proxy CONNECT aborted
+<errorcode>
+56
+</errorcode>
+</verify>
+</testcase>
diff --git a/tests/data/test441 b/tests/data/test441
new file mode 100644
index 0000000..7f5245b
--- /dev/null
+++ b/tests/data/test441
@@ -0,0 +1,72 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HSTS
+trailing-dot
+</keywords>
+</info>
+
+<reply>
+
+# we use this as response to a CONNECT
+<connect nocheck="yes">
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+-foo-
+</connect>
+</reply>
+
+<client>
+<server>
+http
+</server>
+<features>
+HSTS
+proxy
+https
+</features>
+
+# no trailing dot in the file only in the URL
+<file name="log/input%TESTNUMBER">
+this.hsts.example. "99991001 04:47:41"
+</file>
+
+<name>
+HSTS with no t-dot host name in URL but t-dot in file
+</name>
+<command>
+-x http://%HOSTIP:%HTTPPORT http://this.hsts.example/%TESTNUMBER --hsts log/input%TESTNUMBER -w '%{url_effective}\n'
+</command>
+</client>
+
+<verify>
+# we let it CONNECT to the server to confirm HSTS but deny from there
+<protocol>
+CONNECT this.hsts.example:443 HTTP/1.1
+Host: this.hsts.example:443
+User-Agent: curl/%VERSION
+Proxy-Connection: Keep-Alive
+
+</protocol>
+<stdout>
+HTTP/1.1 403 not OK at all
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 6
+Connection: close
+Funny-head: yesyes
+
+https://this.hsts.example/%TESTNUMBER
+</stdout>
+# Proxy CONNECT aborted
+<errorcode>
+56
+</errorcode>
+</verify>
+</testcase>
--
2.34.1
From fa4a1193f9bb9970b925cc7795d481c8ee9a0a4a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 08:13:55 +0200
Subject: [PATCH 2/2] hsts: ignore trailing dots when comparing hosts names
CVE-2022-30115
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-30115.html
Closes #8821
Upstream-commit: fae6fea209a2d4db1582f608bd8cc8000721733a
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/hsts.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/lib/hsts.c b/lib/hsts.c
index 03fcc9e..b9fa6f7 100644
--- a/lib/hsts.c
+++ b/lib/hsts.c
@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
curl_off_t expires)
{
struct stsentry *sts = hsts_entry();
+ char *duphost;
+ size_t hlen;
if(!sts)
return CURLE_OUT_OF_MEMORY;
- sts->expires = expires;
- sts->includeSubDomains = subdomains;
- sts->host = strdup(hostname);
- if(!sts->host) {
+ duphost = strdup(hostname);
+ if(!duphost) {
free(sts);
return CURLE_OUT_OF_MEMORY;
}
+
+ hlen = strlen(duphost);
+ if(duphost[hlen - 1] == '.')
+ /* strip off trailing any dot */
+ duphost[--hlen] = 0;
+
+ sts->host = duphost;
+ sts->expires = expires;
+ sts->includeSubDomains = subdomains;
Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
return CURLE_OK;
}
@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
bool subdomain)
{
if(h) {
+ char buffer[MAX_HSTS_HOSTLEN + 1];
time_t now = time(NULL);
size_t hlen = strlen(hostname);
struct Curl_llist_element *e;
struct Curl_llist_element *n;
+
+ if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
+ return NULL;
+ memcpy(buffer, hostname, hlen);
+ if(hostname[hlen-1] == '.')
+ /* remove the trailing dot */
+ --hlen;
+ buffer[hlen] = 0;
+ hostname = buffer;
+
for(e = h->list.head; e; e = n) {
struct stsentry *sts = e->ptr;
n = e->next;
@@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
CURLSTScode sc;
DEBUGASSERT(h);
do {
- char buffer[257];
+ char buffer[MAX_HSTS_HOSTLEN + 1];
struct curl_hstsentry e;
e.name = buffer;
e.namelen = sizeof(buffer)-1;
--
2.34.1