mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2024-12-15 06:40:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

hsts: ignore trailing dots when comparing hosts names

Browse Source 
CVE-2022-30115

Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-30115.html
Closes #8821
This commit is contained in:
Daniel Stenberg 2022-05-09 08:13:55 +02:00
parent ff3ee510c3
commit fae6fea209
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lib/hsts.c
View File

@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h,
curl_off_t expires)
{
struct stsentry *sts = hsts_entry();
char *duphost;
size_t hlen;
if(!sts)
return CURLE_OUT_OF_MEMORY;
sts->expires = expires;
sts->includeSubDomains = subdomains;
sts->host = strdup(hostname);
if(!sts->host) {
duphost = strdup(hostname);
if(!duphost) {
free(sts);
return CURLE_OUT_OF_MEMORY;
}
hlen = strlen(duphost);
if(duphost[hlen - 1] == '.')
/* strip off trailing any dot */
duphost[--hlen] = 0;
sts->host = duphost;
sts->expires = expires;
sts->includeSubDomains = subdomains;
Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node);
return CURLE_OK;
}
@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
bool subdomain)
{
if(h) {
char buffer[MAX_HSTS_HOSTLEN + 1];
time_t now = time(NULL);
size_t hlen = strlen(hostname);
struct Curl_llist_element *e;
struct Curl_llist_element *n;
if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
return NULL;
memcpy(buffer, hostname, hlen);
if(hostname[hlen-1] == '.')
/* remove the trailing dot */
--hlen;
buffer[hlen] = 0;
hostname = buffer;
for(e = h->list.head; e; e = n) {
struct stsentry *sts = e->ptr;
n = e->next;
@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h)
CURLSTScode sc;
DEBUGASSERT(h);
do {
char buffer[257];
char buffer[MAX_HSTS_HOSTLEN + 1];
struct curl_hstsentry e;
e.name = buffer;
e.namelen = sizeof(buffer)-1;