author | V3n3RiX <venerix@koprulu.sector> | 2023-05-23 08:58:35 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2023-05-23 08:58:35 +0100 |
commit | 955b5fcaf4acc77c39a1f145d7c56e99f13083a7 (patch) | |
tree | 1141703ebc6ca24ff935b991e261d716a5d98243 /net-misc/curl | |
parent | 24c53d42e0294f4f6e36fbb051891af86c9ae503 (diff) |
gentoo auto-resync : 23:05:2023 - 08:58:35
Diffstat (limited to 'net-misc/curl')
-rw-r--r-- | net-misc/curl/Manifest | 4 | ||||
-rw-r--r-- | net-misc/curl/curl-8.1.0-r1.ebuild (renamed from net-misc/curl/curl-8.1.0.ebuild) | 3 | ||||
-rw-r--r-- | net-misc/curl/files/curl-8.1.0-header-length.patch | 86 | ||||
-rw-r--r-- | net-misc/curl/files/curl-8.1.0-numeric-hostname.patch | 227 |
4 files changed, 319 insertions, 1 deletions
diff --git a/net-misc/curl/Manifest b/net-misc/curl/Manifest
index 31e027614aaa..f3cb5f54f39e 100644
--- a/net-misc/curl/Manifest
+++ b/net-misc/curl/Manifest
@@ -1,10 +1,12 @@ AUX curl-7.30.0-prefix.patch 880 BLAKE2B 5b7552a8339014221864a585d174b02a96ec7dd7fe8762d331d1981834044f8ec4db64d527a4ded3f5f4cccc86f281576668de092439eb19f5477d5fcf8369cf SHA512 c7cd13b9ccbd12ed01ea121ffece9c23b898a5b34698bae59ae1dd23b1cf2445180b84d80c4a640981f16dba5018df944f405dd5c660addab54ca21e0e673b7f AUX curl-8.0.1-onion-resolution.patch 4036 BLAKE2B 7f9a693f5090585c46d596133e915b67cf6a0b0a78ee164f987de166f24fb3d64a968f6263110c119710735363429447d52e5cc52df90d0f3830cf0e10c3673b SHA512 72efe3cd6d594cd2b73a19596e587c88a7ca89ed6f9a7325df98df2e18a1e85f26232ea48e80097d2d1e2f8db2c1cd945896311cd70ee830c8838afbcb7628d9 +AUX curl-8.1.0-header-length.patch 2979 BLAKE2B f5028eeec1960abbe05124fa0bcc8e0de039facdf7b0b148abefbbe20b9051d252014e95ef942c0c1ccaab5acc878c69c8ff69ef51d5da7f39be6594eebb8ac5 SHA512 cb6145dc0471ab51bd9e901c3680f7597b2d351d0b6e7149c6436bf01c06945eb58acd6753f9994eccb13adf26794005f0379900bc7efc39aeb5459edd8dfdb2 +AUX curl-8.1.0-numeric-hostname.patch 8375 BLAKE2B 3936764975eea8499b699d126f58a8b8ad35a19a563b84c40e8f2031251bd1f7094f1bee975e1d00dde84613045a7a61a3bb9cb85794dfc9a72d0341033f75e2 SHA512 f630dc2ef72b1a918437eb1ab4bf0c64e2787fdf4dd003de215246633518d8cbf555607c5d6ac65215e6a44a678849528ea0961a9a186feff6ed994c530c0ee4 AUX curl-respect-cflags-3.patch 406 BLAKE2B 1b533144858aff5566150c4a2648ad2e48e8ff29849ae285592edfee4b3332d06e750395dea7190ee6a01d2b5ee2c2c42c10400c2e5defa09963a90a1a10417d SHA512 3219e4e67d534e35012909243fc8d69d58989462db44dd507c502e7aaa299f1d9a01392e2c83797cc2bdb53d503470c5d6e7bf94572a6ccc6e5eafcc0466bc54 DIST curl-8.0.1.tar.xz 2575544 BLAKE2B 67d82e9d71f0a351b5c2ed3ad5eab02e367ded872658a295179b935729d5105015f8c29569c396e11cd14036656af894ded85c8838cba260d9f6f1a8dcb5e22b SHA512 3bb777982659ed697ae90f113ff7b65d6ce8ba9fe6a8984cfd6769d2f051a72ba953c911abe234c204ec2cc5a35d68b4d033037fad7fba31bb92a52543f8d13d DIST curl-8.0.1.tar.xz.asc 488 BLAKE2B 
452e1bebe1028e7621bbf8829e50cf56e254cd63a8cf2a4c0332176b9f18fb2821304ae556a203996d273c986bddbd04db2218c18fd34dee66e9155861ba50ce SHA512 92c6a0570e9a8a708fe2f717b8b37a68dcb9cd4520ca50c9baafec5891bda103bce2d2dcb67f1387bf11bd7e51e0e64ccd52d196e61d58b598ad3aa1960386cf DIST curl-8.1.0.tar.xz 2612568 BLAKE2B 768a824b8f5f6ddaa073599c4106f07a8134bcbe0e0d666390be1bce16ba25386d85930853bb47bc90b2c8a499a0b2abb9c685042563801e0fe58b9c315ac6cc SHA512 b99926f372ddd715cd1d2b54d8fb96b26b085e6501715e25aa57b6c6a7f8452473506ddb284e2f280f8afdb301b7f0c3bfde7ad7ed393b12c022430a9301096d DIST curl-8.1.0.tar.xz.asc 488 BLAKE2B c1a8e50eddc7dd140af2af29736eb486e96a6d3b67a9161244daa86558f65522527380c92597a5f10e5dad187f0bda6ac5b9cadc29386bef4492bc047c77b423 SHA512 191a74c7a6b6aa78b7f36e1535fda0701bde8b333a61c90343e1f1b2d65cc5097b5febc5fa42b2f373795ef1b34078790deaaa71c8aaa45eed1c753729a45f3d EBUILD curl-8.0.1.ebuild 8766 BLAKE2B ce80e8ecb6d98cf55964660fa69b61415d7a37e369f56bb236fe04841939c7d7a7f4117aacdb3d96aa55c2f5d9d3e9083b582ac456dc342268b3835624e0c0bb SHA512 e0588ad7a77ac1497e0e37217c58a5fa73bb6cb5240b7b750a5a39d53720b7762b863490320d73462e1cb53d5d55dffb52b46778a474b9b85b8df3bcb50db91d -EBUILD curl-8.1.0.ebuild 8958 BLAKE2B 5247c66512dfab50535a5d733a632ed6bd4527e9d2f10ee3253de3fd3f15b5d5c65a95b24261f0f7f3a3b642c2a31326d9d87cf0c328383045b942021e85db5b SHA512 5aaa9953f16aff8ffd2d98fc1a6b26fefa701cee0f115732235761e11428157eb7130f1e3126a8438821d02e8bd733078b3fc8ac5533b0bd78765322b8df8372 +EBUILD curl-8.1.0-r1.ebuild 9056 BLAKE2B a7a2ebe531a83286a3d3b4c9374ed2e2528183a7f2cefe536af31b0569944abfca833f20ef6d4e5a92fe066908e285ad7c5307946d5fb60121d14fb6089a61a3 SHA512 c8aa64fe676043a5cf822987172eb580c0c9391797b867855b2284d01f8274494aed3cb34959e132b64a7cf3120e9b3fd4eafe9a5f9bc9522e710760236227c3 MISC metadata.xml 2203 BLAKE2B 939a2ec06ec2155b88d510abdfaa00eafcd5a7e5f6f7983e456ccfc7cf4179d58adbcc7f282a11bb74d217640c93896fb5038206f7c76ea2c2e2543fe0db378e SHA512 
c81d7159c0851dab0ae099c7129d965d3d3bd5cc7f7f3240052a4afab0eaa1e15efbf79265bbad5f2d257cc14b5d30daacd3aa5c3099c2ac264560e23ec797f1
diff --git a/net-misc/curl/curl-8.1.0.ebuild b/net-misc/curl/curl-8.1.0-r1.ebuild
index 12be62edfe30..bad759c48393 100644
--- a/net-misc/curl/curl-8.1.0.ebuild
+++ b/net-misc/curl/curl-8.1.0-r1.ebuild
@@ -108,6 +108,9 @@ QA_CONFIG_IMPL_DECL_SKIP=(
 PATCHES=(
 "${FILESDIR}"/${PN}-7.30.0-prefix.patch
 "${FILESDIR}"/${PN}-respect-cflags-3.patch
+ ### Backports
+ "${FILESDIR}"/${P}-numeric-hostname.patch
+ "${FILESDIR}"/${P}-header-length.patch
 )
 src_prepare() {
diff --git a/net-misc/curl/files/curl-8.1.0-header-length.patch b/net-misc/curl/files/curl-8.1.0-header-length.patch
new file mode 100644
index 000000000000..6229fd817f2a
--- /dev/null
+++ b/net-misc/curl/files/curl-8.1.0-header-length.patch
@@ -0,0 +1,86 @@
+https://github.com/curl/curl/commit/77c9a9845bbee66f3aff158b8452dc8cd963cbd5.patch
+From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
+Date: Thu, 18 May 2023 18:22:57 +0200
+Subject: [PATCH] http2: double http request parser max line length
+
+This works around #11138, by doubling the limit, and should be a
+relatively safe fix.
+
+Ideally the buffer would grow as needed and there would be no need for a
+limit? But that might be follow-up material.
+
+Fixes #11138
+Closes #11139
+---
+ lib/http1.h | 2 ++
+ lib/http2.c | 2 +-
+ lib/vquic/curl_msh3.c | 2 +-
+ lib/vquic/curl_ngtcp2.c | 2 +-
+ lib/vquic/curl_quiche.c | 2 +-
+ 5 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/http1.h b/lib/http1.h
+index c2d107587a6f8..8acb9db401a95 100644
+--- a/lib/http1.h
++++ b/lib/http1.h
+@@ -33,6 +33,8 @@
+ #define H1_PARSE_OPT_NONE (0)
+ #define H1_PARSE_OPT_STRICT (1 << 0)
+
++#define H1_PARSE_DEFAULT_MAX_LINE_LEN (8 * 1024)
++
+ struct h1_req_parser {
+ struct http_req *req;
+ struct bufq scratch;
+diff --git a/lib/http2.c b/lib/http2.c
+index 47e6f71393156..4e3b182b8d815 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -1860,7 +1860,7 @@ static ssize_t h2_submit(struct stream_ctx **pstream,
+ nghttp2_priority_spec pri_spec;
+ ssize_t nwritten;
+
+- Curl_h1_req_parse_init(&h1, (4*1024));
++ Curl_h1_req_parse_init(&h1, H1_PARSE_DEFAULT_MAX_LINE_LEN);
+ Curl_dynhds_init(&h2_headers, 0, DYN_HTTP_REQUEST);
+
+ *err = http2_data_setup(cf, data, &stream);
+diff --git a/lib/vquic/curl_msh3.c b/lib/vquic/curl_msh3.c
+index 40e89379fc402..173886739b6dc 100644
+--- a/lib/vquic/curl_msh3.c
++++ b/lib/vquic/curl_msh3.c
+@@ -575,7 +575,7 @@ static ssize_t cf_msh3_send(struct Curl_cfilter *cf, struct Curl_easy *data,
+
+ CF_DATA_SAVE(save, cf, data);
+
+- Curl_h1_req_parse_init(&h1, (4*1024));
++ Curl_h1_req_parse_init(&h1, H1_PARSE_DEFAULT_MAX_LINE_LEN);
+ Curl_dynhds_init(&h2_headers, 0, DYN_HTTP_REQUEST);
+
+ /* Sizes must match for cast below to work" */
+diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c
+index 05f960afdffa1..7794f148c6ec9 100644
+--- a/lib/vquic/curl_ngtcp2.c
++++ b/lib/vquic/curl_ngtcp2.c
+@@ -1550,7 +1550,7 @@ static ssize_t h3_stream_open(struct Curl_cfilter *cf,
+ nghttp3_data_reader reader;
+ nghttp3_data_reader *preader = NULL;
+
+- Curl_h1_req_parse_init(&h1, (4*1024));
++ Curl_h1_req_parse_init(&h1, H1_PARSE_DEFAULT_MAX_LINE_LEN);
+ Curl_dynhds_init(&h2_headers, 0, DYN_HTTP_REQUEST);
+
+ *err = h3_data_setup(cf, data);
+diff --git a/lib/vquic/curl_quiche.c b/lib/vquic/curl_quiche.c
+index 392b9beb83c59..c63e8e10a22e0 100644
+--- a/lib/vquic/curl_quiche.c
++++ b/lib/vquic/curl_quiche.c
+@@ -913,7 +913,7 @@ static ssize_t h3_open_stream(struct Curl_cfilter *cf,
+ DEBUGASSERT(stream);
+ }
+
+- Curl_h1_req_parse_init(&h1, (4*1024));
++ Curl_h1_req_parse_init(&h1, H1_PARSE_DEFAULT_MAX_LINE_LEN);
+ Curl_dynhds_init(&h2_headers, 0, DYN_HTTP_REQUEST);
+
+ DEBUGASSERT(stream);
diff --git a/net-misc/curl/files/curl-8.1.0-numeric-hostname.patch b/net-misc/curl/files/curl-8.1.0-numeric-hostname.patch
new file mode 100644
index 000000000000..6a0dd1382d62
--- /dev/null
+++ b/net-misc/curl/files/curl-8.1.0-numeric-hostname.patch
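Review bot: `H1_PARSE_DEFAULT_MAX_LINE_LEN` is added to lib/http1.h with no comment saying what it bounds, and the four call sites in http2.c, curl_msh3.c, curl_ngtcp2.c and curl_quiche.c still enforce a fixed ceiling, now 8 KiB instead of 4 KiB. The commit message itself calls this a workaround for #11138, so a request or header line above the new limit is presumably still refused by the parser; that belongs next to the define, e.g. `/* max bytes in one request/header line the h1 request parser accepts; longer lines fail the parse (workaround for #11138) */`. Keeping a bound on a parser scratch buffer is the right default, so a follow-up that lets the buffer grow should still carry an explicit upper limit. The functions around each call site start and end outside the hunks.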
@@ -0,0 +1,227 @@
+https://github.com/curl/curl/commit/92772e6d395bbdda0e7822d980caf86e8c4aa51c.patch
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 18 May 2023 00:31:17 +0200
+Subject: [PATCH] urlapi: allow numerical parts in the host name
+
+It can only be an IPv4 address if all parts are all digits and no more than
+four parts, otherwise it is a host name. Even slightly wrong IPv4 will now be
+passed through as a host name.
+
+Regression from 17a15d88467 shipped in 8.1.0
+
+Extended test 1560 accordingly.
+
+Reported-by: Pavel Kalyugin
+Fixes #11129
+Closes #11131
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -34,6 +34,7 @@
+ #include "inet_ntop.h"
+ #include "strdup.h"
+ #include "idn.h"
++#include "curl_memrchr.h"
+
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -643,8 +644,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname,
+ * Handle partial IPv4 numerical addresses and different bases, like
+ * '16843009', '0x7f', '0x7f.1' '0177.1.1.1' etc.
+ *
+- * If the given input string is syntactically wrong or any part for example is
+- * too big, this function returns FALSE and doesn't create any output.
++ * If the given input string is syntactically wrong IPv4 or any part for
++ * example is too big, this function returns HOST_NAME.
+ *
+ * Output the "normalized" version of that input string in plain quad decimal
+ * integers.
+@@ -675,7 +676,7 @@ static int ipv4_normalize(struct dynbuf *host)
+ unsigned long l;
+ if(!ISDIGIT(*c))
+ /* most importantly this doesn't allow a leading plus or minus */
+- return n ? HOST_BAD : HOST_NAME;
++ return HOST_NAME;
+ l = strtoul(c, &endp, 0);
+
+ parts[n] = l;
+@@ -684,7 +685,7 @@ static int ipv4_normalize(struct dynbuf *host)
+ switch(*c) {
+ case '.':
+ if(n == 3)
+- return HOST_BAD;
++ return HOST_NAME;
+ n++;
+ c++;
+ break;
+@@ -694,39 +695,40 @@ static int ipv4_normalize(struct dynbuf *host)
+ break;
+
+ default:
+- return n ? HOST_BAD : HOST_NAME;
++ return HOST_NAME;
+ }
+
+ /* overflow */
+ if((l == ULONG_MAX) && (errno == ERANGE))
+- return HOST_BAD;
++ return HOST_NAME;
+
+ #if SIZEOF_LONG > 4
+ /* a value larger than 32 bits */
+ if(l > UINT_MAX)
+- return HOST_BAD;
++ return HOST_NAME;
+ #endif
+ }
+
+- /* this is a valid IPv4 numerical address */
+- Curl_dyn_reset(host);
+-
+ switch(n) {
+ case 0: /* a -- 32 bits */
++ Curl_dyn_reset(host);
++
+ result = Curl_dyn_addf(host, "%u.%u.%u.%u",
+ parts[0] >> 24, (parts[0] >> 16) & 0xff,
+ (parts[0] >> 8) & 0xff, parts[0] & 0xff);
+ break;
+ case 1: /* a.b -- 8.24 bits */
+ if((parts[0] > 0xff) || (parts[1] > 0xffffff))
+- return HOST_BAD;
++ return HOST_NAME;
++ Curl_dyn_reset(host);
+ result = Curl_dyn_addf(host, "%u.%u.%u.%u",
+ parts[0], (parts[1] >> 16) & 0xff,
+ (parts[1] >> 8) & 0xff, parts[1] & 0xff);
+ break;
+ case 2: /* a.b.c -- 8.8.16 bits */
+ if((parts[0] > 0xff) || (parts[1] > 0xff) || (parts[2] > 0xffff))
+- return HOST_BAD;
++ return HOST_NAME;
++ Curl_dyn_reset(host);
+ result = Curl_dyn_addf(host, "%u.%u.%u.%u",
+ parts[0], parts[1], (parts[2] >> 8) & 0xff,
+ parts[2] & 0xff);
+@@ -734,7 +736,8 @@ static int ipv4_normalize(struct dynbuf *host)
+ case 3: /* a.b.c.d -- 8.8.8.8 bits */
+ if((parts[0] > 0xff) || (parts[1] > 0xff) || (parts[2] > 0xff) ||
+ (parts[3] > 0xff))
+- return HOST_BAD;
++ return HOST_NAME;
++ Curl_dyn_reset(host);
+ result = Curl_dyn_addf(host, "%u.%u.%u.%u",
+ parts[0], parts[1], parts[2], parts[3]);
+ break;
+@@ -796,6 +799,9 @@ static CURLUcode parse_authority(struct Curl_URL *u,
+ if(result)
+ goto out;
+
++ if(!Curl_dyn_len(host))
++ return CURLUE_NO_HOST;
++
+ switch(ipv4_normalize(host)) {
+ case HOST_IPV4:
+ break;
+--- a/tests/libtest/lib1560.c
++++ b/tests/libtest/lib1560.c
+@@ -474,6 +474,13 @@ static const struct testcase get_parts_list[] ={
+ };
+
+ static const struct urltestcase get_url_list[] = {
++ {"https://1.0x1000000", "https://1.0x1000000/", 0, 0, CURLUE_OK},
++ {"https://0x7f.1", "https://127.0.0.1/", 0, 0, CURLUE_OK},
++ {"https://1.2.3.256.com", "https://1.2.3.256.com/", 0, 0, CURLUE_OK},
++ {"https://10.com", "https://10.com/", 0, 0, CURLUE_OK},
++ {"https://1.2.com", "https://1.2.com/", 0, 0, CURLUE_OK},
++ {"https://1.2.3.com", "https://1.2.3.com/", 0, 0, CURLUE_OK},
++ {"https://1.2.com.99", "https://1.2.com.99/", 0, 0, CURLUE_OK},
+ {"https://[fe80::0000:20c:29ff:fe9c:409b]:80/moo",
+ "https://[fe80::20c:29ff:fe9c:409b]:80/moo",
+ 0, 0, CURLUE_OK},
+@@ -522,22 +529,24 @@ static const struct urltestcase get_url_list[] = {
+
+ /* IPv4 trickeries */
+ {"https://16843009", "https://1.1.1.1/", 0, 0, CURLUE_OK},
+- {"https://0x7f.1", "https://127.0.0.1/", 0, 0, CURLUE_OK},
+ {"https://0177.1", "https://127.0.0.1/", 0, 0, CURLUE_OK},
+ {"https://0111.02.0x3", "https://73.2.0.3/", 0, 0, CURLUE_OK},
++ {"https://0111.02.0x3.", "https://0111.02.0x3./", 0, 0, CURLUE_OK},
++ {"https://0111.02.030", "https://73.2.0.24/", 0, 0, CURLUE_OK},
++ {"https://0111.02.030.", "https://0111.02.030./", 0, 0, CURLUE_OK},
+ {"https://0xff.0xff.0377.255", "https://255.255.255.255/", 0, 0, CURLUE_OK},
+ {"https://1.0xffffff", "https://1.255.255.255/", 0, 0, CURLUE_OK},
+ /* IPv4 numerical overflows or syntax errors will not normalize */
+ {"https://a127.0.0.1", "https://a127.0.0.1/", 0, 0, CURLUE_OK},
+ {"https://\xff.127.0.0.1", "https://%FF.127.0.0.1/", 0, CURLU_URLENCODE,
+ CURLUE_OK},
+- {"https://127.-0.0.1", "https://127.-0.0.1/", 0, 0, CURLUE_BAD_HOSTNAME},
++ {"https://127.-0.0.1", "https://127.-0.0.1/", 0, 0, CURLUE_OK},
+ {"https://127.0. 1", "https://127.0.0.1/", 0, 0, CURLUE_MALFORMED_INPUT},
+- {"https://1.0x1000000", "https://1.0x1000000/", 0, 0, CURLUE_BAD_HOSTNAME},
+- {"https://1.2.3.256", "https://1.2.3.256/", 0, 0, CURLUE_BAD_HOSTNAME},
+- {"https://1.2.3.4.5", "https://1.2.3.4.5/", 0, 0, CURLUE_BAD_HOSTNAME},
+- {"https://1.2.0x100.3", "https://1.2.0x100.3/", 0, 0, CURLUE_BAD_HOSTNAME},
+- {"https://4294967296", "https://4294967296/", 0, 0, CURLUE_BAD_HOSTNAME},
++ {"https://1.2.3.256", "https://1.2.3.256/", 0, 0, CURLUE_OK},
++ {"https://1.2.3.256.", "https://1.2.3.256./", 0, 0, CURLUE_OK},
++ {"https://1.2.3.4.5", "https://1.2.3.4.5/", 0, 0, CURLUE_OK},
++ {"https://1.2.0x100.3", "https://1.2.0x100.3/", 0, 0, CURLUE_OK},
++ {"https://4294967296", "https://4294967296/", 0, 0, CURLUE_OK},
+ {"https://123host", "https://123host/", 0, 0, CURLUE_OK},
+ /* 40 bytes scheme is the max allowed */
+ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA://hostname/path",
+@@ -599,20 +608,11 @@ static const struct urltestcase get_url_list[] = {
+ 0, 0, CURLUE_OK},
+ /* here the password has the semicolon */
+ {"http://user:pass;word@host/file",
+- "http://user:pass;word@host/file",
+- 0, 0, CURLUE_OK},
+- {"file:///file.txt#moo",
+- "file:///file.txt#moo",
+- 0, 0, CURLUE_OK},
+- {"file:////file.txt",
+- "file:////file.txt",
+- 0, 0, CURLUE_OK},
+- {"file:///file.txt",
+- "file:///file.txt",
+- 0, 0, CURLUE_OK},
+- {"file:./",
+- "file://",
+- 0, 0, CURLUE_BAD_SCHEME},
++ "http://user:pass;word@host/file", 0, 0, CURLUE_OK},
++ {"file:///file.txt#moo", "file:///file.txt#moo", 0, 0, CURLUE_OK},
++ {"file:////file.txt", "file:////file.txt", 0, 0, CURLUE_OK},
++ {"file:///file.txt", "file:///file.txt", 0, 0, CURLUE_OK},
++ {"file:./", "file://", 0, 0, CURLUE_OK},
+ {"http://example.com/hello/../here",
+ "http://example.com/hello/../here",
+ CURLU_PATH_AS_IS, 0, CURLUE_OK},
+@@ -1124,7 +1124,7 @@ static int get_url(void)
+ }
+ curl_free(url);
+ }
+- else if(rc != get_url_list[i].ucode) {
++ if(rc != get_url_list[i].ucode) {
+ fprintf(stderr, "Get URL\nin: %s\nreturned %d (expected %d)\n",
+ get_url_list[i].in, (int)rc, get_url_list[i].ucode);
+ error++;
+@@ -1515,6 +1515,9 @@ int test(char *URL)
+ {
+ (void)URL; /* not used */
+
++ if(get_url())
++ return 3;
++
+ if(huge())
+ return 9;
+
+@@ -1533,9 +1536,6 @@ int test(char *URL)
+ if(set_parts())
+ return 2;
+
+- if(get_url())
+- return 3;
+-
+ if(get_parts())
+ return 4;
+
|
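Review bot: After this backport every malformed-numeric path in `ipv4_normalize` returns `HOST_NAME`, so inputs for which the lib1560 table used to expect `CURLUE_BAD_HOSTNAME` (`1.2.3.256`, `1.2.3.4.5`, `4294967296`, `127.-0.0.1`) are now accepted and kept verbatim as host names. Callers that filter destinations on the parsed host (allow/deny lists, loopback or private-range checks) can therefore no longer read `HOST_NAME` as "contains no address-like form", and what the resolver makes of such a string is decided outside these hunks. The function comment should say so, e.g. `* HOST_NAME is also returned for out-of-range or over-long numeric forms; they are passed on unchanged, not rejected.` Separately, the added `#include "curl_memrchr.h"` has no use in the visible urlapi.c hunks, so confirm it is needed for this backport. `ipv4_normalize` and `parse_authority` both start and end outside the hunks shown.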