curl/curl-disabled-redirect-protocol-message.patch

Index: curl-7.82.0/lib/url.c
===================================================================
--- curl-7.82.0.orig/lib/url.c
+++ curl-7.82.0/lib/url.c
@@ -1832,9 +1832,13 @@ static CURLcode findprotocol(struct Curl
     /* it is allowed for "normal" request, now do an extra check if this is
        the result of a redirect */
     if(data->state.this_is_a_follow &&
-       !(data->set.redir_protocols & p->protocol))
+       !(data->set.redir_protocols & p->protocol)) {
       /* nope, get out */
-      ;
+       failf(data, "Redirect to protocol \"%s\" not supported or disabled in "
+             LIBCURL_NAME, protostr);
+
+       return CURLE_UNSUPPORTED_PROTOCOL;
+    }
     else {
       /* Perform setup complement if some. */
       conn->handler = conn->given = p;
Accepting request 973058 from home:david.anes:branches:devel:libraries:c_c++ - Patches rework: * Refreshed all patches as -p1. * Use autopatch macro. * Renamed: - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch * Removed (already upstream): - curl-fix-verifyhost.patch - Update to 7.83.0: * Security fixes: - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse - (bsc#1198608, CVE-2022-27774) Credential leak on redirect - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use * Changes: - curl: add %header{name} experimental support in -w handling - curl: add %{header_json} experimental support in -w handling - curl: add --no-clobber - curl: add --remove-on-error - header api: add curl_easy_header and curl_easy_nextheader - msh3: add support for QUIC and HTTP/3 using msh3 * Bugfixes: - appveyor: add Cygwin build - appveyor: only add MSYS2 to PATH where required - BearSSL: add CURLOPT_SSL_CIPHER_LIST support - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support - BINDINGS.md: add Hollywood binding - CI: Do not use buildconf. Instead, just use: autoreconf -fi - CI: install Python package impacket to run SMB test 1451 - configure.ac: move -pthread CFLAGS setting back where it used to be - configure: bump the copyright year range int the generated output OBS-URL: https://build.opensuse.org/request/show/973058 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=310 2022-04-27 11:43:43 +02:00			`Index: curl-7.82.0/lib/url.c`
Accepting request 645709 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to version 7.62.0 Changes: * multiplex: enable by default * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled * setopt: add CURLOPT_DOH_URL * curl: --doh-url added * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size * imap: change from "FETCH" to "UID FETCH" * configure: add option to disable automatic OpenSSL config loading * upkeep: add a connection upkeep API: curl_easy_upkeep() * URL-API: added five new functions * vtls: MesaLink is a new TLS backend Bugfixes: * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758] * CVE-2018-16840: use-after-free in handle close [bsc#1113029] * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660] * CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated * Curl_dedotdotify(): always nul terminate returned string * Curl_follow: Always free the passed new URL * Curl_http2_done: fix memleak in error path * Curl_retry_request: fix memory leak * Curl_saferealloc: Fixed typo in docblock * FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output * GnutTLS: TLS 1.3 support * SECURITY-PROCESS: mention the bountygraph program * VS projects: add USE_IPV6: * certs: generate tests certs with sha256 digest algorithm * checksrc: enable strict mode and warnings * checksrc: handle zero scoped ignore commands * cmake: Backport to work with CMake 3.0 again OBS-URL: https://build.opensuse.org/request/show/645709 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=235 2018-10-31 12:23:21 +01:00			`===================================================================`
Accepting request 973058 from home:david.anes:branches:devel:libraries:c_c++ - Patches rework: * Refreshed all patches as -p1. * Use autopatch macro. * Renamed: - dont-mess-with-rpmoptflags.diff -> dont-mess-with-rpmoptflags.patch * Removed (already upstream): - curl-fix-verifyhost.patch - Update to 7.83.0: * Security fixes: - (bsc#1198766, CVE-2022-27776) Auth/cookie leak on redirect - (bsc#1198723, CVE-2022-27775) Bad local IPv6 connection reuse - (bsc#1198608, CVE-2022-27774) Credential leak on redirect - (bsc#1198614, CVE-2022-22576) OAUTH2 bearer bypass in connection re-use * Changes: - curl: add %header{name} experimental support in -w handling - curl: add %{header_json} experimental support in -w handling - curl: add --no-clobber - curl: add --remove-on-error - header api: add curl_easy_header and curl_easy_nextheader - msh3: add support for QUIC and HTTP/3 using msh3 * Bugfixes: - appveyor: add Cygwin build - appveyor: only add MSYS2 to PATH where required - BearSSL: add CURLOPT_SSL_CIPHER_LIST support - BearSSL: add CURLOPT_SSL_CTX_FUNCTION support - BINDINGS.md: add Hollywood binding - CI: Do not use buildconf. Instead, just use: autoreconf -fi - CI: install Python package impacket to run SMB test 1451 - configure.ac: move -pthread CFLAGS setting back where it used to be - configure: bump the copyright year range int the generated output OBS-URL: https://build.opensuse.org/request/show/973058 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=310 2022-04-27 11:43:43 +02:00			`--- curl-7.82.0.orig/lib/url.c`
			`+++ curl-7.82.0/lib/url.c`
			`@@ -1832,9 +1832,13 @@ static CURLcode findprotocol(struct Curl`
Accepting request 645709 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to version 7.62.0 Changes: * multiplex: enable by default * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled * setopt: add CURLOPT_DOH_URL * curl: --doh-url added * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size * imap: change from "FETCH" to "UID FETCH" * configure: add option to disable automatic OpenSSL config loading * upkeep: add a connection upkeep API: curl_easy_upkeep() * URL-API: added five new functions * vtls: MesaLink is a new TLS backend Bugfixes: * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758] * CVE-2018-16840: use-after-free in handle close [bsc#1113029] * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660] * CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated * Curl_dedotdotify(): always nul terminate returned string * Curl_follow: Always free the passed new URL * Curl_http2_done: fix memleak in error path * Curl_retry_request: fix memory leak * Curl_saferealloc: Fixed typo in docblock * FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output * GnutTLS: TLS 1.3 support * SECURITY-PROCESS: mention the bountygraph program * VS projects: add USE_IPV6: * certs: generate tests certs with sha256 digest algorithm * checksrc: enable strict mode and warnings * checksrc: handle zero scoped ignore commands * cmake: Backport to work with CMake 3.0 again OBS-URL: https://build.opensuse.org/request/show/645709 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=235 2018-10-31 12:23:21 +01:00			`/* it is allowed for "normal" request, now do an extra check if this is`
			`the result of a redirect */`
			`if(data->state.this_is_a_follow &&`
			`- !(data->set.redir_protocols & p->protocol))`
			`+ !(data->set.redir_protocols & p->protocol)) {`
			`/* nope, get out */`
			`- ;`
Accepting request 856452 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to 7.74.0 * Changes: hsts: add experimental support for Strict-Transport-Security * Bugfixes: - Inferior OCSP verification [bsc#1179593, CVE-2020-8286] - FTP wildcard stack overflow [bsc#1179399, CVE-2020-8285] - trusting FTP PASV responses [bsc#1179398, CVE-2020-8284] - Revert "multi: implement wait using winsock events" - openssl: free mem_buf in error path - ntlm: avoid malloc(0) on zero length user and domain - ngtcp2: use the minimal version of QUIC supported by ngtcp2 - ngtcp2: advertise h3 ALPN unconditionally - file: avoid duplicated code sequence - openssl: guard against OOM on context creation - docs: document the 8MB input string limit for curl_easy_escape and curl_easy_setopt() - hsts: add read/write callbacks - hsts: add support for Strict-Transport-Security - alt-svc: enable by default - checksrc: warn on empty line before open brace - connect: repair build without ipv6 availability - curl.se: new home - ftp: retry getpeername for FTP with TCP_FASTOPEN - gnutls: fix memory leaks (certfields memory wasn't released) - http: pass correct header size to debug callback for chunked post - libssh2: fix transport over HTTPS proxy - openssl: guard against OOM on context creation - openssl: use OPENSSL_init_ssl() with >= 1.1.0 - Revert "multi: implement wait using winsock events" - socks: check for DNS entries with the right port number OBS-URL: https://build.opensuse.org/request/show/856452 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=288 2020-12-19 19:24:38 +01:00			`+ failf(data, "Redirect to protocol \"%s\" not supported or disabled in "`
			`+ LIBCURL_NAME, protostr);`
Accepting request 586981 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Added message about protocol redirection not supported or disabled to the function findprotocol() [bsc#1076446] * Added curl-disabled-redirect-protocol-message.patch - Update to version 7.59.0 [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121] [bsc#1084532, CVE-2018-1000122] Changes: * curl: add --proxy-pinnedpubkey * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS * Add new tool option --happy-eyeballs-timeout-ms * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA Bugfixes: * openldap: check ldap_get_attribute_ber() results for NULL before using * FTP: reject path components with control codes * readwrite: make sure excess reads don't go beyond buffer end * lib555: drop text conversion and encode data as ascii codes * lib517: make variable static to avoid compiler warning * lib544: sync ascii code data with textual data * GSKit: restore pinnedpubkey functionality * darwinssl: Don't import client certificates into Keychain on macOS * parsedate: fix date parsing for systems with 32 bit long * openssl: fix pinned public key build error in FIPS mode * SChannel/WinSSL: Implement public key pinning * cookies: remove verbose "cookie size:" output * progress-bar: don't use stderr explicitly, use bar->out * build: open VC15 projects with VS 2017 * curl_ctype: private is*() type macros and functions OBS-URL: https://build.opensuse.org/request/show/586981 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=222 2018-03-14 17:35:07 +01:00			`+`
Accepting request 645709 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Update to version 7.62.0 Changes: * multiplex: enable by default * url: default to CURL_HTTP_VERSION_2TLS if built h2-enabled * setopt: add CURLOPT_DOH_URL * curl: --doh-url added * setopt: add CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer size * imap: change from "FETCH" to "UID FETCH" * configure: add option to disable automatic OpenSSL config loading * upkeep: add a connection upkeep API: curl_easy_upkeep() * URL-API: added five new functions * vtls: MesaLink is a new TLS backend Bugfixes: * CVE-2018-16839: SASL password overflow via integer overflow [bsc#1112758] * CVE-2018-16840: use-after-free in handle close [bsc#1113029] * CVE-2018-16842: warning message out-of-buffer read [bsc#1113660] * CURLOPT_DNS_USE_GLOBAL_CACHE: deprecated * Curl_dedotdotify(): always nul terminate returned string * Curl_follow: Always free the passed new URL * Curl_http2_done: fix memleak in error path * Curl_retry_request: fix memory leak * Curl_saferealloc: Fixed typo in docblock * FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output * GnutTLS: TLS 1.3 support * SECURITY-PROCESS: mention the bountygraph program * VS projects: add USE_IPV6: * certs: generate tests certs with sha256 digest algorithm * checksrc: enable strict mode and warnings * checksrc: handle zero scoped ignore commands * cmake: Backport to work with CMake 3.0 again OBS-URL: https://build.opensuse.org/request/show/645709 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=235 2018-10-31 12:23:21 +01:00			`+ return CURLE_UNSUPPORTED_PROTOCOL;`
			`+ }`
			`else {`
Accepting request 586981 from home:pmonrealgonzalez:branches:devel:libraries:c_c++ - Added message about protocol redirection not supported or disabled to the function findprotocol() [bsc#1076446] * Added curl-disabled-redirect-protocol-message.patch - Update to version 7.59.0 [bsc#1084521, CVE-2018-1000120][bsc#1084524, CVE-2018-1000121] [bsc#1084532, CVE-2018-1000122] Changes: * curl: add --proxy-pinnedpubkey * added: CURLOPT_TIMEVALUE_LARGE and CURLINFO_FILETIME_T * CURLOPT_RESOLVE: Add support for multiple IP addresses per entry * Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS * Add new tool option --happy-eyeballs-timeout-ms * Add CURLOPT_RESOLVER_START_FUNCTION and CURLOPT_RESOLVER_START_DATA Bugfixes: * openldap: check ldap_get_attribute_ber() results for NULL before using * FTP: reject path components with control codes * readwrite: make sure excess reads don't go beyond buffer end * lib555: drop text conversion and encode data as ascii codes * lib517: make variable static to avoid compiler warning * lib544: sync ascii code data with textual data * GSKit: restore pinnedpubkey functionality * darwinssl: Don't import client certificates into Keychain on macOS * parsedate: fix date parsing for systems with 32 bit long * openssl: fix pinned public key build error in FIPS mode * SChannel/WinSSL: Implement public key pinning * cookies: remove verbose "cookie size:" output * progress-bar: don't use stderr explicitly, use bar->out * build: open VC15 projects with VS 2017 * curl_ctype: private is*() type macros and functions OBS-URL: https://build.opensuse.org/request/show/586981 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=222 2018-03-14 17:35:07 +01:00			`/* Perform setup complement if some. */`
			`conn->handler = conn->given = p;`