Bjørn Lie
5b8cb29a58
(boo#1233285 CVE-2024-52530 glgo#GNOME/libsoup#377). - Add libsoup-CVE-2024-52532.patch: websocket: Process the frame as soon as we read data (boo#1233287 CVE-2024-52532). - Add 29b96fab.patch: websocket-test: disconnect error copy after the test ends (glgo#GNOME/libsoup#391). - Add a35222dd.patch: be more robust against invalid input when parsing params (boo#1233292 CVE-2024-52531 glgo#GNOME/libsoup!407). OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/libsoup2?expand=0&rev=13
146 lines
4.0 KiB
Diff
146 lines
4.0 KiB
Diff
From 04df03bc092ac20607f3e150936624d4f536e68b Mon Sep 17 00:00:00 2001
|
|
From: Patrick Griffis <pgriffis@igalia.com>
|
|
Date: Mon, 8 Jul 2024 12:33:15 -0500
|
|
Subject: [PATCH] headers: Strictly don't allow NUL bytes
|
|
|
|
In the past (2015) this was allowed for some problematic sites. However Chromium also does not allow NUL bytes in either header names or values these days. So this should no longer be a problem.
|
|
---
|
|
libsoup/soup-headers.c | 15 +++------
|
|
tests/header-parsing-test.c | 62 +++++++++++++++++--------------------
|
|
2 files changed, 32 insertions(+), 45 deletions(-)
|
|
|
|
diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
|
|
index a0cf351ac..f30ee467a 100644
|
|
--- a/libsoup/soup-headers.c
|
|
+++ b/libsoup/soup-headers.c
|
|
@@ -51,13 +51,14 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
|
|
* ignorable trailing whitespace.
|
|
*/
|
|
|
|
+ /* No '\0's are allowed */
|
|
+ if (memchr (str, '\0', len))
|
|
+ return FALSE;
|
|
+
|
|
/* Skip over the Request-Line / Status-Line */
|
|
headers_start = memchr (str, '\n', len);
|
|
if (!headers_start)
|
|
return FALSE;
|
|
- /* No '\0's in the Request-Line / Status-Line */
|
|
- if (memchr (str, '\0', headers_start - str))
|
|
- return FALSE;
|
|
|
|
/* We work on a copy of the headers, which we can write '\0's
|
|
* into, so that we don't have to individually g_strndup and
|
|
@@ -69,14 +70,6 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
|
|
headers_copy[copy_len] = '\0';
|
|
value_end = headers_copy;
|
|
|
|
- /* There shouldn't be any '\0's in the headers already, but
|
|
- * this is the web we're talking about.
|
|
- */
|
|
- while ((p = memchr (headers_copy, '\0', copy_len))) {
|
|
- memmove (p, p + 1, copy_len - (p - headers_copy));
|
|
- copy_len--;
|
|
- }
|
|
-
|
|
while (*(value_end + 1)) {
|
|
name = value_end + 1;
|
|
name_end = strchr (name, ':');
|
|
diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
|
|
index edf8eebb3..715c2c6f2 100644
|
|
--- a/tests/header-parsing-test.c
|
|
+++ b/tests/header-parsing-test.c
|
|
@@ -358,24 +358,6 @@ static struct RequestTest {
|
|
}
|
|
},
|
|
|
|
- { "NUL in header name", "760832",
|
|
- "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
|
|
- SOUP_STATUS_OK,
|
|
- "GET", "/", SOUP_HTTP_1_1,
|
|
- { { "Host", "example.com" },
|
|
- { NULL }
|
|
- }
|
|
- },
|
|
-
|
|
- { "NUL in header value", "760832",
|
|
- "GET / HTTP/1.1\r\nHost: example\x00" "com\r\n", 35,
|
|
- SOUP_STATUS_OK,
|
|
- "GET", "/", SOUP_HTTP_1_1,
|
|
- { { "Host", "examplecom" },
|
|
- { NULL }
|
|
- }
|
|
- },
|
|
-
|
|
/************************/
|
|
/*** INVALID REQUESTS ***/
|
|
/************************/
|
|
@@ -448,6 +430,21 @@ static struct RequestTest {
|
|
SOUP_STATUS_EXPECTATION_FAILED,
|
|
NULL, NULL, -1,
|
|
{ { NULL } }
|
|
+ },
|
|
+
|
|
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
|
|
+ { "NUL in header name", NULL,
|
|
+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
|
|
+ SOUP_STATUS_BAD_REQUEST,
|
|
+ NULL, NULL, -1,
|
|
+ { { NULL } }
|
|
+ },
|
|
+
|
|
+ { "NUL in header value", NULL,
|
|
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
|
|
+ SOUP_STATUS_BAD_REQUEST,
|
|
+ NULL, NULL, -1,
|
|
+ { { NULL } }
|
|
}
|
|
};
|
|
static const int num_reqtests = G_N_ELEMENTS (reqtests);
|
|
@@ -620,22 +617,6 @@ static struct ResponseTest {
|
|
{ NULL } }
|
|
},
|
|
|
|
- { "NUL in header name", "760832",
|
|
- "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
|
|
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
|
|
- { { "Foo", "bar" },
|
|
- { NULL }
|
|
- }
|
|
- },
|
|
-
|
|
- { "NUL in header value", "760832",
|
|
- "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
|
|
- SOUP_HTTP_1_1, SOUP_STATUS_OK, "OK",
|
|
- { { "Foo", "bar" },
|
|
- { NULL }
|
|
- }
|
|
- },
|
|
-
|
|
/********************************/
|
|
/*** VALID CONTINUE RESPONSES ***/
|
|
/********************************/
|
|
@@ -768,6 +749,19 @@ static struct ResponseTest {
|
|
{ { NULL }
|
|
}
|
|
},
|
|
+
|
|
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
|
|
+ { "NUL in header name", NULL,
|
|
+ "HTTP/1.1 200 OK\r\nF\x00oo: bar\r\n", 28,
|
|
+ -1, 0, NULL,
|
|
+ { { NULL } }
|
|
+ },
|
|
+
|
|
+ { "NUL in header value", "760832",
|
|
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
|
|
+ -1, 0, NULL,
|
|
+ { { NULL } }
|
|
+ },
|
|
};
|
|
static const int num_resptests = G_N_ELEMENTS (resptests);
|
|
|
|
--
|
|
GitLab
|
|
|