File curl-CVE-2020-8284.patch of Package curl-mini
From 20ceeeeb6df4ad7444d0ac6f080557954e05ec1d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 24 Nov 2020 14:56:57 +0100
Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
The command line tool also independently sets --ftp-skip-pasv-ip by
default.
Ten test cases updated to adapt the modified --libcurl output.
Bug: https://curl.se/docs/CVE-2020-8284.html
CVE-2020-8284
Reported-by: Varnavas Papaioannou
---
docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
lib/url.c | 1 +
src/tool_cfgable.c | 1 +
tests/data/test1400 | 1 +
tests/data/test1401 | 1 +
tests/data/test1402 | 1 +
tests/data/test1403 | 1 +
tests/data/test1404 | 1 +
tests/data/test1405 | 1 +
tests/data/test1406 | 1 +
tests/data/test1407 | 1 +
tests/data/test1420 | 1 +
30
Index: curl-7.66.0/docs/cmdline-opts/ftp-skip-pasv-ip.d
31
===================================================================
32
--- curl-7.66.0.orig/docs/cmdline-opts/ftp-skip-pasv-ip.d
33
+++ curl-7.66.0/docs/cmdline-opts/ftp-skip-pasv-ip.d
34
35
will re-use the same IP address it already uses for the control
36
connection.
37
38
+Since curl 7.74.0 this option is enabled by default.
39
+
40
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
41
Index: curl-7.66.0/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
42
===================================================================
43
--- curl-7.66.0.orig/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
44
+++ curl-7.66.0/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
45
46
.\" * | (__| |_| | _ <| |___
47
.\" * \___|\___/|_| \_\_____|
48
.\" *
49
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
50
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
51
.\" *
52
.\" * This software is licensed as described in the file COPYING, which
53
.\" * you should have received as part of this distribution. The terms
54
55
number from the 227-response.
56
57
This option thus allows libcurl to work around broken server installations
58
-that due to NATs, firewalls or incompetence report the wrong IP address back.
59
+that due to NATs, firewalls or incompetence report the wrong IP address
60
+back. Setting the option also reduces the risk for various sorts of client
61
+abuse by malicious servers.
62
63
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
64
.SH DEFAULT
65
-0
66
+1 since 7.74.0, was 0 before then.
67
.SH PROTOCOLS
68
FTP
69
.SH EXAMPLE
70
Index: curl-7.66.0/lib/url.c
71
===================================================================
72
--- curl-7.66.0.orig/lib/url.c
73
+++ curl-7.66.0/lib/url.c
74
75
set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
76
set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
77
set->ftp_filemethod = FTPFILE_MULTICWD;
78
+ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
79
#endif
80
set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
81
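Review bot: The added `set->ftp_skip_ip = TRUE;` flips a library default in a 7.66.0 tree (per the `Index:` paths), while the man page text added by the same patch says the default is 1 "since 7.74.0". Applications that decide by libcurl version whether to set CURLOPT_FTP_SKIP_PASV_IP themselves will misjudge this build, and any that depend on the address in the 227 response now have to pass `0L` explicitly. I would tie the line to its reason so the default is not reverted later, for example `set->ftp_skip_ip = TRUE; /* CVE-2020-8284: ignore the IP in the PASV reply by default */`, and have the packaged docs mention the backport. The enclosing function starts and ends outside the hunk.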
82
Index: curl-7.66.0/src/tool_cfgable.c
83
===================================================================
84
--- curl-7.66.0.orig/src/tool_cfgable.c
85
+++ curl-7.66.0/src/tool_cfgable.c
86
87
config->tcp_nodelay = TRUE; /* enabled by default */
88
config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
89
config->http09_allowed = FALSE;
90
+ config->ftp_skip_ip = TRUE;
91
}
92
93
static void free_config_fields(struct OperationConfig *config)
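Review bot: `config->ftp_skip_ip = TRUE;` carries no comment, unlike the neighbouring `tcp_nodelay` default, and nothing in the code says that it deliberately duplicates the library default. Per the commit message the tool sets it independently, which presumably keeps the tool protected when it runs against a libcurl that still defaults to 0; a comment such as `/* on by default, independent of the libcurl default (CVE-2020-8284) */` would record that. A side effect visible in the test data is that `--libcurl` output now carries CURLOPT_FTP_SKIP_PASV_IP for SMTP and IMAP transfers too (test1406, test1420), which is harmless but worth knowing when reading generated code. The function's start is outside the hunk.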
94
Index: curl-7.66.0/tests/data/test1400
95
===================================================================
96
--- curl-7.66.0.orig/tests/data/test1400
97
+++ curl-7.66.0/tests/data/test1400
98
99
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
100
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
101
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
102
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
103
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
104
105
/* Here is a list of options the curl code used that cannot get generated
106
Index: curl-7.66.0/tests/data/test1401
107
===================================================================
108
--- curl-7.66.0.orig/tests/data/test1401
109
+++ curl-7.66.0/tests/data/test1401
110
111
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
112
curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
113
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
114
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
115
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
116
curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
117
(long)CURLPROTO_FTP |
118
Index: curl-7.66.0/tests/data/test1402
119
===================================================================
120
--- curl-7.66.0.orig/tests/data/test1402
121
+++ curl-7.66.0/tests/data/test1402
122
123
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
124
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
125
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
126
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
127
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
128
129
/* Here is a list of options the curl code used that cannot get generated
130
Index: curl-7.66.0/tests/data/test1403
131
===================================================================
132
--- curl-7.66.0.orig/tests/data/test1403
133
+++ curl-7.66.0/tests/data/test1403
134
135
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
136
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
137
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
138
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
139
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
140
141
/* Here is a list of options the curl code used that cannot get generated
142
Index: curl-7.66.0/tests/data/test1404
143
===================================================================
144
--- curl-7.66.0.orig/tests/data/test1404
145
+++ curl-7.66.0/tests/data/test1404
146
147
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
148
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
149
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
150
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
151
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
152
153
/* Here is a list of options the curl code used that cannot get generated
154
Index: curl-7.66.0/tests/data/test1405
155
===================================================================
156
--- curl-7.66.0.orig/tests/data/test1405
157
+++ curl-7.66.0/tests/data/test1405
158
159
curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
160
curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
161
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
162
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
163
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
164
165
/* Here is a list of options the curl code used that cannot get generated
166
Index: curl-7.66.0/tests/data/test1406
167
===================================================================
168
--- curl-7.66.0.orig/tests/data/test1406
169
+++ curl-7.66.0/tests/data/test1406
170
171
curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
172
curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
173
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
174
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
175
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
176
curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
177
curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
178
Index: curl-7.66.0/tests/data/test1407
179
===================================================================
180
--- curl-7.66.0.orig/tests/data/test1407
181
+++ curl-7.66.0/tests/data/test1407
182
183
curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
184
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
185
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
186
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
187
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
188
189
/* Here is a list of options the curl code used that cannot get generated
190
Index: curl-7.66.0/tests/data/test1420
191
===================================================================
192
--- curl-7.66.0.orig/tests/data/test1420
193
+++ curl-7.66.0/tests/data/test1420
194
195
curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1");
196
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
197
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
198
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
199
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
200
201
/* Here is a list of options the curl code used that cannot get generated
202