From e9b9bbac22c26cf67316fa8e6c6b9e831af31949 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 15 Nov 2024 11:06:36 +0100 Subject: [PATCH] netrc: address several netrc parser flaws - make sure that a match that returns a username also returns a password, that should be blank if no password is found - fix handling of multiple logins for same host where the password/login order might be reversed. - reject credentials provided in the .netrc if they contain ASCII control codes - if the used protocol does not support such (like HTTP and WS do) Reported-by: Harry Sintonen Add test 478, 479 and 480 to verify. Updated unit 1304. Closes #15586 Changes: - Refresh patch context. - Adjust `%LOGDIR/` to 'log/' due to its absence in code. - Backported only required enum found_state defination from: https://github.com/curl/curl/commit/3b43a05e000aa8f65bda513f733a73fefe35d5ca - Replaces the previous usage of the state_login, state_password, and state_our_login variables with the found_state enum, which includes the values NONE, LOGIN, and PASSWORD. As a result, all conditionals and memory management logic associated with these variables were updated. CVE: CVE-2024-11053 Upstream-Status: Backport [https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af3194] Signed-off-by: Yogita Urade --- lib/netrc.c | 122 ++++++++++++++++++++++------------------ lib/url.c | 59 ++++++++++++------- tests/data/Makefile.inc | 2 +- tests/data/test478 | 73 ++++++++++++++++++++++++ tests/data/test479 | 107 +++++++++++++++++++++++++++++++++++ tests/data/test480 | 38 +++++++++++++ tests/unit/unit1304.c | 75 +++++++----------------- 7 files changed, 347 insertions(+), 129 deletions(-) create mode 100644 tests/data/test478 create mode 100644 tests/data/test479 create mode 100644 tests/data/test480 diff --git a/lib/netrc.c b/lib/netrc.c index cd2a284..64efdc0 100644 --- a/lib/netrc.c +++ b/lib/netrc.c @@ -49,6 +49,15 @@ enum host_lookup_state { MACDEF }; +enum found_state { + NONE, + LOGIN, + PASSWORD +}; + +#define FOUND_LOGIN 1 +#define FOUND_PASSWORD 2 + #define NETRC_FILE_MISSING 1 #define NETRC_FAILED -1 #define NETRC_SUCCESS 0 @@ -59,23 +68,20 @@ enum host_lookup_state { * Returns zero on success. */ static int parsenetrc(const char *host, - char **loginp, + char **loginp, /* might point to a username */ char **passwordp, char *netrcfile) { FILE *file; int retcode = NETRC_FILE_MISSING; char *login = *loginp; - char *password = *passwordp; - bool specific_login = (login && *login != 0); - bool login_alloc = FALSE; - bool password_alloc = FALSE; + char *password = NULL; + bool specific_login = login; /* points to something */ enum host_lookup_state state = NOTHING; - - char state_login = 0; /* Found a login keyword */ - char state_password = 0; /* Found a password keyword */ - int state_our_login = TRUE; /* With specific_login, found *our* login - name (or login-less line) */ + enum found_state keyword = NONE; + unsigned char found = 0; /* login + password found bits, as they can come in + any order */ + bool our_login = FALSE; /* found our login name */ DEBUGASSERT(netrcfile); @@ -97,7 +103,7 @@ static int parsenetrc(const char *host, continue; } tok = netrcbuffer; - while(tok) { + while(tok && !done) { while(ISBLANK(*tok)) tok++; /* tok is first non-space letter */ @@ -156,11 +162,6 @@ static int parsenetrc(const char *host, } } - if((login && *login) && (password && *password)) { - done = TRUE; - break; - } - switch(state) { case NOTHING: if(strcasecompare("macdef", tok)) { @@ -175,6 +176,12 @@ static int parsenetrc(const char *host, after this we need to search for 'login' and 'password'. */ state = HOSTFOUND; + keyword = NONE; + found = 0; + our_login = FALSE; + Curl_safefree(password); + if(!specific_login) + Curl_safefree(login); } else if(strcasecompare("default", tok)) { state = HOSTVALID; @@ -198,48 +205,55 @@ static int parsenetrc(const char *host, break; case HOSTVALID: /* we are now parsing sub-keywords concerning "our" host */ - if(state_login) { + if(keyword == LOGIN) { if(specific_login) { - state_our_login = !Curl_timestrcmp(login, tok); + our_login = !Curl_timestrcmp(login, tok); } - else if(!login || Curl_timestrcmp(login, tok)) { - if(login_alloc) { - free(login); - login_alloc = FALSE; - } + else { + our_login = TRUE; + free(login); login = strdup(tok); if(!login) { retcode = NETRC_FAILED; /* allocation failed */ goto out; } - login_alloc = TRUE; } - state_login = 0; + found |= FOUND_LOGIN; + keyword = NONE; } - else if(state_password) { - if((state_our_login || !specific_login) - && (!password || Curl_timestrcmp(password, tok))) { - if(password_alloc) { - free(password); - password_alloc = FALSE; - } - password = strdup(tok); - if(!password) { - retcode = NETRC_FAILED; /* allocation failed */ - goto out; - } - password_alloc = TRUE; + else if(keyword == PASSWORD) { + free(password); + password = strdup(tok); + if(!password) { + retcode = NETRC_FAILED; /* allocation failed */ + goto out; } - state_password = 0; + found |= FOUND_PASSWORD; + keyword = NONE; } else if(strcasecompare("login", tok)) - state_login = 1; + keyword = LOGIN; else if(strcasecompare("password", tok)) - state_password = 1; + keyword = PASSWORD; else if(strcasecompare("machine", tok)) { - /* ok, there's machine here go => */ + /* a new machine here */ state = HOSTFOUND; - state_our_login = FALSE; + keyword = NONE; + found = 0; + Curl_safefree(password); + if(!specific_login) + Curl_safefree(login); + } + else if(strcasecompare("default", tok)) { + state = HOSTVALID; + retcode = NETRC_SUCCESS; /* we did find our host */ + Curl_safefree(password); + if(!specific_login) + Curl_safefree(login); + } + if((found == (FOUND_PASSWORD|FOUND_LOGIN)) && our_login) { + done = TRUE; + break; } break; } /* switch (state) */ @@ -249,24 +263,22 @@ static int parsenetrc(const char *host, out: Curl_dyn_free(&buf); + if(!retcode && !password && our_login) { + /* success without a password, set a blank one */ + password = strdup(""); + if(!password) + retcode = 1; /* out of memory */ + } if(!retcode) { /* success */ - if(login_alloc) { - if(*loginp) - free(*loginp); + if(!specific_login) *loginp = login; - } - if(password_alloc) { - if(*passwordp) - free(*passwordp); - *passwordp = password; - } + *passwordp = password; } else { - if(login_alloc) + if(!specific_login) free(login); - if(password_alloc) - free(password); + free(password); } fclose(file); } diff --git a/lib/url.c b/lib/url.c index 05431b9..1439c9e 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2699,6 +2699,17 @@ static CURLcode parse_remote_port(struct Curl_easy *data, return CURLE_OK; } +static bool str_has_ctrl(const char *input) +{ + const unsigned char *str = (const unsigned char *)input; + while(*str) { + if(*str < 0x20) + return TRUE; + str++; + } + return FALSE; +} + /* * Override the login details from the URL with that in the CURLOPT_USERPWD * option or a .netrc file, if applicable. @@ -2730,29 +2741,39 @@ static CURLcode override_login(struct Curl_easy *data, if(data->state.aptr.user && (data->state.creds_from != CREDS_NETRC)) { - /* there was a user name in the URL. Use the URL decoded version */ + /* there was a username with a length in the URL. Use the URL decoded + version */ userp = &data->state.aptr.user; url_provided = TRUE; } - ret = Curl_parsenetrc(conn->host.name, - userp, passwdp, - data->set.str[STRING_NETRC_FILE]); - if(ret > 0) { - infof(data, "Couldn't find host %s in the %s file; using defaults", - conn->host.name, - (data->set.str[STRING_NETRC_FILE] ? - data->set.str[STRING_NETRC_FILE] : ".netrc")); - } - else if(ret < 0) { - failf(data, ".netrc parser error"); - return CURLE_READ_ERROR; - } - else { - /* set bits.netrc TRUE to remember that we got the name from a .netrc - file, so that it is safe to use even if we followed a Location: to a - different host or similar. */ - conn->bits.netrc = TRUE; + if(!*passwdp) { + ret = Curl_parsenetrc(conn->host.name, userp, passwdp, + data->set.str[STRING_NETRC_FILE]); + if(ret > 0) { + infof(data, "Couldn't find host %s in the %s file; using defaults", + conn->host.name, + (data->set.str[STRING_NETRC_FILE] ? + data->set.str[STRING_NETRC_FILE] : ".netrc")); + } + else if(ret < 0) { + failf(data, ".netrc parser error"); + return CURLE_READ_ERROR; + } + else { + if(!(conn->handler->flags&PROTOPT_USERPWDCTRL)) { + /* if the protocol can't handle control codes in credentials, make + sure there are none */ + if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) { + failf(data, "control code detected in .netrc credentials"); + return CURLE_READ_ERROR; + } + } + /* set bits.netrc TRUE to remember that we got the name from a .netrc + file, so that it is safe to use even if we followed a Location: to a + different host or similar. */ + conn->bits.netrc = TRUE; + } } if(url_provided) { Curl_safefree(conn->user); diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 03cb6a0..e3508cb 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -73,7 +73,7 @@ test426 test427 test428 test429 test430 test431 test432 test433 test434 \ test435 test436 test437 test438 test439 test440 test441 test442 test443 \ test444 test445 test446 test447 test448 test449 test450 test451 test452 \ test453 test454 test455 test456 test457 test458 test459 test460 test461 \ -test462 test463 test467 test468 \ +test462 test463 test467 test468 test478 test479 test480 \ \ test490 test491 test492 test493 test494 test495 test496 test497 test498 \ test499 test500 test501 test502 test503 test504 test505 test506 test507 \ diff --git a/tests/data/test478 b/tests/data/test478 new file mode 100644 index 0000000..4acc72e --- /dev/null +++ b/tests/data/test478 @@ -0,0 +1,73 @@ + + + + netrc + HTTP + + + # + # Server-side + + + HTTP/1.1 200 OK + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake + Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT + ETag: "21025-dc7-39462498" + Accept-Ranges: bytes + Content-Length: 6 + Connection: close + Content-Type: text/html + Funny-head: yesyes + + -foo- + + + + # + # Client-side + + + http + + + proxy + + + .netrc with multiple accounts for same host + + + --netrc --netrc-file log/netrc%TESTNUMBER -x http://%HOSTIP:%HTTPPORT/ http://debbie@github.com/ + + + + machine github.com + password weird + password firstone + login daniel + + machine github.com + + machine github.com + login debbie + + machine github.com + password weird + password "second\r" + login debbie + + + + + + + GET http://github.com/ HTTP/1.1 + Host: github.com + Authorization: Basic %b64[debbie:second%0D]b64% + User-Agent: curl/%VERSION + Accept: */* + Proxy-Connection: Keep-Alive + + + + diff --git a/tests/data/test479 b/tests/data/test479 new file mode 100644 index 0000000..62a2057 --- /dev/null +++ b/tests/data/test479 @@ -0,0 +1,107 @@ + + + + netrc + HTTP + + + # + # Server-side + + + HTTP/1.1 301 Follow this you fool + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake + Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT + ETag: "21025-dc7-39462498" + Accept-Ranges: bytes + Content-Length: 6 + Connection: close + Location: http://b.com/%TESTNUMBER0002 + + -foo- + + + + HTTP/1.1 200 OK + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake + Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT + ETag: "21025-dc7-39462498" + Accept-Ranges: bytes + Content-Length: 7 + Connection: close + + target + + + + HTTP/1.1 301 Follow this you fool + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake + Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT + ETag: "21025-dc7-39462498" + Accept-Ranges: bytes + Content-Length: 6 + Connection: close + Location: http://b.com/%TESTNUMBER0002 + + HTTP/1.1 200 OK + Date: Tue, 09 Nov 2010 14:49:00 GMT + Server: test-server/fake + Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT + ETag: "21025-dc7-39462498" + Accept-Ranges: bytes + Content-Length: 7 + Connection: close + + target + + + + # + # Client-side + + + http + + + proxy + + + .netrc with redirect and default without password + + + --netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/ + + + + machine a.com + login alice + password alicespassword + + default + login bob + + + + + + + GET http://a.com/ HTTP/1.1 + Host: a.com + Authorization: Basic %b64[alice:alicespassword]b64% + User-Agent: curl/%VERSION + Accept: */* + Proxy-Connection: Keep-Alive + + GET http://b.com/%TESTNUMBER0002 HTTP/1.1 + Host: b.com + Authorization: Basic %b64[bob:]b64% + User-Agent: curl/%VERSION + Accept: */* + Proxy-Connection: Keep-Alive + + + + diff --git a/tests/data/test480 b/tests/data/test480 new file mode 100644 index 0000000..47db7ab --- /dev/null +++ b/tests/data/test480 @@ -0,0 +1,38 @@ + + + + netrc + pop3 + + + # + # Server-side + + + + + # + # Client-side + + + pop3 + + + Reject .netrc with credentials using CRLF for POP3 + + + --netrc --netrc-file log/netrc%TESTNUMBER pop3://%HOSTIP:%POP3PORT/%TESTNUMBER + + + machine %HOSTIP + login alice + password "password\r\ncommand" + + + + + + 26 + + + diff --git a/tests/unit/unit1304.c b/tests/unit/unit1304.c index 0288562..b2b4366 100644 --- a/tests/unit/unit1304.c +++ b/tests/unit/unit1304.c @@ -32,13 +32,8 @@ static char *password; static CURLcode unit_setup(void) { - password = strdup(""); - login = strdup(""); - if(!password || !login) { - Curl_safefree(password); - Curl_safefree(login); - return CURLE_OUT_OF_MEMORY; - } + password = NULL; + login = NULL; return CURLE_OK; } @@ -56,76 +51,48 @@ UNITTEST_START */ result = Curl_parsenetrc("test.example.com", &login, &password, arg); fail_unless(result == 1, "Host not found should return 1"); - abort_unless(password != NULL, "returned NULL!"); - fail_unless(password[0] == 0, "password should not have been changed"); - abort_unless(login != NULL, "returned NULL!"); - fail_unless(login[0] == 0, "login should not have been changed"); + abort_unless(password == NULL, "password did not return NULL!"); + abort_unless(login == NULL, "user did not return NULL!"); /* * Test a non existent login in our netrc file. */ - free(login); - login = strdup("me"); - abort_unless(login != NULL, "returned NULL!"); + login = (char *)"me"; result = Curl_parsenetrc("example.com", &login, &password, arg); fail_unless(result == 0, "Host should have been found"); - abort_unless(password != NULL, "returned NULL!"); - fail_unless(password[0] == 0, "password should not have been changed"); - abort_unless(login != NULL, "returned NULL!"); - fail_unless(strncmp(login, "me", 2) == 0, - "login should not have been changed"); + abort_unless(password == NULL, "password is not NULL!"); /* * Test a non existent login and host in our netrc file. */ - free(login); - login = strdup("me"); - abort_unless(login != NULL, "returned NULL!"); + login = (char *)"me"; result = Curl_parsenetrc("test.example.com", &login, &password, arg); fail_unless(result == 1, "Host not found should return 1"); - abort_unless(password != NULL, "returned NULL!"); - fail_unless(password[0] == 0, "password should not have been changed"); - abort_unless(login != NULL, "returned NULL!"); - fail_unless(strncmp(login, "me", 2) == 0, - "login should not have been changed"); + abort_unless(password == NULL, "password is not NULL!"); /* * Test a non existent login (substring of an existing one) in our * netrc file. */ - free(login); - login = strdup("admi"); - abort_unless(login != NULL, "returned NULL!"); + login = (char *)"admi"; result = Curl_parsenetrc("example.com", &login, &password, arg); fail_unless(result == 0, "Host should have been found"); - abort_unless(password != NULL, "returned NULL!"); - fail_unless(password[0] == 0, "password should not have been changed"); - abort_unless(login != NULL, "returned NULL!"); - fail_unless(strncmp(login, "admi", 4) == 0, - "login should not have been changed"); + abort_unless(password == NULL, "password is not NULL!"); /* * Test a non existent login (superstring of an existing one) * in our netrc file. */ - free(login); - login = strdup("adminn"); - abort_unless(login != NULL, "returned NULL!"); + login = (char *)"adminn"; result = Curl_parsenetrc("example.com", &login, &password, arg); fail_unless(result == 0, "Host should have been found"); - abort_unless(password != NULL, "returned NULL!"); - fail_unless(password[0] == 0, "password should not have been changed"); - abort_unless(login != NULL, "returned NULL!"); - fail_unless(strncmp(login, "adminn", 6) == 0, - "login should not have been changed"); + abort_unless(password == NULL, "password is not NULL!"); /* * Test for the first existing host in our netrc file * with login[0] = 0. */ - free(login); - login = strdup(""); - abort_unless(login != NULL, "returned NULL!"); + login = NULL; result = Curl_parsenetrc("example.com", &login, &password, arg); fail_unless(result == 0, "Host should have been found"); abort_unless(password != NULL, "returned NULL!"); @@ -139,8 +106,9 @@ UNITTEST_START * with login[0] != 0. */ free(password); - password = strdup(""); - abort_unless(password != NULL, "returned NULL!"); + free(login); + password = NULL; + login = NULL; result = Curl_parsenetrc("example.com", &login, &password, arg); fail_unless(result == 0, "Host should have been found"); abort_unless(password != NULL, "returned NULL!"); @@ -154,11 +122,9 @@ UNITTEST_START * with login[0] = 0. */ free(password); - password = strdup(""); - abort_unless(password != NULL, "returned NULL!"); + password = NULL; free(login); - login = strdup(""); - abort_unless(login != NULL, "returned NULL!"); + login = NULL; result = Curl_parsenetrc("curl.example.com", &login, &password, arg); fail_unless(result == 0, "Host should have been found"); abort_unless(password != NULL, "returned NULL!"); @@ -172,8 +138,9 @@ UNITTEST_START * with login[0] != 0. */ free(password); - password = strdup(""); - abort_unless(password != NULL, "returned NULL!"); + free(login); + password = NULL; + login = NULL; result = Curl_parsenetrc("curl.example.com", &login, &password, arg); fail_unless(result == 0, "Host should have been found"); abort_unless(password != NULL, "returned NULL!"); -- 2.40.0