transfer: strip credentials from the auto-referer header field

CVE-2021-22876

Patch taken from Ubuntu curl 7.68.0-1ubuntu2.5.

Bug: https://curl.se/docs/CVE-2021-22876.html
Upstream-Status: backport
---
 lib/transfer.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/lib/transfer.c b/lib/transfer.c
index e76834eb3..744e1c00b 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1570,6 +1570,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
       data->set.followlocation++; /* count location-followers */
 
       if(data->set.http_auto_referer) {
+        CURLU *u;
+        char *referer;
+
         /* We are asked to automatically set the previous URL as the referer
            when we get the next URL. We pick the ->url field, which may or may
            not be 100% correct */
@@ -1579,9 +1582,27 @@ CURLcode Curl_follow(struct Curl_easy *data,
           data->change.referer_alloc = FALSE;
         }
 
-        data->change.referer = strdup(data->change.url);
-        if(!data->change.referer)
+        /* Make a copy of the URL without crenditals and fragment */
+        u = curl_url();
+        if(!u)
+          return CURLE_OUT_OF_MEMORY;
+
+        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
+        if(!uc)
+          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
+        if(!uc)
+          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
+
+        curl_url_cleanup(u);
+
+        if(uc || referer == NULL)
           return CURLE_OUT_OF_MEMORY;
+
+        data->change.referer = referer;
         data->change.referer_alloc = TRUE; /* yes, free this later */
       }
     }
-- 
2.20.1