From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 19 Dec 2022 08:36:55 +0100 Subject: [PATCH] http: use the IDN decoded name in HSTS checks Otherwise it stores the info HSTS into the persistent cache for the IDN name which will not match when the HSTS status is later checked for using the decoded name. Reported-by: Hiroki Kurosawa Closes #10111 CVE: CVE-2022-43551 Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd050481c4320f046bebb1bc28] Signed-off-by: Ranjitsinh Rathod Comments: Hunk refresh to remove patch-fuzz warning --- lib/http.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/http.c b/lib/http.c index 85528a2218eee..a784745a8d505 100644 --- a/lib/http.c +++ b/lib/http.c @@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) && (conn->handler->flags & PROTOPT_SSL)) { CURLcode check = - Curl_hsts_parse(data->hsts, data->state.up.hostname, + Curl_hsts_parse(data->hsts, conn->host.name, headp + strlen("Strict-Transport-Security:")); if(check) infof(data, "Illegal STS header skipped");
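Review bot: the replaced argument in the Curl_hsts_parse() call inside Curl_http_header() carries no comment explaining why conn->host.name is the right key, and the diffstat touches only lib/http.c, so the fix ships without a regression test. The commit message states that the name stored in the persistent HSTS cache must be the same decoded form used when the HSTS status is checked later. A one-line comment above the call stating that invariant would help keep a later cleanup from switching back to data->state.up.hostname. A test should accompany it that receives a Strict-Transport-Security header from an IDN host and then confirms that the later HSTS check for that host matches the stored entry. It would also be worth confirming in review that every other place that reads or writes the HSTS cache uses the same decoded name, since only this one call site is visible here.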