bug-wget

Re: CVE-2021-31879


From: Josef Moellers
Subject: Re: CVE-2021-31879
Date: Fri, 7 May 2021 10:02:17 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1

On 04.05.21 08:59, Josef Moellers wrote:
> Hi,
> 
> I'm currently trying to tackle the CVE about passing credentials to
> redirected servers.
> I wonder if it may be necessary to be able to disable this feature, if
> one trusts the servers, i.e. if some kind of command-line option might be
> necessary.

After having run up and down the wrong alley for a few days (I had been
thinking that these were the "real" credentials, e.g. passed with
"https://user:pass@host/"), I have finally found a solution:

1) initializing "location_changed" to 0 in src/retr.c::retrieve_url()
2) passing the current value of "location_changed" to
src/http.c::http_loop()
3) passing it on to gethttp()
4) preventing setting up any dangerous user header lines (e.g.
"Authorization:", "Cookie:") when "location_changed" is non-0.

An alternative could be to just set up every header as is done now and
THEN discard anything dangerous, i.e. after adding the user headers go
through req->headers[] and throw away any header with name
"Authorization" or "Cookie".

The question remains whether this should be done unconditionally or
whether it should be made configurable, e.g. through a
"--trust-redirections" option.

Thanks,

Josef
-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

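The filtering approach described in the mail above, as an added example that is not wget's code and not code posted by the author: it models the second variant (build every header as usual, then, when the request is the result of a redirect, walk the header table and discard "Authorization" and "Cookie"), with the proposed "--trust-redirections" switch as a flag that disables the filter. All struct and function names, the sample hosts and the sample credentials are assumptions made for this illustration, not identifiers from src/http.c or src/retr.c.

```c
/* Added example, not code from wget or from the mail above. It models the
 * second variant described there: add every header as usual, then, when the
 * request results from a redirect (location_changed != 0), walk the header
 * table and discard "Authorization" and "Cookie". All names used here
 * (struct request, request_add_header, ...) are assumptions for illustration,
 * not identifiers from src/http.c or src/retr.c. */
#include <stdio.h>
#include <string.h>
#include <strings.h>            /* strcasecmp (POSIX) */

#define MAX_HEADERS 16

struct header { const char *name; const char *value; };
struct request { struct header headers[MAX_HEADERS]; int nheaders; };

/* Header names whose values must not be replayed to a redirect target. */
static const char *const sensitive_names[] = { "Authorization", "Cookie", NULL };

static int header_is_sensitive(const char *name)
{
    const char *const *p;
    for (p = sensitive_names; *p != NULL; p++)
        if (strcasecmp(name, *p) == 0)  /* header names are case-insensitive */
            return 1;
    return 0;
}

/* Append a header; returns 0 on success, -1 if the table is full. */
int request_add_header(struct request *req, const char *name, const char *value)
{
    if (req->nheaders >= MAX_HEADERS)
        return -1;
    req->headers[req->nheaders].name = name;
    req->headers[req->nheaders].value = value;
    req->nheaders++;
    return 0;
}

/* Case-insensitive lookup; returns the value, or NULL if absent. */
const char *request_get_header(const struct request *req, const char *name)
{
    int i;
    for (i = 0; i < req->nheaders; i++)
        if (strcasecmp(req->headers[i].name, name) == 0)
            return req->headers[i].value;
    return NULL;
}

/* Drop sensitive headers in place; returns how many were removed. Nothing is
 * removed for the initial request (location_changed == 0) or when the user
 * opted into the hypothetical "--trust-redirections" switch the mail asks about. */
int request_strip_sensitive(struct request *req, int location_changed,
                            int trust_redirections)
{
    int i, kept = 0, removed = 0;

    if (!location_changed || trust_redirections)
        return 0;
    for (i = 0; i < req->nheaders; i++) {
        if (header_is_sensitive(req->headers[i].name)) {
            removed++;
            continue;
        }
        req->headers[kept++] = req->headers[i];  /* compact the table in place */
    }
    req->nheaders = kept;
    return removed;
}

/* Build the request for one hop. The same user-supplied headers are added on
 * every hop; only the post-build filter depends on location_changed.
 * Returns the number of headers stripped for this hop. */
int build_request(struct request *req, const char *host, int location_changed,
                  int trust_redirections)
{
    req->nheaders = 0;
    request_add_header(req, "Host", host);
    request_add_header(req, "User-Agent", "Wget/example");
    /* Constructed sample credentials, as a user might pass with --header. */
    request_add_header(req, "Authorization", "Basic dXNlcjpwYXNz");
    request_add_header(req, "Cookie", "session=abc123");
    return request_strip_sensitive(req, location_changed, trust_redirections);
}

int main(void)
{
    /* Hypothetical hosts: hop 0 is the requested URL, hop 1 the target of a
     * 302 Location: redirect. Credentials appear only in hop 0's output. */
    const char *hosts[2] = { "origin.example", "other.example" };
    struct request req;
    int hop, i;

    for (hop = 0; hop < 2; hop++) {
        int removed = build_request(&req, hosts[hop], hop, 0);
        printf("GET https://%s/ (location_changed=%d, stripped=%d)\n",
               hosts[hop], hop, removed);
        for (i = 0; i < req.nheaders; i++)
            printf("  %s: %s\n", req.headers[i].name, req.headers[i].value);
    }
    return 0;
}
```

The filter runs on every redirect, same-host ones included, which is what the mail proposes when it asks about doing this unconditionally; a narrower policy that compares the redirect target's host with the original's is possible but is not what is shown here. Matching on header names case-insensitively matters because a header added via --header as "authorization:" is the same header on the wire.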