diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch')
| -rw-r--r-- | meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch new file mode 100644 index 0000000000..4afd755149 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch @@ -0,0 +1,86 @@ +Backport of: + +From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 21 Sep 2020 09:15:51 +0200 +Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy" + +When using HTTPS proxy, SSL is used but not in the view of the FTP +protocol handler itself so separate the connection's use of SSL from the +FTP control connection's sue. + +Reported-by: Mingtao Yang +Fixes #5523 +Closes #6006 + +Upstream-Status: backport from 7.68.0-1ubuntu2.7 +Signed-off-by: Mike Crowe <mac@mcrowe.com> +--- + lib/ftp.c | 13 ++++++------- + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index 3382772..677527f 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn) + { + CURLcode result = CURLE_OK; + +- if(conn->ssl[FIRSTSOCKET].use) { ++ if(conn->bits.ftp_use_control_ssl) { + /* PBSZ = PROTECTION BUFFER SIZE. + + The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says: +@@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) + } + #endif + +- if(data->set.use_ssl && +- (!conn->ssl[FIRSTSOCKET].use || +- (conn->bits.proxy_ssl_connected[FIRSTSOCKET] && +- !conn->proxy_ssl[FIRSTSOCKET].use))) { +- /* We don't have a SSL/TLS connection yet, but FTPS is ++ if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) { ++ /* We don't have a SSL/TLS control connection yet, but FTPS is + requested. Try a FTPS connection now */ + + ftpc->count3 = 0; +@@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) + result = Curl_ssl_connect(conn, FIRSTSOCKET); + if(!result) { + conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */ ++ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */ + result = ftp_state_user(conn); + } + } +@@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn) + * + */ + static CURLcode ftp_connect(struct connectdata *conn, +- bool *done) /* see description above */ ++ bool *done) /* see description above */ + { + CURLcode result; + struct ftp_conn *ftpc = &conn->proto.ftpc; +@@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn, + result = Curl_ssl_connect(conn, FIRSTSOCKET); + if(result) + return result; ++ conn->bits.ftp_use_control_ssl = TRUE; + } + + Curl_pp_init(pp); /* init the generic pingpong data */ +diff --git a/lib/urldata.h b/lib/urldata.h +index ff2d686..d1fb4a9 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -461,6 +461,7 @@ struct ConnectBits { + EPRT doesn't work we disable it for the forthcoming + requests */ + BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */ ++ BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */ + #endif + BIT(netrc); /* name+password provided by netrc */ + BIT(userpwd_in_url); /* name+password found in url */ |