CVE-2021-38165.diff 866 B

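--- a/WWW/Library/Implementation/HTTP.c
+++ b/WWW/Library/Implementation/HTTP.c
@@ -764,6 +764,23 @@ static char *StripIpv6Brackets(char *host)
 }
 #endif
+/*
+ * Remove user/password, if any, from the given host-string.
+ */
+#ifdef USE_SSL
+static char *StripUserAuthents(char *host)
+{
+ char *p = strchr(host, '@');
+
+ if (p != NULL) {
+ char *q = host;
+
+ while ((*q++ = *++p) != '\0') ;
+ }
+ return host;
+}
+#endif
+
 /* Load Document from HTTP Server HTLoadHTTP()
 * ==============================
 *
@@ -959,6 +976,7 @@ static int HTLoadHTTP(const char *arg,
 /* get host we're connecting to */
 ssl_host = HTParse(url, "", PARSE_HOST);
 ssl_host = StripIpv6Brackets(ssl_host);
+ ssl_host = StripUserAuthents(ssl_host);
 #if defined(USE_GNUTLS_FUNCS)
 ret = gnutls_server_name_set(handle->gnutls_state,
 GNUTLS_NAME_DNS,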
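Review bot: `strchr(host, '@')` in StripUserAuthents stops at the first '@', so a userinfo part that itself contains an unescaped '@' would leave the tail of the password in `ssl_host`, which the second hunk then passes to `gnutls_server_name_set` as the server name. A host cannot contain '@', so searching from the right is the safer cut: `char *p = strrchr(host, '@');`. The call order in HTLoadHTTP also looks worth checking: StripIpv6Brackets runs first, and if it only recognises a leading '[' (its body is not visible here) a host such as `user@[::1]` would keep its brackets, so calling StripUserAuthents before it may be what is wanted. HTLoadHTTP starts and ends outside the hunk.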