path: root/backport-CVE-2024-10524.patch
From c419542d956a2607bbce5df64b9d378a8588d778 Mon Sep 17 00:00:00 2001
From: Tim Rühsen <tim.ruehsen@gmx.de>
Date: Sun, 27 Oct 2024 19:53:14 +0100
Subject: Fix CVE-2024-10524 (drop support for shorthand URLs)

* doc/wget.texi: Add documentation for removed support for shorthand URLs.
* src/html-url.c (src/html-url.c): Call maybe_prepend_scheme.
* src/main.c (main): Likewise.
* src/retr.c (getproxy): Likewise.
* src/url.c: Rename definition of rewrite_shorthand_url to maybe_prepend_scheme,
  add new function is_valid_port.
* src/url.h: Rename declaration of rewrite_shorthand_url to maybe_prepend_scheme.

Reported-by: Goni Golan <gonig@jfrog.com>
---
 doc/wget.texi  | 12 ++++--------
 src/html-url.c |  2 +-
 src/main.c     |  2 +-
 src/retr.c     |  2 +-
 src/url.c      | 57 ++++++++++++++++++---------------------------------------
 src/url.h      |  2 +-
 6 files changed, 26 insertions(+), 51 deletions(-)

diff --git a/doc/wget.texi b/doc/wget.texi
index 1d026d72..d46da375 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -314,8 +314,8 @@ for text files.  Here is an example:
 ftp://host/directory/file;type=a
 @end example
 
-Two alternative variants of @sc{url} specification are also supported,
-because of historical (hysterical?) reasons and their widespreaded use.
+The two alternative variants of @sc{url} specifications are no longer
+supported because of security considerations:
 
 @sc{ftp}-only syntax (supported by @code{NcFTP}):
 @example
@@ -327,12 +327,8 @@ host:/dir/file
 host[:port]/dir/file
 @end example
 
-These two alternative forms are deprecated, and may cease being
-supported in the future.
-
-If you do not understand the difference between these notations, or do
-not know which one to use, just use the plain ordinary format you use
-with your favorite browser, like @code{Lynx} or @code{Netscape}.
+These two alternative forms have been deprecated long time ago,
+and support is removed with version 1.22.0.
 
 @c man begin OPTIONS
 
diff --git a/src/html-url.c b/src/html-url.c
index 8e960092..99914943 100644
--- a/src/html-url.c
+++ b/src/html-url.c
@@ -932,7 +932,7 @@ get_urls_file (const char *file, bool *read_again)
           url_text = merged;
         }
 
-      new_url = rewrite_shorthand_url (url_text);
+      new_url = maybe_prepend_scheme (url_text);
       if (new_url)
         {
           xfree (url_text);
diff --git a/src/main.c b/src/main.c
index 77b1a0b6..6858d2da 100644
--- a/src/main.c
+++ b/src/main.c
@@ -2126,7 +2126,7 @@ only if outputting to a regular file.\n"));
       struct iri *iri = iri_new ();
       struct url *url_parsed;
 
-      t = rewrite_shorthand_url (argv[optind]);
+      t = maybe_prepend_scheme (argv[optind]);
       if (!t)
         t = argv[optind];
 
diff --git a/src/retr.c b/src/retr.c
index 5422963c..26eb9f17 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -1546,7 +1546,7 @@ getproxy (struct url *u)
 
   /* Handle shorthands.  `rewritten_storage' is a kludge to allow
      getproxy() to return static storage. */
-  rewritten_url = rewrite_shorthand_url (proxy);
+  rewritten_url = maybe_prepend_scheme (proxy);
   if (rewritten_url)
     return rewritten_url;
 
diff --git a/src/url.c b/src/url.c
index 07c3bc87..2f27c48a 100644
--- a/src/url.c
+++ b/src/url.c
@@ -594,60 +594,39 @@ parse_credentials (const char *beg, const char *end, char **user, char **passwd)
   return true;
 }
 
-/* Used by main.c: detect URLs written using the "shorthand" URL forms
-   originally popularized by Netscape and NcFTP.  HTTP shorthands look
-   like this:
-
-   www.foo.com[:port]/dir/file   -> http://www.foo.com[:port]/dir/file
-   www.foo.com[:port]            -> http://www.foo.com[:port]
-
-   FTP shorthands look like this:
-
-   foo.bar.com:dir/file          -> ftp://foo.bar.com/dir/file
-   foo.bar.com:/absdir/file      -> ftp://foo.bar.com//absdir/file
+static bool is_valid_port(const char *p)
+{
+  unsigned port = (unsigned) atoi (p);
+  if (port == 0 || port > 65535)
+    return false;
 
-   If the URL needs not or cannot be rewritten, return NULL.  */
+  int digits = strspn (p, "0123456789");
+  return digits && (p[digits] == '/' || p[digits] == '\0');
+}
 
+/* Prepend "http://" to url if scheme is missing, otherwise return NULL. */
 char *
-rewrite_shorthand_url (const char *url)
+maybe_prepend_scheme (const char *url)
 {
-  const char *p;
-  char *ret;
-
   if (url_scheme (url) != SCHEME_INVALID)
     return NULL;
 
-  /* Look for a ':' or '/'.  The former signifies NcFTP syntax, the
-     latter Netscape.  */
-  p = strpbrk (url, ":/");
+  const char *p = strchr (url, ':');
   if (p == url)
     return NULL;
 
   /* If we're looking at "://", it means the URL uses a scheme we
      don't support, which may include "https" when compiled without
-     SSL support.  Don't bogusly rewrite such URLs.  */
+     SSL support.  Don't bogusly prepend "http://" to such URLs.  */
   if (p && p[0] == ':' && p[1] == '/' && p[2] == '/')
     return NULL;
 
-  if (p && *p == ':')
-    {
-      /* Colon indicates ftp, as in foo.bar.com:path.  Check for
-         special case of http port number ("localhost:10000").  */
-      int digits = strspn (p + 1, "0123456789");
-      if (digits && (p[1 + digits] == '/' || p[1 + digits] == '\0'))
-        goto http;
-
-      /* Turn "foo.bar.com:path" to "ftp://foo.bar.com/path". */
-      if ((ret = aprintf ("ftp://%s", url)) != NULL)
-        ret[6 + (p - url)] = '/';
-    }
-  else
-    {
-    http:
-      /* Just prepend "http://" to URL. */
-      ret = aprintf ("http://%s", url);
-    }
-  return ret;
+  if (p && p[0] == ':' && !is_valid_port (p + 1))
+    return NULL;
+
+
+  fprintf(stderr, "Prepended http:// to '%s'\n", url);
+  return aprintf ("http://%s", url);
 }
 
 static void split_path (const char *, char **, char **);
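Review bot: `is_valid_port` calls `atoi` before checking that the text after the colon is a run of digits, and `atoi` has undefined behaviour when the value does not fit in an `int`; that text comes from the command line, a URL list file or the proxy setting. Scanning the digits first and converting with `strtoul`, which saturates on overflow, gives the same accept/reject results without relying on the unsigned cast, and `size_t` avoids narrowing the `strspn` result. Separately, the unconditional `fprintf(stderr, ...)` in `maybe_prepend_scheme` bypasses wget's logging, so it presumably still prints in quiet mode, is not marked for translation, and echoes the raw URL bytes to the terminal. Routing it through `logprintf` with the URL quoted would match the rest of the code base, assuming the logging and quoting helpers are already visible in url.c.

```c
static bool is_valid_port(const char *p)
{
  /* Check the shape first so the conversion only ever sees decimal digits. */
  size_t digits = strspn (p, "0123456789");
  if (digits == 0 || (p[digits] != '/' && p[digits] != '\0'))
    return false;

  /* strtoul returns ULONG_MAX on overflow, which the range test rejects. */
  unsigned long port = strtoul (p, NULL, 10);
  return port != 0 && port <= 65535;
}

/* … unchanged: maybe_prepend_scheme scheme, "://" and port checks … */
  logprintf (LOG_NOTQUIET, _("Prepended http:// to %s\n"), quote (url));
  return aprintf ("http://%s", url);
```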
diff --git a/src/url.h b/src/url.h
index 2dfbf30b..7796a21c 100644
--- a/src/url.h
+++ b/src/url.h
@@ -128,7 +128,7 @@ char *uri_merge (const char *, const char *);
 
 int mkalldirs (const char *);
 
-char *rewrite_shorthand_url (const char *);
+char *maybe_prepend_scheme (const char *);
 bool schemes_are_similar_p (enum url_scheme a, enum url_scheme b);
 
 bool are_urls_equal (const char *u1, const char *u2);
-- 