100-CVE-2017-2629.patch 1.2 KB

  1. From a00a42b4abe8363a46071bb3b43b1b7138f5259b Mon Sep 17 00:00:00 2001
  2. From: Daniel Stenberg <daniel@haxx.se>
  3. Date: Sun, 22 Jan 2017 18:11:55 +0100
  4. Subject: [PATCH] TLS: make SSL_VERIFYSTATUS work again
  5. The CURLOPT_SSL_VERIFYSTATUS option was not properly handled by libcurl
  6. and thus even if the status couldn't be verified, the connection would
  7. be allowed and the user would not be told about the failed verification.
  8. Regression since cb4e2be7c6d42ca
  9. CVE-2017-2629
  10. Bug: https://curl.haxx.se/docs/adv_20170222.html
  11. Reported-by: Marcus Hoffmann
  12. ---
  13. lib/url.c | 3 +++
  14. 1 file changed, 3 insertions(+)
  15. --- a/lib/url.c
  16. +++ b/lib/url.c
  17. @@ -4141,8 +4141,11 @@ static struct connectdata *allocate_conn
  18. conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
  19. conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
  20. + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
  21. conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
  22. conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
  23. + conn->proxy_ssl_config.verifystatus =
  24. + data->set.proxy_ssl.primary.verifystatus;
  25. conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
  26. conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;