From 4a4bb874f63741026bd26264c43bb32b1099f060 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 22 Nov 2018 22:27:56 +0100
Subject: dirmngr: Avoid possible CSRF attacks via http redirects.

* dirmngr/http.h (parsed_uri_s): Add fields off_host and off_path.
(http_redir_info_t): New.
* dirmngr/http.c (do_parse_uri): Set new fields.
(same_host_p): New.
(http_prepare_redirect): New.
* dirmngr/t-http-basic.c: New test.
* dirmngr/ks-engine-hkp.c (send_request): Use http_prepare_redirect
instead of the open code.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
--

With this change a http query will not follow a redirect unless the
Location header gives the same host.  If the host is different only
the host and port is taken from the Location header and the original
path and query parts are kept.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit fa1b1eaa4241ff3f0634c8bdf8591cbc7c464144)
---
 dirmngr/t-http.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'dirmngr/t-http.c')

diff --git a/dirmngr/t-http.c b/dirmngr/t-http.c
index 440633db4..3cf08ada2 100644
--- a/dirmngr/t-http.c
+++ b/dirmngr/t-http.c
@@ -394,9 +394,9 @@ main (int argc, char **argv)
   else
     {
       printf ("Auth  : %s\n", uri->auth? uri->auth:"[none]");
-      printf ("Host  : %s\n", uri->host);
+      printf ("Host  : %s (off=%hu)\n", uri->host, uri->off_host);
       printf ("Port  : %u\n", uri->port);
-      printf ("Path  : %s\n", uri->path);
+      printf ("Path  : %s (off=%hu)\n", uri->path, uri->off_path);
       for (r = uri->params; r; r = r->next)
         {
           printf ("Params: %s", r->name);
-- 
cgit v1.2.3