diff options
author | Julian Andres Klode <julian.klode@canonical.com> | 2019-01-18 09:13:52 +0100 |
---|---|---|
committer | Julian Andres Klode <julian.klode@canonical.com> | 2019-01-22 19:50:36 +0100 |
commit | c31d65e76810f72c356e381818174bf100605de7 (patch) | |
tree | 91deefa61a51fb765246c0e3e6d19accd545dd50 /apt-pkg/acquire-method.cc | |
parent | 68362f7996f4e72d73b40d61dc821610a1a4a148 (diff) |
SECURITY UPDATE: content injection in http method (CVE-2019-3462)
This fixes a security issue that can be exploited to inject arbritrary debs
or other files into a signed repository as followed:
(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
\n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
sending them out), writting something like
somewhere\n
<headers>
into its output
(3) apt then uses the headers injected for validation purposes.
Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353
(cherry picked from commit 5eb01ec13f3ede4bae5e60eb16bd8cffb7c03e1b)
Diffstat (limited to 'apt-pkg/acquire-method.cc')
-rw-r--r-- | apt-pkg/acquire-method.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc index c9cd48bb6..c67c47ab8 100644 --- a/apt-pkg/acquire-method.cc +++ b/apt-pkg/acquire-method.cc @@ -470,6 +470,12 @@ void pkgAcqMethod::Status(const char *Format,...) * the worker will enqueue again later on to the right queue */ void pkgAcqMethod::Redirect(const string &NewURI) { + if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos) + { + _error->Error("SECURITY: URL redirect target contains control characters, rejecting."); + Fail(); + return; + } std::unordered_map<std::string, std::string> fields; try_emplace(fields, "URI", Queue->Uri); try_emplace(fields, "New-URI", NewURI); |