SECURITY UPDATE: content injection in http method (CVE-2019-3462)

This fixes a security issue that can be exploited to inject arbritrary debs
or other files into a signed repository as followed:

(1) Server sends a redirect to somewhere%0a<headers for the apt method> (where %0a is
    \n encoded)
(2) apt method decodes the redirect (because the method encodes the URLs before
    sending them out), writting something like
    somewhere\n
    <headers>
    into its output
(3) apt then uses the headers injected for validation purposes.

Regression-Of: c34ea12ad509cb34c954ed574a301c3cbede55ec
LP: #1812353

1 files changed, 6 insertions, 0 deletions

diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc
index ab0908014..bd947209b 100644
--- a/apt-pkg/acquire-method.cc
+++ b/apt-pkg/acquire-method.cc
@@ -458,6 +458,12 @@ void pkgAcqMethod::Status(const char *Format,...)
  * the worker will enqueue again later on to the right queue */
 void pkgAcqMethod::Redirect(const string &NewURI)
 {
+   if (NewURI.find_first_not_of(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~") != std::string::npos)
+   {
+      _error->Error("SECURITY: URL redirect target contains control characters, rejecting.");
+      Fail();
+      return;
+   }
    std::cout << "103 Redirect\nURI: " << Queue->Uri << "\n"
 	     << "New-URI: " << NewURI << "\n"
 	     << "\n" << std::flush;