dirmngr: Avoid possible CSRF attacks via http redirects.

* dirmngr/http.h (parsed_uri_s): Add fields off_host and off_path. (http_redir_info_t): New. * dirmngr/http.c (do_parse_uri): Set new fields. (same_host_p): New. (http_prepare_redirect): New. * dirmngr/t-http-basic.c: New test. * dirmngr/ks-engine-hkp.c (send_request): Use http_prepare_redirect instead of the open code. * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. -- With this change a http query will not follow a redirect unless the Location header gives the same host. If the host is different only the host and port is taken from the Location header and the original path and query parts are kept. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-03 22:56:33 +02:00 · 2018-11-22 22:27:56 +01:00 · 2018-11-22 22:27:56 +01:00 · fa1b1eaa42
commit fa1b1eaa42
parent e5c3a6999a
7 changed files with 434 additions and 94 deletions
--- a/dirmngr/http.h
+++ b/dirmngr/http.h
@ -58,6 +58,8 @@ struct parsed_uri_s
  char *auth;           /* username/password for basic auth.  */
  char *host; 	        /* Host (converted to lowercase). */
  unsigned short port;  /* Port (always set if the host is set). */
+  unsigned short off_host; /* Offset to the HOST respective PATH parts  */
+  unsigned short off_path; /* in the original URI buffer.               */
  char *path; 	        /* Path. */
  uri_tuple_t params;	/* ";xxxxx" */
  uri_tuple_t query;	/* "?xxx=yyy" */
@ -100,6 +102,21 @@ typedef struct http_session_s *http_session_t;
 struct http_context_s;
 typedef struct http_context_s *http_t;

+/* An object used to track redirection infos.  */
+struct http_redir_info_s
+{
+  unsigned int redirects_left;   /* Number of still possible redirects.    */
+  const char *orig_url;          /* The original requested URL.            */
+  unsigned int orig_onion:1;     /* Original request was an onion address. */
+  unsigned int orig_https:1;     /* Original request was a http address.   */
+  unsigned int silent:1;         /* No diagnostics.                        */
+  unsigned int allow_downgrade:1;/* Allow a downgrade from https to http.  */
+  unsigned int trust_location:1; /* Trust the received Location header.    */
+};
+typedef struct http_redir_info_s http_redir_info_t;
+
+
+
 /* A TLS verify callback function.  */
 typedef gpg_error_t (*http_verify_cb_t) (void *opaque,
                                         http_t http,
@ -176,5 +193,9 @@ gpg_error_t http_verify_server_credentials (http_session_t sess);
 char *http_escape_string (const char *string, const char *specials);
 char *http_escape_data (const void *data, size_t datalen, const char *specials);

+gpg_error_t http_prepare_redirect (http_redir_info_t *info,
+                                   unsigned int status_code,
+                                   const char *location, char **r_url);
+

 #endif /*GNUPG_COMMON_HTTP_H*/