Commit 8d87f7af authored by Kartik Mistry's avatar Kartik Mistry 🇮🇳

Added patch to fix CVE-2019-3500 (Closes: #918058)

parent 003dff4b
......@@ -2,8 +2,11 @@ aria2 (1.34.0-4) unstable; urgency=low
* debian/control:
+ Added Multi-Arch: same for libaria2-0 and libaria2-0-dev.
* Added debian/gitlab-ci.
* Added patch to fix CVE-2019-3500: Metadata and potential password leaks via
--log= (Closes: #918058)
-- Kartik Mistry <kartik@debian.org> Tue, 19 Feb 2019 17:51:05 +0530
-- Kartik Mistry <kartik@debian.org> Thu, 28 Feb 2019 21:06:13 +0530
aria2 (1.34.0-3) unstable; urgency=medium
Description: Patch to fix Metadata and potential password leaks via --log=
Author: Tatsuhiro Tsujikawa
--- a/src/HttpConnection.cc 2018-07-09 20:20:16.255593545 +0530
+++ b/src/HttpConnection.cc 2019-02-28 21:10:04.711258745 +0530
@@ -102,11 +102,17 @@
std::string result;
std::string line;
while (getline(istr, line)) {
- if (util::startsWith(line, "Authorization: Basic")) {
- result += "Authorization: Basic ********\n";
+ if (util::istartsWith(line, "Authorization: ")) {
+ result += "Authorization: <snip>\n";
}
- else if (util::startsWith(line, "Proxy-Authorization: Basic")) {
- result += "Proxy-Authorization: Basic ********\n";
+ else if (util::istartsWith(line, "Proxy-Authorization: ")) {
+ result += "Proxy-Authorization: <snip>\n";
+ }
+ else if (util::istartsWith(line, "Cookie: ")) {
+ result += "Cookie: <snip>\n";
+ }
+ else if (util::istartsWith(line, "Set-Cookie: ")) {
+ result += "Set-Cookie: <snip>\n";
}
else {
result += line;
@@ -154,8 +160,8 @@
const auto& proc = outstandingHttpRequests_.front()->getHttpHeaderProcessor();
if (proc->parse(socketRecvBuffer_->getBuffer(),
socketRecvBuffer_->getBufferLength())) {
- A2_LOG_INFO(
- fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str()));
+ A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_,
+ eraseConfidentialInfo(proc->getHeaderString()).c_str()));
auto result = proc->getResult();
if (result->getStatusCode() / 100 == 1) {
socketRecvBuffer_->drain(proc->getLastBytesProcessed());
CVE-2019-3500.diff
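Review bot: The four redaction checks in the first hunk (`istartsWith(line, "Authorization: ")`, `"Proxy-Authorization: "`, `"Cookie: "`, `"Set-Cookie: "`) only match when exactly one space follows the colon, so a header written as `Set-Cookie:sid=…` or `Cookie:\tsid=…` — legal per RFC 7230, which makes the whitespace after the field name optional — would still reach the log unredacted. This matters more after the second hunk, which now routes received response headers through `eraseConfidentialInfo`, because their formatting is chosen by the server rather than by aria2; headers aria2 builds itself presumably always carry the space, but that is not visible here. Matching on the field name up to the colon closes the gap, e.g. `if (util::istartsWith(line, "Authorization:")) {` and likewise `"Proxy-Authorization:"`, `"Cookie:"`, `"Set-Cookie:"`, while keeping the `<snip>` replacement lines as they are. The enclosing `eraseConfidentialInfo` function starts before the first hunk, and whether the request-side log call already passes through it is outside this view.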