File: soup-server-http2-Correct-check-of-the-validity-of-the-co.patch

package info (click to toggle)
libsoup3 3.6.5-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 7,316 kB
  • sloc: ansic: 61,968; python: 202; xml: 97; sh: 84; makefile: 33; javascript: 5
file content (48 lines) | stat: -rw-r--r-- 2,326 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
 
From: Milan Crha <mcrha@redhat.com>
Date: Mon, 28 Apr 2025 10:55:42 +0200
Subject: soup-server-http2: Correct check of the validity of the constructed
 connection URI

RFC 5740: the CONNECT has unset the "scheme" and "path", thus allow them unset.

The commit a792b23ab87cacbf4dd9462bf7b675fa678efbae also missed to decrement
the `io->in_callback` in the early returns.

Related to #429

Origin: upstream, 3.7.0, commit:a792b23ab87cacbf4dd9462bf7b675fa678efbae
Bug: https://gitlab.gnome.org/GNOME/libsoup/-/issues/429
Bug-CVE: https://security-tracker.debian.org/tracker/CVE-2025-32908
Bug-Debian: https://bugs.debian.org/1103265
---
 libsoup/server/http2/soup-server-message-io-http2.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/libsoup/server/http2/soup-server-message-io-http2.c b/libsoup/server/http2/soup-server-message-io-http2.c
index f1fe2d5..913afb4 100644
--- a/libsoup/server/http2/soup-server-message-io-http2.c
+++ b/libsoup/server/http2/soup-server-message-io-http2.c
@@ -771,13 +771,18 @@ on_frame_recv_callback (nghttp2_session     *session,
                 char *uri_string;
                 GUri *uri;
 
-		if (msg_io->scheme == NULL || msg_io->authority == NULL || msg_io->path == NULL)
-			return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
-                uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path);
+                if (msg_io->authority == NULL) {
+                        io->in_callback--;
+                        return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+                }
+                /* RFC 5740: the CONNECT has unset the "scheme" and "path", but the GUri requires the scheme, thus let it be "(null)" */
+                uri_string = g_strdup_printf ("%s://%s%s", msg_io->scheme, msg_io->authority, msg_io->path == NULL ? "" : msg_io->path);
                 uri = g_uri_parse (uri_string, SOUP_HTTP_URI_FLAGS, NULL);
                 g_free (uri_string);
-		if (uri == NULL)
-			return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+                if (uri == NULL) {
+                        io->in_callback--;
+                        return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+                }
                 soup_server_message_set_uri (msg_io->msg, uri);
                 g_uri_unref (uri);