Date:      Wed, 9 May 2007 22:01:05 GMT
From:      Ighighi<ighighi@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/112555: curl reveals too much info in the User-Agent string
Message-ID:  <200705092201.l49M15iB080039@www.freebsd.org>
Resent-Message-ID: <200705092210.l49MA3Hp083684@freefall.freebsd.org>


>Number:         112555
>Category:       ports
>Synopsis:       curl reveals too much info in the User-Agent string
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 09 22:10:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Ighighi
>Release:        6.2-STABLE
>Organization:
>Environment:
FreeBSD orion 6.2-STABLE FreeBSD 6.2-STABLE #1: Sat May  5 10:13:59 VET 2007     root@orion:/usr/obj/usr/src/sys/CUSTOM  i386
>Description:
Currently, curl(1) reveals the following information in the HTTP User-Agent string (the first line of the output from "curl --version" on my system):
curl 7.16.1 (i386-portbld-freebsd6.2) libcurl/7.16.1 OpenSSL/0.9.7m zlib/1.2.3 libidn/0.6.10 libssh2/0.14

The attached patch makes it send "curl 7.16.1" and adds support for the CURL_HTTP_USER_AGENT environment variable.  It could be easily changed to use HTTP_USER_AGENT instead, as is used by fetch(1) / fetch(3), but the following comment found in curl-7.16.1/lib/url.c made me wonder whether fetch(3) should be modified to use different names for some variables that could be set by remote users in CGI scripts, so fetch(1) or any commands using libfetch could be run safely in a CGI environment.

        /*
         * We don't try the uppercase version of HTTP_PROXY because of
         * security reasons:
         *
         * When curl is used in a webserver application
         * environment (cgi or php), this environment variable can
         * be controlled by the web server user by setting the
         * http header 'Proxy:' to some value.
         *
         * This can cause 'internal' http/ftp requests to be
         * arbitrarily redirected by any external attacker.
         */


>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- docs/curl.1.orig	Thu Jan 25 11:58:00 2007
+++ docs/curl.1	Tue May  8 14:08:04 2007
@@ -1286,6 +1286,8 @@
 Default config file, see \fI-K/--config\fP for details.
 
 .SH ENVIRONMENT
+.IP "CURL_HTTP_USER_AGENT
+Sets the User-Agent string to use for HTTP requests.
 .IP "http_proxy [protocol://]<host>[:port]"
 Sets proxy server to use for HTTP.
 .IP "HTTPS_PROXY [protocol://]<host>[:port]"
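Review bot: The added line .IP "CURL_HTTP_USER_AGENT is missing its closing double quote, unlike the neighbouring .IP "http_proxy [protocol://]<host>[:port]" entry; close it so the macro argument is well formed. The entry should also state precedence: the src/main.c hunk reads the variable only when config->useragent is NULL, so say that an explicitly configured user agent wins over the environment variable, and describe what is sent when neither is set.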
--- src/main.c.orig	Sat Jan 27 19:02:18 2007
+++ src/main.c	Tue May  8 15:26:40 2007
@@ -3569,9 +3569,13 @@
     return CURLE_FAILED_INIT;
   }
   if(NULL == config->useragent) {
+    char *s = getenv("CURL_HTTP_USER_AGENT");
+    if (s != NULL)
+       config->useragent = strdup(s);
+  }
+  if(NULL == config->useragent) {
     /* set non-zero default values: */
-    snprintf(useragent, sizeof(useragent),
-             CURL_NAME "/" CURL_VERSION " (" OS ") " "%s", curl_version());
+    snprintf(useragent, sizeof(useragent), CURL_NAME "/" CURL_VERSION);
     config->useragent= useragent;
   }
   else
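Review bot: At the added config->useragent = strdup(s) line the pointer becomes heap memory, while the default branch below still assigns the useragent buffer, so config->useragent can now refer to either kind of storage; state which code owns the copy, or copy the environment value into useragent with snprintf the way the default path does. The new default passes CURL_NAME "/" CURL_VERSION as the format string itself; passing "%s" with that literal as the argument avoids any '%' in the version being interpreted. That default also yields a slash-separated name/version, whereas the description says "curl 7.16.1", and an empty CURL_HTTP_USER_AGENT is accepted as the header value, so decide whether empty should mean unset. The added if (s != NULL) line uses different spacing and indentation from the surrounding if(NULL == ...) style.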

>Release-Note:
>Audit-Trail:
>Unformatted:
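
The CGI concern raised in the description, as an added example (not code from this report, curl or libfetch): a CGI server exports each request header as an HTTP_* variable, so a tool-specific name such as CURL_HTTP_USER_AGENT cannot be set by a request header while HTTP_USER_AGENT can. The helper names and the sample environment are constructed for illustration; GATEWAY_INTERFACE is the standard CGI meta-variable (RFC 3875) used here to detect a CGI process.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RFC 3875 (CGI/1.1): request header "User-Agent" is exported to the
 * script as meta-variable HTTP_USER_AGENT. Returns 0 on success. */
static int cgi_meta_name(const char *header, char *out, size_t outlen)
{
    size_t n = strlen(header);
    if (n + sizeof("HTTP_") > outlen)   /* 5 prefix bytes + n + NUL */
        return -1;
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++)
        out[5 + i] = header[i] == '-' ? '_'
                                      : (char)toupper((unsigned char)header[i]);
    out[5 + n] = '\0';
    return 0;
}

/* Look up name in an environ-style array of "NAME=value" strings. */
static const char *env_get(const char *const envp[], const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Hypothetical policy helper: return the override value, or NULL when the
 * variable is unset, empty, or HTTP_* inside a CGI process (the server sets
 * GATEWAY_INTERFACE), where a request header may have supplied it. */
static const char *safe_override(const char *const envp[], const char *var)
{
    const char *v = env_get(envp, var);
    if (strncmp(var, "HTTP_", 5) == 0 && env_get(envp, "GATEWAY_INTERFACE"))
        return NULL;
    return (v != NULL && *v != '\0') ? v : NULL;
}

int main(void)
{
    /* Constructed CGI environment: the client sent "User-Agent: from-client". */
    const char *const cgi_env[] = { "GATEWAY_INTERFACE=CGI/1.1",
        "HTTP_USER_AGENT=from-client", "CURL_HTTP_USER_AGENT=set-by-admin", NULL };
    const char *a = safe_override(cgi_env, "HTTP_USER_AGENT");
    const char *b = safe_override(cgi_env, "CURL_HTTP_USER_AGENT");
    char name[32];
    if (cgi_meta_name("User-Agent", name, sizeof name) == 0)
        printf("User-Agent header -> %s\n", name);
    printf("HTTP_USER_AGENT -> %s\n", a ? a : "(ignored)");
    printf("CURL_HTTP_USER_AGENT -> %s\n", b ? b : "(ignored)");
    return 0;
}
```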


