percent-encoded path separator in URL host
Project curl Security Advisory, May 11 2022
The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved.
For example, a URL like http://example.com%2F10.0.0.1/ would be accepted by the parser and, after percent-decoding the host name, effectively transposed into http://example.com/10.0.0.1/. Any filter or check that inspects the host name as written in the URL sees a different host than the one curl ends up connecting to, so this flaw can be used to circumvent allowlists, denylists and similar checks.
This flaw was introduced in commit 9a8564a920188e, shipped in curl 7.80.0 when curl added support for percent-encoded host names in URLs.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2022-27780 to this issue.
CWE-177: Improper Handling of URL Encoding
- Affected versions: curl 7.80.0 to and including 7.83.0
- Not affected versions: curl < 7.80.0 and curl >= 7.83.1
- Introduced-in: https://github.com/curl/curl/commit/9a8564a920188e
libcurl is used by many applications, but not always advertised as such!
The URL parser now rejects host names that percent-decode into URL separator characters.
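To make both the flaw described above and the fix concrete, here is an added example written for this page; it is not curl's code and does not reproduce curl's parser. It models the two behaviours side by side: the pre-7.83.1 host-name handling, where a percent-decoded separator silently ends the host, and the 7.83.1 handling, where such a host name is rejected. It also shows how the old behaviour bypasses a filter that checks the host as written. The separator set HOST_SEPARATORS is this example's choice, not the exact list curl checks, and the sample URLs are constructed for the demonstration.

```python
"""Added example (not curl's code): model the host-name parsing difference
between curl 7.80.0-7.83.0 and 7.83.1 for CVE-2022-27780, and show how the
old behaviour lets a URL past a filter that inspects the host before decoding."""
import re
from urllib.parse import urlsplit, unquote

# Characters that, once percent-decoded inside the host name, would change the
# URL's structure. This set is an assumption made for the example, not the
# exact list used by curl's fix.
HOST_SEPARATORS = frozenset("/\\?#@")


def raw_host(url):
    """Host name exactly as written in the URL (no percent-decoding), which is
    what a filter built on urllib.parse sees. urlsplit lower-cases it."""
    return urlsplit(url).hostname or ""


def parse_host_vulnerable(url):
    """Model of curl 7.80.0-7.83.0: percent-decode the host name and let the
    first path/query/fragment separator that appears end the host. Everything
    after it becomes path, so the request goes to a different host than the
    one a pre-decoding filter inspected."""
    decoded = unquote(raw_host(url))
    return re.split(r"[/\\?#]", decoded, maxsplit=1)[0]


def parse_host_fixed(url):
    """Model of curl 7.83.1: percent-decode, then refuse any host name whose
    decoded form contains a separator. Returns None for a rejected URL;
    ordinary percent-encoded host names (the 7.80.0 feature) still decode."""
    decoded = unquote(raw_host(url))
    if any(c in HOST_SEPARATORS for c in decoded):
        return None
    return decoded


def allowlist_passes(url, allowed_domain="example.com"):
    """A typical pre-request filter: accept only hosts under allowed_domain,
    judged on the host as written. It never sees the decoded form."""
    host = raw_host(url)
    return host == allowed_domain or host.endswith("." + allowed_domain)


def filter_bypass(url):
    """Return (filter verdict, host the vulnerable model connects to,
    host the fixed model connects to or None if rejected)."""
    return allowlist_passes(url), parse_host_vulnerable(url), parse_host_fixed(url)


if __name__ == "__main__":
    # Constructed inputs: the advisory's example, an internal-address bypass of
    # the allowlist, and a plain URL for comparison.
    for u in ("http://example.com%2F10.0.0.1/",
              "http://10.0.0.1%2Ffoo.example.com/",
              "http://foo.example.com/"):
        print(u, filter_bypass(u))
```

The second constructed URL is the interesting one: the allowlist sees a host ending in ".example.com" and passes it, while the vulnerable model decodes the host to "10.0.0.1" and would send the request there. The fixed model rejects the URL outright, and a host such as "%65xample.com" that decodes to plain "example.com" is still accepted.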
A - Upgrade curl to version 7.83.1
B - Apply the patch to your local version
This issue was reported to the curl project on April 28, 2022. We contacted distros@openwall on May 5.
libcurl 7.83.1 was released on May 11 2022, coordinated with the publication of this advisory.
- Reported-by: Axel Chong
- Patched-by: Daniel Stenberg
Thanks a lot!