package/busybox: wget: URL-decode user:password before base64-encoding it into auth hdr (upstream fix)

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@29299 3c298f89-4303-0410-b956-a3cf2f4a3e73

7 files changed, 246 insertions, 9 deletions

diff --git a/package/busybox/Makefile b/package/busybox/Makefile
index 2a92d5731..528631a24 100644
--- a/package/busybox/Makefile
+++ b/package/busybox/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=busybox
 PKG_VERSION:=1.19.3
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 PKG_FLAGS:=essential
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
diff --git a/package/busybox/patches/004-upstream-percent_decode_in_place.patch b/package/busybox/patches/004-upstream-percent_decode_in_place.patch
new file mode 100644
index 000000000..83d68f347
--- /dev/null
+++ b/package/busybox/patches/004-upstream-percent_decode_in_place.patch
@@ -0,0 +1,237 @@
+http://git.busybox.net/busybox/commit/?id=dd1061b6a79b0161597799e825bfefc27993ace5
+
+From dd1061b6a79b0161597799e825bfefc27993ace5 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 11 Sep 2011 21:04:02 +0200
+Subject: [PATCH] wget: URL-decode user:password before base64-encoding it into auth hdr. Closes 3625.
+
+function                                             old     new   delta
+percent_decode_in_place                                -     152    +152
+parse_url                                            304     317     +13
+handle_incoming_and_exit                            2795    2798      +3
+httpd_main                                           763     760      -3
+decodeString                                         152       -    -152
+------------------------------------------------------------------------------
+(add/remove: 2/1 grow/shrink: 2/1 up/down: 168/-155)           Total: 13 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+--- a/include/libbb.h
++++ b/include/libbb.h
+@@ -1570,6 +1570,15 @@ int starts_with_cpu(const char *str) FAS
+ unsigned get_cpu_count(void) FAST_FUNC;
+ 
+ 
++/* Use strict=1 if you process input from untrusted source:
++ * it will return NULL on invalid %xx (bad hex chars)
++ * and str + 1 if decoded char is / or NUL.
++ * In non-strict mode, it always succeeds (returns str),
++ * and also it additionally decoded '+' to space.
++ */
++char *percent_decode_in_place(char *str, int strict) FAST_FUNC;
++
++
+ extern const char bb_uuenc_tbl_base64[];
+ extern const char bb_uuenc_tbl_std[];
+ void bb_uuencode(char *store, const void *s, int length, const char *tbl) FAST_FUNC;
+--- /dev/null
++++ b/libbb/percent_decode.c
+@@ -0,0 +1,69 @@
++/* vi: set sw=4 ts=4: */
++/*
++ * Licensed under GPLv2 or later, see file LICENSE in this source tree.
++ */
++
++//kbuild:lib-y += percent_decode.o
++
++#include "libbb.h"
++
++static unsigned hex_to_bin(unsigned char c)
++{
++	unsigned v;
++
++	v = c - '0';
++	if (v <= 9)
++		return v;
++	/* c | 0x20: letters to lower case, non-letters
++	 * to (potentially different) non-letters */
++	v = (unsigned)(c | 0x20) - 'a';
++	if (v <= 5)
++		return v + 10;
++	return ~0;
++/* For testing:
++void t(char c) { printf("'%c'(%u) %u\n", c, c, hex_to_bin(c)); }
++int main() { t(0x10); t(0x20); t('0'); t('9'); t('A'); t('F'); t('a'); t('f');
++t('0'-1); t('9'+1); t('A'-1); t('F'+1); t('a'-1); t('f'+1); return 0; }
++*/
++}
++
++char* FAST_FUNC percent_decode_in_place(char *str, int strict)
++{
++	/* note that decoded string is always shorter than original */
++	char *src = str;
++	char *dst = str;
++	char c;
++
++	while ((c = *src++) != '\0') {
++		unsigned v;
++
++		if (!strict && c == '+') {
++			*dst++ = ' ';
++			continue;
++		}
++		if (c != '%') {
++			*dst++ = c;
++			continue;
++		}
++		v = hex_to_bin(src[0]);
++		if (v > 15) {
++ bad_hex:
++			if (strict)
++				return NULL;
++			*dst++ = '%';
++			continue;
++		}
++		v = (v * 16) | hex_to_bin(src[1]);
++		if (v > 255)
++			goto bad_hex;
++		if (strict && (v == '/' || v == '\0')) {
++			/* caller takes it as indication of invalid
++			 * (dangerous wrt exploits) chars */
++			return str + 1;
++		}
++		*dst++ = v;
++		src += 2;
++	}
++	*dst = '\0';
++	return str;
++}
+--- a/networking/httpd.c
++++ b/networking/httpd.c
+@@ -820,78 +820,6 @@ static char *encodeString(const char *st
+ }
+ #endif
+ 
+-/*
+- * Given a URL encoded string, convert it to plain ascii.
+- * Since decoding always makes strings smaller, the decode is done in-place.
+- * Thus, callers should xstrdup() the argument if they do not want the
+- * argument modified.  The return is the original pointer, allowing this
+- * function to be easily used as arguments to other functions.
+- *
+- * string    The first string to decode.
+- * option_d  1 if called for httpd -d
+- *
+- * Returns a pointer to the decoded string (same as input).
+- */
+-static unsigned hex_to_bin(unsigned char c)
+-{
+-	unsigned v;
+-
+-	v = c - '0';
+-	if (v <= 9)
+-		return v;
+-	/* c | 0x20: letters to lower case, non-letters
+-	 * to (potentially different) non-letters */
+-	v = (unsigned)(c | 0x20) - 'a';
+-	if (v <= 5)
+-		return v + 10;
+-	return ~0;
+-/* For testing:
+-void t(char c) { printf("'%c'(%u) %u\n", c, c, hex_to_bin(c)); }
+-int main() { t(0x10); t(0x20); t('0'); t('9'); t('A'); t('F'); t('a'); t('f');
+-t('0'-1); t('9'+1); t('A'-1); t('F'+1); t('a'-1); t('f'+1); return 0; }
+-*/
+-}
+-static char *decodeString(char *orig, int option_d)
+-{
+-	/* note that decoded string is always shorter than original */
+-	char *string = orig;
+-	char *ptr = string;
+-	char c;
+-
+-	while ((c = *ptr++) != '\0') {
+-		unsigned v;
+-
+-		if (option_d && c == '+') {
+-			*string++ = ' ';
+-			continue;
+-		}
+-		if (c != '%') {
+-			*string++ = c;
+-			continue;
+-		}
+-		v = hex_to_bin(ptr[0]);
+-		if (v > 15) {
+- bad_hex:
+-			if (!option_d)
+-				return NULL;
+-			*string++ = '%';
+-			continue;
+-		}
+-		v = (v * 16) | hex_to_bin(ptr[1]);
+-		if (v > 255)
+-			goto bad_hex;
+-		if (!option_d && (v == '/' || v == '\0')) {
+-			/* caller takes it as indication of invalid
+-			 * (dangerous wrt exploits) chars */
+-			return orig + 1;
+-		}
+-		*string++ = v;
+-		ptr += 2;
+-	}
+-	*string = '\0';
+-	return orig;
+-}
+-
+ #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
+ /*
+  * Decode a base64 data stream as per rfc1521.
+@@ -1949,7 +1877,7 @@ static void handle_incoming_and_exit(con
+ 	}
+ 
+ 	/* Decode URL escape sequences */
+-	tptr = decodeString(urlcopy, 0);
++	tptr = percent_decode_in_place(urlcopy, /*strict:*/ 1);
+ 	if (tptr == NULL)
+ 		send_headers_and_exit(HTTP_BAD_REQUEST);
+ 	if (tptr == urlcopy + 1) {
+@@ -2408,7 +2336,7 @@ int httpd_main(int argc UNUSED_PARAM, ch
+ 			, &verbose
+ 		);
+ 	if (opt & OPT_DECODE_URL) {
+-		fputs(decodeString(url_for_decode, 1), stdout);
++		fputs(percent_decode_in_place(url_for_decode, /*strict:*/ 0), stdout);
+ 		return 0;
+ 	}
+ #if ENABLE_FEATURE_HTTPD_ENCODE_URL_STR
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -298,8 +298,13 @@ static void parse_url(const char *src_ur
+ 
+ 	sp = strrchr(h->host, '@');
+ 	if (sp != NULL) {
+-		h->user = h->host;
++		// URL-decode "user:password" string before base64-encoding:
++		// wget http://test:my%20pass@example.com should send
++		// Authorization: Basic dGVzdDpteSBwYXNz
++		// which decodes to "test:my pass".
++		// Standard wget and curl do this too.
+ 		*sp = '\0';
++		h->user = percent_decode_in_place(h->host, /*strict:*/ 0);
+ 		h->host = sp + 1;
+ 	}
+ 
+@@ -660,12 +665,6 @@ static void download_one_url(const char 
+ 
+ #if ENABLE_FEATURE_WGET_AUTHENTICATION
+ 		if (target.user) {
+-//TODO: URL-decode "user:password" string before base64-encoding:
+-//wget http://test:my%20pass@example.com should send
+-// Authorization: Basic dGVzdDpteSBwYXNz
+-//which decodes to "test:my pass", instead of what we send now:
+-// Authorization: Basic dGVzdDpteSUyMHBhc3M=
+-//Can reuse decodeString() from httpd.c
+ 			fprintf(sfp, "Proxy-Authorization: Basic %s\r\n"+6,
+ 				base64enc(target.user));
+ 		}
diff --git a/package/busybox/patches/110-wget_getopt_fix.patch b/package/busybox/patches/110-wget_getopt_fix.patch
index e679870b9..52b9d94be 100644
--- a/package/busybox/patches/110-wget_getopt_fix.patch
+++ b/package/busybox/patches/110-wget_getopt_fix.patch
@@ -1,6 +1,6 @@
 --- a/networking/wget.c
 +++ b/networking/wget.c
-@@ -872,7 +872,7 @@ int wget_main(int argc UNUSED_PARAM, cha
+@@ -871,7 +871,7 @@ int wget_main(int argc UNUSED_PARAM, cha
  		/* Ignored: */
  		// "tries\0"            Required_argument "t"
  		/* Ignored (we always use PASV): */
diff --git a/package/busybox/patches/310-passwd_access.patch b/package/busybox/patches/310-passwd_access.patch
index 6d0affd16..b995599de 100644
--- a/package/busybox/patches/310-passwd_access.patch
+++ b/package/busybox/patches/310-passwd_access.patch
@@ -3,7 +3,7 @@
 
 --- a/networking/httpd.c
 +++ b/networking/httpd.c
-@@ -1772,21 +1772,32 @@ static int check_user_passwd(const char 
+@@ -1700,21 +1700,32 @@ static int check_user_passwd(const char 
  
  		if (ENABLE_FEATURE_HTTPD_AUTH_MD5) {
  			char *md5_passwd;
diff --git a/package/busybox/patches/350-httpd_redir.patch b/package/busybox/patches/350-httpd_redir.patch
index d5f64e332..11125e71f 100644
--- a/package/busybox/patches/350-httpd_redir.patch
+++ b/package/busybox/patches/350-httpd_redir.patch
@@ -35,7 +35,7 @@
  #define last_mod          (G.last_mod         )
  #define ip_a_d            (G.ip_a_d           )
  #define g_realm           (G.g_realm          )
-@@ -1028,8 +1035,11 @@ static void send_headers(int responseNum
+@@ -956,8 +963,11 @@ static void send_headers(int responseNum
  	}
  #endif
  	if (responseNum == HTTP_MOVED_TEMPORARILY) {
@@ -48,7 +48,7 @@
  				(g_query ? "?" : ""),
  				(g_query ? g_query : ""));
  	}
-@@ -1997,8 +2007,12 @@ static void handle_incoming_and_exit(con
+@@ -1925,8 +1935,12 @@ static void handle_incoming_and_exit(con
  	} while (*++tptr);
  	*++urlp = '\0';       /* terminate after last character */
  
@@ -62,7 +62,7 @@
  		if (is_directory(urlcopy + 1, 1, NULL)) {
  			found_moved_temporarily = urlcopy;
  		}
-@@ -2355,7 +2369,9 @@ static void sighup_handler(int sig UNUSE
+@@ -2283,7 +2297,9 @@ static void sighup_handler(int sig UNUSE
  }
  
  enum {
@@ -73,7 +73,7 @@
  	d_opt_decode_url,
  	h_opt_home_httpd,
  	IF_FEATURE_HTTPD_ENCODE_URL_STR(e_opt_encode_url,)
-@@ -2404,12 +2420,13 @@ int httpd_main(int argc UNUSED_PARAM, ch
+@@ -2332,12 +2348,13 @@ int httpd_main(int argc UNUSED_PARAM, ch
  	/* We do not "absolutize" path given by -h (home) opt.
  	 * If user gives relative path in -h,
  	 * $SCRIPT_FILENAME will not be set. */
diff --git a/package/busybox/patches/410-httpd_cgi_headers.patch b/package/busybox/patches/410-httpd_cgi_headers.patch
index 7cc4f936a..b02a5b9d7 100644
--- a/package/busybox/patches/410-httpd_cgi_headers.patch
+++ b/package/busybox/patches/410-httpd_cgi_headers.patch
@@ -1,6 +1,6 @@
 --- a/networking/httpd.c
 +++ b/networking/httpd.c
-@@ -1294,10 +1294,10 @@ static NOINLINE void cgi_io_loop_and_exi
+@@ -1222,10 +1222,10 @@ static NOINLINE void cgi_io_loop_and_exi
  						if (full_write(STDOUT_FILENO, HTTP_200, sizeof(HTTP_200)-1) != sizeof(HTTP_200)-1)
  							break;
  					}
diff --git a/package/busybox/patches/440-httpd_chdir.patch b/package/busybox/patches/440-httpd_chdir.patch
index da069f6ff..401c6eb5d 100644
--- a/package/busybox/patches/440-httpd_chdir.patch
+++ b/package/busybox/patches/440-httpd_chdir.patch
@@ -1,6 +1,6 @@
 --- a/networking/httpd.c
 +++ b/networking/httpd.c
-@@ -1886,6 +1886,7 @@ static void handle_incoming_and_exit(con
+@@ -1814,6 +1814,7 @@ static void handle_incoming_and_exit(con
  	char *header_ptr = header_ptr;
  	Htaccess_Proxy *proxy_entry;
  #endif