Fix CVE-2019-3500: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3500 https://github.com/aria2/aria2/issues/1329 Patch copied from upstream source repository: https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a From 37368130ca7de5491a75fd18a20c5c5cc641824a Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sat, 5 Jan 2019 09:32:40 +0900 Subject: [PATCH] Mask headers --- src/HttpConnection.cc | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/HttpConnection.cc b/src/HttpConnection.cc index 77cb9d27a..be5b97723 100644 --- a/src/HttpConnection.cc +++ b/src/HttpConnection.cc @@ -102,11 +102,17 @@ std::string HttpConnection::eraseConfidentialInfo(const std::string& request) std::string result; std::string line; while (getline(istr, line)) { - if (util::startsWith(line, "Authorization: Basic")) { - result += "Authorization: Basic ********\n"; + if (util::istartsWith(line, "Authorization: ")) { + result += "Authorization: \n"; } - else if (util::startsWith(line, "Proxy-Authorization: Basic")) { - result += "Proxy-Authorization: Basic ********\n"; + else if (util::istartsWith(line, "Proxy-Authorization: ")) { + result += "Proxy-Authorization: \n"; + } + else if (util::istartsWith(line, "Cookie: ")) { + result += "Cookie: \n"; + } + else if (util::istartsWith(line, "Set-Cookie: ")) { + result += "Set-Cookie: \n"; } else { result += line; @@ -154,8 +160,8 @@ std::unique_ptr HttpConnection::receiveResponse() const auto& proc = outstandingHttpRequests_.front()->getHttpHeaderProcessor(); if (proc->parse(socketRecvBuffer_->getBuffer(), socketRecvBuffer_->getBufferLength())) { - A2_LOG_INFO( - fmt(MSG_RECEIVE_RESPONSE, cuid_, proc->getHeaderString().c_str())); + A2_LOG_INFO(fmt(MSG_RECEIVE_RESPONSE, cuid_, + eraseConfidentialInfo(proc->getHeaderString()).c_str())); auto result = proc->getResult(); if (result->getStatusCode() / 100 == 1) { socketRecvBuffer_->drain(proc->getLastBytesProcessed());