grub2/0220-http-Prepend-prefix-when-the-HTTP-path-is-relative-a.patch
Peter Jones 47cf63735c "Minor" bug fixes
Resolves: CVE-2020-10713
Resolves: CVE-2020-14308
Resolves: CVE-2020-14309
Resolves: CVE-2020-14310
Resolves: CVE-2020-14311
Resolves: CVE-2020-15705
Resolves: CVE-2020-15706
Resolves: CVE-2020-15707

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-08-10 22:02:39 -04:00

55 lines
1.7 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 2 Jun 2020 13:25:01 +0200
Subject: [PATCH] http: Prepend prefix when the HTTP path is relative as done
in efi/http
There are two different HTTP drivers that can be used when requesting an
HTTP resource: the efi/http that uses the EFI_HTTP_PROTOCOL and the http
that uses GRUB's HTTP and TCP/IP implementation.
The efi/http driver appends a prefix that is defined in the variable
http_path, but the http driver doesn't.
So using this driver and attempting to fetch a resource using a relative
path fails.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
grub-core/net/http.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/grub-core/net/http.c b/grub-core/net/http.c
index b52b558d631..598961afbb5 100644
--- a/grub-core/net/http.c
+++ b/grub-core/net/http.c
@@ -26,6 +26,7 @@
#include <grub/dl.h>
#include <grub/file.h>
#include <grub/i18n.h>
+#include <grub/env.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -501,13 +502,20 @@ http_open (struct grub_file *file, const char *filename)
{
grub_err_t err;
struct http_data *data;
+ const char *http_path;
data = grub_zalloc (sizeof (*data));
if (!data)
return grub_errno;
file->size = GRUB_FILE_SIZE_UNKNOWN;
- data->filename = grub_strdup (filename);
+ /* If path is relative, prepend http_path */
+ http_path = grub_env_get ("http_path");
+ if (http_path && filename[0] != '/')
+ data->filename = grub_xasprintf ("%s/%s", http_path, filename);
+ else
+ data->filename = grub_strdup (filename);
+
if (!data->filename)
{
grub_free (data);