OSSL_HTTP_adapt_proxy(): fix handling of escaped IPv6 host addresses and of whitespace in no_proxy

Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25010)
2024-08-01 21:33:18 +02:00 · 2024-08-01 21:33:18 +02:00 · fe004a09ac
commit fe004a09ac
parent 1c90d36ab1
2 changed files with 21 additions and 3 deletions
--- a/crypto/http/http_lib.c
+++ b/crypto/http/http_lib.c
@ -14,6 +14,13 @@
 #include <openssl/bio.h> /* for BIO_snprintf() */
 #include <openssl/err.h>
 #include "internal/cryptlib.h" /* for ossl_assert() */
+#ifndef OPENSSL_NO_SOCK
+# include "internal/bio_addr.h" /* for NI_MAXHOST */
+#endif
+#ifndef NI_MAXHOST
+# define NI_MAXHOST 255
+#endif
+#include "crypto/ctype.h" /* for ossl_isspace() */

 static void init_pstring(char **pstr)
 {
@ -251,10 +258,17 @@ static int use_proxy(const char *no_proxy, const char *server)
 {
    size_t sl;
    const char *found = NULL;
+    char host[NI_MAXHOST];

    if (!ossl_assert(server != NULL))
        return 0;
    sl = strlen(server);
+    if (sl >= 2 && sl < sizeof(host) + 2 && server[0] == '[' && server[sl - 1] == ']') {
+        /* strip leading '[' and trailing ']' from escaped IPv6 address */
+        sl -= 2;
+        strncpy(host, server + 1, sl);
+        server = host;
+    }

    /*
     * using environment variable names, both lowercase and uppercase variants,
@ -268,8 +282,8 @@ static int use_proxy(const char *no_proxy, const char *server)
    if (no_proxy != NULL)
        found = strstr(no_proxy, server);
    while (found != NULL
-           && ((found != no_proxy && found[-1] != ' ' && found[-1] != ',')
-               || (found[sl] != '\0' && found[sl] != ' ' && found[sl] != ',')))
+           && ((found != no_proxy && !ossl_isspace(found[-1]) && found[-1] != ',')
+               || (found[sl] != '\0' && !ossl_isspace(found[sl]) && found[sl] != ',')))
        found = strstr(found + 1, server);
    return found == NULL;
 }
--- a/doc/man3/OSSL_HTTP_parse_url.pod
+++ b/doc/man3/OSSL_HTTP_parse_url.pod
@ -42,8 +42,12 @@ take any further default value from the C<HTTP_PROXY>
 environment variable, or from C<HTTPS_PROXY> if I<use_ssl> is nonzero.
 If I<no_proxy> is NULL, take any default exclusion value from the C<no_proxy>
 environment variable, or else from C<NO_PROXY>.
-Return the determined proxy hostname unless the exclusion contains I<server>.
+Return the determined proxy host unless the exclusion value,
+which is a list of proxy hosts separated by C<,> and/or whitespace,
+contains I<server>.
 Otherwise return NULL.
+In case I<server> is a string enclosed with C<[> and C<]>, it is assumed to be
+an escaped IPv6 address and so the C<[> and C<]> are ignored for the comparison.

 OSSL_parse_url() parses its input string I<url> as a URL of the form
 C<[scheme://][userinfo@]host[:port][/path][?query][#fragment]> and splits it up