[pkg-lynx-maint] Bug#991971: [oss-security] Re: [Lynx-dev] bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)

Sat Aug 7 15:17:55 BST 2021

Hi,

On Sat, 7 Aug 2021, Thorsten Glaser wrote:

> Axel Beckert dixit:
>
>> This is more severe than it initially looked like: Due to TLS Server
>> Name Indication (SNI) the hostname as parsed by Lynx (i.e with
>> "user:pass@" included) is sent in _clear_ text over the wire even
>
> I *ALWAYS* SAID SNI IS A SHIT THING ONLY USED AS BAD EXCUSE FOR NAT
> BY PEOPLE WHO ARE TOO STUPID TO CONFIGURE THEIR SERVERS RIGHT AND AS
> BAD EXCUSE FOR LACKING IPv6 SUPPORT, AND THEN THE FUCKING IDIOTS WENT
> AND MADE SNI *MANDATORY* FOR TLSv1.3, AND I FEEL *SO* VINDICATED RIGHT
> NOW! IDIOTS IN CHARGE OF SECURITY, FUCKING IDIOTS…

It turns out SNI is only marginally related to this issue.  The issue 
itself is far more severe: HTParse() does not understand the authn part of 
the URI at all.  And so, when you call:

   HTParse("https://foo:bar@example.com", "", PARSE_HOST)

It returns:

   foo:bar at example.com

Which is then handed directly to SSL_set_tlsext_host_name() or 
gnutls_server_name_set().  But it will also leak in the Host: header on 
unencrypted connections, and also probably SSL ones too.

As a workaround, I taught HTParse() how to parse the authn part of URIs, 
but Lynx itself needs to actually properly support the authn part really.

I have attached the patch Alpine is using to work around this infoleak.

Ariadne
-------------- next part --------------

--- lynx2.8.9rel.1.orig/WWW/Library/Implementation/HTParse.c
+++ lynx2.8.9rel.1/WWW/Library/Implementation/HTParse.c
@@ -31,6 +31,7 @@
 
 struct struct_parts {
     char *access;
+    char *auth;
     char *host;
     char *absolute;
     char *relative;
@@ -121,6 +122,18 @@
     }
 
     /*
+     * Scan left-to-right for an authentication username/password combination (auth).
+     */
+    for (p = after_access; *p; p++) {
+       if (*p == '@') {
+           parts->auth = after_access;
+           *p = '\0';
+           after_access = (p + 1); /* advance base pointer forward */
+           break;
+       }
+    }
+
+    /*
      * Scan left-to-right for a fragment (anchor).
      */
     for (p = after_access; *p; p++) {
@@ -135,10 +148,14 @@
      * Scan left-to-right for a host or absolute path.
      */
     p = after_access;
-    if (*p == '/') {
-	if (p[1] == '/') {
-	    parts->host = (p + 2);	/* host has been specified    */
-	    *p = '\0';		/* Terminate access           */
+    if (*p == '/' || parts->auth) {
+	if (p[1] == '/' || parts->auth) {
+            if (!parts->auth) {
+	         parts->host = (p + 2);	/* host has been specified    */
+	         *p = '\0';		/* Terminate access           */
+            } else {
+                parts->host = p;
+            }
 	    p = StrChr(parts->host, '/');	/* look for end of host name if any */
 	    if (p != NULL) {
 		*p = '\0';	/* Terminate host */
