openGauss-third_party/dependency/libcurl/CVE-2026-3784.patch-代码预览-openGauss-third_party:基于开源生态的数据库依赖编译项目 - AtomGit

lin-qiang123fix: 添加CVE-2026-1965、CVE-2026-3783、CVE-2026-3784安全补丁
From 5f13a7645e565c5c1a06f3ef86e97afb856fb364 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Fri, 6 Mar 2026 14:54:09 +0100
Subject: [PATCH] proxy-auth: fix wrong proxy connection reuse with credentials

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT
to a server, even if the new request uses different credentials for the
HTTP proxy. Fix by adding credential comparison into proxy_info_matches()
and eliminating the now-redundant socks_proxy_info_matches() function.

Closes #20837

Conflict: adapt for curl-7.78.0, logic and structure identical to upstream.
Note: upstream test changes (tests/http/test_13_proxy_auth.py and testenv/curl.py)
are NOT included as curl-7.78.0 does not have the tests/http/ framework.
Reference: https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364
---
 lib/url.c | 29 +++++++----------------------
 1 file changed, 7 insertions(+), 22 deletions(-)

--- curl-7.78.0/lib/url.c	2021-07-19 15:19:57.000000000 +0800
+++ curl-7.78.0-patched/lib/url.c	2026-03-14 00:00:00.000000000 +0800
@@ -920,29 +920,18 @@
 {
   if((data->proxytype == needle->proxytype) &&
      (data->port == needle->port) &&
-     Curl_safe_strcasecompare(data->host.name, needle->host.name))
+     Curl_safe_strcasecompare(data->host.name, needle->host.name)) {
+    /* the user information is case-sensitive
+       or at least it is not defined as case-insensitive
+       see https://tools.ietf.org/html/rfc3986#section-3.2.1 */
+    if(Curl_timestrcmp(data->user, needle->user) ||
+       Curl_timestrcmp(data->passwd, needle->passwd))
+      return FALSE;
     return TRUE;
+  }
 
   return FALSE;
 }
-
-static bool
-socks_proxy_info_matches(const struct proxy_info *data,
-                         const struct proxy_info *needle)
-{
-  if(!proxy_info_matches(data, needle))
-    return FALSE;
-
-  /* the user information is case-sensitive
-     or at least it is not defined as case-insensitive
-     see https://tools.ietf.org/html/rfc3986#section-3.2.1 */
-
-  /* curl_strequal does a case insentive comparison, so do not use it here! */
-  if(Curl_timestrcmp(data->user, needle->user) ||
-     Curl_timestrcmp(data->passwd, needle->passwd))
-    return FALSE;
-  return TRUE;
-}
 #else
 /* disabled, won't get called */
 #define proxy_info_matches(x,y) FALSE
@@ -1256,8 +1245,8 @@
         continue;
 
       if(needle->bits.socksproxy &&
-        !socks_proxy_info_matches(&needle->socks_proxy,
-                                  &check->socks_proxy))
+        !proxy_info_matches(&needle->socks_proxy,
+                            &check->socks_proxy))
         continue;
 #endif
       if(needle->bits.conn_to_host != check->bits.conn_to_host)