|
| 1 | +From 11d1dffc2525be8ec078bfb0af61e02c0abfda0f Mon Sep 17 00:00:00 2001 |
| 2 | +From: Balakumaran Kannan <kumaran.4353@gmail.com> |
| 3 | +Date: Thu, 1 Aug 2024 08:17:06 +0000 |
| 4 | +Subject: [PATCH] Patch CVE-2024-6104 |
| 5 | + |
| 6 | +--- |
| 7 | + .../hashicorp/go-retryablehttp/client.go | 26 ++++++++++++++----- |
| 8 | + 1 file changed, 20 insertions(+), 6 deletions(-) |
| 9 | + |
| 10 | +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go |
| 11 | +index 7bfa759..aead5e1 100644 |
| 12 | +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go |
| 13 | ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go |
| 14 | +@@ -467,9 +467,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { |
| 15 | + if logger != nil { |
| 16 | + switch v := logger.(type) { |
| 17 | + case Logger: |
| 18 | +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) |
| 19 | ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) |
| 20 | + case LeveledLogger: |
| 21 | +- v.Debug("performing request", "method", req.Method, "url", req.URL) |
| 22 | ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) |
| 23 | + } |
| 24 | + } |
| 25 | + |
| 26 | +@@ -516,9 +516,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { |
| 27 | + if err != nil { |
| 28 | + switch v := logger.(type) { |
| 29 | + case Logger: |
| 30 | +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) |
| 31 | ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) |
| 32 | + case LeveledLogger: |
| 33 | +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) |
| 34 | ++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) |
| 35 | + } |
| 36 | + } else { |
| 37 | + // Call this here to maintain the behavior of logging all requests, |
| 38 | +@@ -558,7 +558,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { |
| 39 | + } |
| 40 | + |
| 41 | + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) |
| 42 | +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) |
| 43 | ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) |
| 44 | + if code > 0 { |
| 45 | + desc = fmt.Sprintf("%s (status: %d)", desc, code) |
| 46 | + } |
| 47 | +@@ -590,7 +590,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { |
| 48 | + } |
| 49 | + c.HTTPClient.CloseIdleConnections() |
| 50 | + return nil, fmt.Errorf("%s %s giving up after %d attempts", |
| 51 | +- req.Method, req.URL, c.RetryMax+1) |
| 52 | ++ req.Method, redactURL(req.URL), c.RetryMax+1) |
| 53 | + } |
| 54 | + |
| 55 | + // Try to read the response body so we can reuse this connection. |
| 56 | +@@ -663,3 +663,17 @@ func PostForm(url string, data url.Values) (*http.Response, error) { |
| 57 | + func (c *Client) PostForm(url string, data url.Values) (*http.Response, error) { |
| 58 | + return c.Post(url, "application/x-www-form-urlencoded", strings.NewReader(data.Encode())) |
| 59 | + } |
| 60 | ++ |
| 61 | ++ |
| 62 | ++// Taken from url.URL#Redacted() which was introduced in go 1.15. |
| 63 | ++func redactURL(u *url.URL) string { |
| 64 | ++ if u == nil { |
| 65 | ++ return "" |
| 66 | ++ } |
| 67 | ++ |
| 68 | ++ ru := *u |
| 69 | ++ if _, has := ru.User.Password(); has { |
| 70 | ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") |
| 71 | ++ } |
| 72 | ++ return ru.String() |
| 73 | ++} |
| 74 | +-- |
| 75 | +2.33.8 |
| 76 | + |
0 commit comments