Vulnerability discovered affecting curl, libcurl and the projects built on them

cURL is a software project consisting of a library and a command-line interpreter intended for file transfer.

Daniel Stenberg (author of the cURL project) recently disclosed, in a blog post, details of a vulnerability found in curl, the tool for receiving and sending data over the network, and in the libcurl library.

The vulnerability (already catalogued as CVE-2023-38545) is caused by a bug in the hostname resolution code that runs before a SOCKS5 proxy is accessed.

SOCKS5 is a proxy protocol. It is a fairly simple protocol for setting up network communication through a dedicated "broker". For example, the protocol is commonly used to set up communication over Tor, and also to reach the Internet from inside organizations and companies.

SOCKS5 has two different hostname resolution modes. Either the client resolves the hostname locally and passes the destination as a resolved address, or the client passes the full hostname to the proxy and lets the proxy resolve the host remotely.

The flaw can cause a buffer overflow and potentially allow an attacker's code to execute on the client side when an HTTPS server controlled by the attacker is accessed through the curl utility or an application that uses libcurl. However, the problem exists only when access through a SOCKS5 proxy is enabled in curl. With direct access, without a proxy, the vulnerability does not appear.

The owner of a site that curl accesses through a SOCKS5 proxy is described as being able to:

Trigger a client-side buffer overflow by returning a redirect response code (HTTP 30x) and setting the "Location:" header to a URL whose hostname is between 16 and 64 KB in size (16 KB is the size needed to overflow the allocated buffer, and 65 KB is the maximum hostname length allowed in a URL).

If following redirects is enabled in the libcurl configuration and the SOCKS5 proxy in use is slow enough, the long hostname will be written to a buffer that is clearly too small for it.

In his blog post, Daniel Stenberg said that the vulnerability went undetected for 1315 days. The post also says that 41% of the previously known vulnerabilities in curl could probably have been avoided if curl had been written in a memory-safe language, but there are no plans to rewrite curl in another language in the foreseeable future.

The vulnerability mainly affects libcurl-based applications, and appears in the curl utility only when the "--limit-rate" option is used with a value below 65541, since libcurl allocates a 16 KB buffer by default and curl allocates 100 KB, but this size changes depending on the value of the "--limit-rate" parameter.

It is explained that when the hostname is up to 256 characters long, curl passes the name directly to the SOCKS5 proxy for resolution, and when the name exceeds 255 characters, it switches to the local resolver and passes the already-resolved address to SOCKS5. Because of a bug in the code, the flag indicating that local resolution is needed could be set to the wrong value during a slow negotiation of the connection over SOCKS5, causing the hostname to be written to a buffer allocated on the expectation of holding an IP address or a name no longer than 255 characters.
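The lost-flag condition described above, as a simplified C model added here (it is not curl's source code): the struct, the function names and the two-state handshake are hypothetical, and resetting the flag on re-entry is the assumed way it ends up with the wrong value. The functions only report how many name bytes would be copied, with a hardened variant beside the vulnerable shape.

```c
#include <stddef.h>
#include <stdio.h>

#define SOCKS5_NAME_MAX 255        /* limit for a name passed to the proxy */
enum { ST_INIT, ST_SEND };         /* handshake states of this model */
enum { AGAIN = -1, LOCAL = -2 };   /* results that are not a byte count */
struct conn { int state; int resolve_local; };  /* survives between calls */

/* Vulnerable shape: the flag is a local that is reset on every entry, so
   the decision is lost when a slow proxy forces the call to be resumed. */
static long step_vuln(struct conn *c, size_t hostlen, int proxy_ready) {
    int resolve_local = 0;
    switch (c->state) {
    case ST_INIT:
        resolve_local = hostlen > SOCKS5_NAME_MAX;  /* too long: go local */
        c->state = ST_SEND;
        if (!proxy_ready) return AGAIN;   /* slow proxy: re-entered later */
        /* fall through */
    case ST_SEND:
        return resolve_local ? LOCAL : (long)hostlen;  /* bytes copied */
    }
    return AGAIN;
}

/* Hardened shape: flag kept in the connection, length re-checked at copy. */
static long step_fixed(struct conn *c, size_t hostlen, int proxy_ready) {
    switch (c->state) {
    case ST_INIT:
        c->resolve_local = hostlen > SOCKS5_NAME_MAX;
        c->state = ST_SEND;
        if (!proxy_ready) return AGAIN;
        /* fall through */
    case ST_SEND:
        return (c->resolve_local || hostlen > SOCKS5_NAME_MAX)
               ? LOCAL : (long)hostlen;
    }
    return AGAIN;
}

/* Run one handshake; slow != 0 means the proxy is not ready on first call. */
static long handshake(long (*step)(struct conn *, size_t, int),
                      size_t hostlen, int slow) {
    struct conn c = { ST_INIT, 0 };
    long r = step(&c, hostlen, !slow);
    return r == AGAIN ? step(&c, hostlen, 1) : r;
}

int main(void) {
    printf("vulnerable/slow: %ld, hardened/slow: %ld\n",
           handshake(step_vuln, 20000, 1), handshake(step_fixed, 20000, 1));
}
```

A result above 255 from `handshake` means the name buffer would have been overrun; the 20000-byte name used in `main` is a constructed sample length.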

Finally, the vulnerability was fixed in curl version 8.4.0. As measures to improve the security of the code base, it is proposed to expand the tooling used to test the code and to make more active use of dependencies written in programming languages that guarantee memory-safe operation. The project is also considering gradually replacing parts of curl with alternatives written in safe languages, such as the experimental Hyper HTTP backend implemented in Rust.

If you are interested in learning more about it, you can check the details in the following link.

