Do you use curl? You should update now! The new version 7.71.0 fixes two serious bugs

The new update release "cURL 7.71.0" is now available. It focuses on fixing two serious bugs that allow access to passwords and allow files to be overwritten. That is why users are urged to upgrade to the new version.

For those unfamiliar with this utility, it is used to receive and send data over the network, and it makes it easy to build a request by setting parameters such as cookie, user_agent, referer, and any other header.

cURL supports HTTP, HTTPS, HTTP/2.0, HTTP/3, SMTP, IMAP, POP3, Telnet, FTP, LDAP, RTSP, RTMP, and other network protocols. At the same time, a matching update was released for the libcurl library, which provides an API for using all of curl's functions in programs written in languages such as C, Perl, PHP, and Python.

Main changes in cURL 7.71.0

This new version is an update and, as mentioned at the beginning, it fixes two bugs, which are the following:

  • Vulnerability CVE-2020-8177: This allows an attacker to overwrite a local file on the system when the user accesses a server controlled by the attacker. The problem appears only when the options "-J" ("--remote-header-name") and "-i" ("--include") are used together.

The "-J" option lets you save the file under the name given in the "Content-Disposition" header. If a file with the same name already exists, curl normally refuses to overwrite it, but if the "-i" option is present, the verification logic is broken and the file is overwritten (the check is performed at the stage of receiving the response body, but with the "-i" option the HTTP headers are output first and have time to be saved before the response body is processed). Only the HTTP headers are written to the file.

  • Vulnerability CVE-2020-8169: This can leak to the DNS server part of the passwords used to access the site (Basic, Digest, NTLM, etc.).

When the "@" character is used in a password, where it also serves as the password separator in the URL, and an HTTP redirect is triggered, curl sends the part of the password after the "@" character together with the domain for name resolution.

For example, if you specify the password "passw@passw" and the username "user", curl will generate the URL "https://user:passw@passw@example.com/path" instead of "https://user:passw%40passw@example.com/path" and send a request to resolve the host "passw@example.com" instead of "example.com".

The problem manifests itself when support for relative HTTP redirects is enabled (it can be disabled through CURLOPT_FOLLOWLOCATION).

When traditional DNS is used, the DNS provider and an attacker can obtain information about part of the password. When DNS over HTTPS (DoH) is used, the leak is limited to the DoH operator.
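The URL ambiguity described above, as an added example that is not part of the original article and is not curl's code: it rebuilds the article's URL with and without percent-encoding the password and shows which name would be handed to the resolver. The function names are hypothetical, and the "userinfo ends at the first @" parser is a simplified model assumed for illustration.

```python
from urllib.parse import quote, unquote, urlsplit


def rebuild_url(user, password, host, path, encode=True):
    """Reassemble a URL from decoded parts, as a client does for a relative redirect."""
    if encode:
        # Percent-encode everything in userinfo, so "@" becomes "%40".
        user, password = quote(user, safe=""), quote(password, safe="")
    return f"https://{user}:{password}@{host}{path}"


def host_first_at(url):
    """Simplified model (an assumption): userinfo ends at the FIRST "@"."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    return authority.split("@", 1)[1] if "@" in authority else authority


def leaked_fragment(url):
    """Password text that ends up inside the name handed to the resolver."""
    host = host_first_at(url)
    return host.rsplit("@", 1)[0] if "@" in host else ""


def parse_encoded(url):
    """Standard-library parse of a URL: (host, decoded password)."""
    parts = urlsplit(url)
    return parts.hostname, unquote(parts.password)


if __name__ == "__main__":
    # Constructed sample values, taken from the article's example.
    sample = ("user", "passw@passw", "example.com", "/path")
    for encode in (False, True):
        url = rebuild_url(*sample, encode=encode)
        print(url)
        print(f"  resolved name: {host_first_at(url)!r}")
        print(f"  leaked to DNS: {leaked_fragment(url)!r}")
    # The encoded form round-trips: clean host, password still recoverable.
    print(parse_encoded(rebuild_url(*sample)))
```
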

Finally, another change included in the new version is the addition of the "--retry-all-errors" option, which retries operations when any error occurs.

How to install cURL on Linux?

Those interested in installing this new version of cURL can do so by downloading the source code and compiling it.

To do this, the first thing we will do is download the latest cURL package from a terminal, where we type:

wget https://curl.haxx.se/download/curl-7.71.0.tar.xz

Next, we unpack the downloaded package with:

tar -xvf curl-7.71.0.tar.xz

We enter the newly created folder with:

cd curl-7.71.0

We become root with:

sudo su

And we type the following:

./configure --prefix=/usr \
--disable-static \
--enable-threaded-resolver \
--with-ca-path=/etc/ssl/certs &&
make &&
make install &&
rm -rf docs/examples/.deps &&
find docs \( -name Makefile\* -o -name \*.1 -o -name \*.3 \) -exec rm {} \; &&
install -v -d -m755 /usr/share/doc/curl-7.71.0 &&
cp -v -R docs/* /usr/share/doc/curl-7.71.0

Finally, we can check the version with:

curl --version

If you want to know more about it, you can consult the following link.

