From 608bb3c77fd3e52c7efda4dbc35ce04d540c42a4 Mon Sep 17 00:00:00 2001
From: job <job@openbsd.org>
Date: Tue, 12 Mar 2024 16:02:30 +0000
Subject: [PATCH] Enforce same-origin policy for HTTP redirects

Isolate resources from different RRDP servers to avoid
inappropriately increasing resource consumption for both
RRDP clients and the referenced server.

OK claudio@ tb@
---
 usr.sbin/rpki-client/http.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/rpki-client/http.c b/usr.sbin/rpki-client/http.c
index 282487aa1e3..2d76f67d926 100644
--- a/usr.sbin/rpki-client/http.c
+++ b/usr.sbin/rpki-client/http.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: http.c,v 1.80 2024/01/30 11:15:05 claudio Exp $ */
+/*	$OpenBSD: http.c,v 1.81 2024/03/12 16:02:30 job Exp $ */
 /*
  * Copyright (c) 2020 Nils Fisher <nils_fisher@hotmail.com>
  * Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
@@ -1417,6 +1417,11 @@ http_parse_header(struct http_connection *conn, char *buf)
 		if (loctail != NULL)
 			*loctail = '\0';
 		conn->redir_uri = redirurl;
+		if (!valid_origin(redirurl, conn->req->uri)) {
+			warnx("%s: cross origin redirect to %s", conn->req->uri,
+			    http_info(redirurl));
+			return -1;
+		}
 	} else if (strncasecmp(cp, TRANSFER_ENCODING,
 	    sizeof(TRANSFER_ENCODING) - 1) == 0) {
 		cp += sizeof(TRANSFER_ENCODING) - 1;
-- 
2.20.1