generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

http_done: close Negotiate connections when done

Browse Source 
When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

CVE-2015-3148

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris
This commit is contained in:
Daniel Stenberg 2015-04-18 23:50:16 +02:00
parent 0583e87ada
commit 79b9d5f1a4
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/http.c
View File

@ -1435,8 +1435,14 @@ CURLcode Curl_http_done(struct connectdata *conn,
#ifdef USE_SPNEGO #ifdef USE_SPNEGO
if(data->state.proxyneg.state == GSS_AUTHSENT || if(data->state.proxyneg.state == GSS_AUTHSENT ||
data->state.negotiate.state == GSS_AUTHSENT) data->state.negotiate.state == GSS_AUTHSENT) {
/* add forbid re-use if http-code != 401/407 as a WA only needed for
* 401/407 that signal auth failure (empty) otherwise state will be RECV
* with current code */
if((data->req.httpcode != 401) && (data->req.httpcode != 407))
connclose(conn, "Negotiate transfer completed");
Curl_cleanup_negotiate(data); Curl_cleanup_negotiate(data);
}
#endif #endif
/* set the proper values (possibly modified on POST) */ /* set the proper values (possibly modified on POST) */