forked from curl/curl-www
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2015-3148.patch
46 lines (38 loc) · 1.58 KB
/
CVE-2015-3148.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
From 6abfb512ed22c2de891a4398616d81a2a0690b5a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Sat, 18 Apr 2015 23:50:16 +0200
Subject: [PATCH] http_done: close Negotiate connections when done
When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.
CVE-2015-3148
Bug: https://curl.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris
---
lib/http.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/http.c b/lib/http.c
index 4c1cfc5..2a226fb 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1433,12 +1433,18 @@ CURLcode Curl_http_done(struct connectdata *conn,
Curl_unencode_cleanup(conn);
#ifdef USE_SPNEGO
if(data->state.proxyneg.state == GSS_AUTHSENT ||
- data->state.negotiate.state == GSS_AUTHSENT)
+ data->state.negotiate.state == GSS_AUTHSENT) {
+ /* add forbid re-use if http-code != 401 as a WA
+ * only needed for 401 that failed handling
+ * otherwie state will be RECV with current code */
+ if((data->req.httpcode != 401) && (data->req.httpcode != 407))
+ connclose(conn, "Negotiate transfer completed");
Curl_cleanup_negotiate(data);
+ }
#endif
/* set the proper values (possibly modified on POST) */
conn->fread_func = data->set.fread_func; /* restore */
conn->fread_in = data->set.in; /* restore */
--
2.1.4