ConnectionExists: for NTLM re-use, require credentials to match

CVE-2015-3143 Bug: http://curl.haxx.se/docs/adv_20150422A.html Reported-by: Paras Sethia
author: Daniel Stenberg <daniel@haxx.se> 2015-04-16 13:26:46 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2015-04-21 23:20:36 +0200
commit: 31be461c6b659312100c47be6ddd5f0f569290f6 (patch)
tree: a3a964c7b9418ad58f88661d3cb645fcd804fdf4
parent: 6088fbce06ea32ef86a999092e36415a550d140a (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/url.c b/lib/url.c
index 018bb8876..ee3d176d9 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3209,7 +3209,7 @@ ConnectionExists(struct SessionHandle *data,
       }
 
       if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
-         wantNTLMhttp) {
+         (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
         /* This protocol requires credentials per connection or is HTTP+NTLM,
            so verify that we're using the same name and password as well */
         if(!strequal(needle->user, check->user) ||
author	Daniel Stenberg <daniel@haxx.se>	2015-04-16 13:26:46 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2015-04-21 23:20:36 +0200
commit	31be461c6b659312100c47be6ddd5f0f569290f6 (patch)
tree	a3a964c7b9418ad58f88661d3cb645fcd804fdf4
parent	6088fbce06ea32ef86a999092e36415a550d140a (diff)