aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2016-09-27 18:01:53 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-10-31 08:46:35 +0100
commitb3ee26c5df75d97f6895e6ec4538894ebaf76e48 (patch)
tree4560be3a48d0b1c8f8010ecfbfcba7a4f6dbc202
parentefd24d57426bd77c9b5860e6b297904703750412 (diff)
connectionexists: use case sensitive user/password comparisons
CVE-2016-8616 Bug: https://curl.haxx.se/docs/adv_20161102B.html Reported-by: Cure53
-rw-r--r--lib/url.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/lib/url.c b/lib/url.c
index 737d6bfed..b2490fe15 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3394,8 +3394,8 @@ ConnectionExists(struct Curl_easy *data,
if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
/* This protocol requires credentials per connection,
so verify that we're using the same name and password as well */
- if(!strequal(needle->user, check->user) ||
- !strequal(needle->passwd, check->passwd)) {
+ if(strcmp(needle->user, check->user) ||
+ strcmp(needle->passwd, check->passwd)) {
/* one of them was different */
continue;
}
@@ -3455,8 +3455,8 @@ ConnectionExists(struct Curl_easy *data,
possible. (Especially we must not reuse the same connection if
partway through a handshake!) */
if(wantNTLMhttp) {
- if(!strequal(needle->user, check->user) ||
- !strequal(needle->passwd, check->passwd))
+ if(strcmp(needle->user, check->user) ||
+ strcmp(needle->passwd, check->passwd))
continue;
}
else if(check->ntlm.state != NTLMSTATE_NONE) {
@@ -3470,8 +3470,8 @@ ConnectionExists(struct Curl_easy *data,
if(!check->proxyuser || !check->proxypasswd)
continue;
- if(!strequal(needle->proxyuser, check->proxyuser) ||
- !strequal(needle->proxypasswd, check->proxypasswd))
+ if(strcmp(needle->proxyuser, check->proxyuser) ||
+ strcmp(needle->proxypasswd, check->proxypasswd))
continue;
}
else if(check->proxyntlm.state != NTLMSTATE_NONE) {