diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2018-01-19 13:19:25 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-01-22 10:00:00 +0100 |
| commit | af32cd3859336ab963591ca0df9b1e33a7ee066b (patch) | |
| tree | ae91ca52a3cbbfabe89c74dda181abbbc40c1150 /lib | |
| parent | 993dd5651a6c853bfe3870f6a69c7b329fa4e8ce (diff) | |
http: prevent custom Authorization headers in redirects
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
curl already handles Authorization headers created internally.
Note: this changes behavior slightly, for the sake of reducing mistakes.
Added test 317 and 318 to verify.
Reported-by: Craig de Stigter
Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/http.c | 10 | ||||
| -rw-r--r-- | lib/setopt.c | 2 | ||||
| -rw-r--r-- | lib/urldata.h | 2 |
3 files changed, 11 insertions, 3 deletions
diff --git a/lib/http.c b/lib/http.c index c1cdf2da0..a5007670d 100644 --- a/lib/http.c +++ b/lib/http.c @@ -714,7 +714,7 @@ Curl_http_output_auth(struct connectdata *conn, if(!data->state.this_is_a_follow || conn->bits.netrc || !data->state.first_host || - data->set.http_disable_hostname_check_before_authentication || + data->set.allow_auth_to_other_hosts || strcasecompare(data->state.first_host, conn->host.name)) { result = output_auth_headers(conn, authhost, request, path, FALSE); } @@ -1636,6 +1636,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, checkprefix("Transfer-Encoding:", headers->data)) /* HTTP/2 doesn't support chunked requests */ ; + else if(checkprefix("Authorization:", headers->data) && + /* be careful of sending this potentially sensitive header to + other hosts */ + (data->state.this_is_a_follow && + data->state.first_host && + !data->set.allow_auth_to_other_hosts && + !strcasecompare(data->state.first_host, conn->host.name))) + ; else { CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", headers->data); diff --git a/lib/setopt.c b/lib/setopt.c index 66f30ea65..a5ef75c72 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -442,7 +442,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, * Send authentication (user+password) when following locations, even when * hostname changed. */ - data->set.http_disable_hostname_check_before_authentication = + data->set.allow_auth_to_other_hosts = (0 != va_arg(param, long)) ? TRUE : FALSE; break; diff --git a/lib/urldata.h b/lib/urldata.h index 4dcd1a322..5c04ad172 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1599,7 +1599,7 @@ struct UserDefined { bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */ bool http_follow_location; /* follow HTTP redirects */ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ - bool http_disable_hostname_check_before_authentication; + bool allow_auth_to_other_hosts; bool include_header; /* include received protocol headers in data output */ bool http_set_referer; /* is a custom referer used */ bool http_auto_referer; /* set "correct" referer when following location: */ |