authorDaniel Stenberg <daniel@haxx.se>2019-01-02 20:18:27 +0100
committerDaniel Stenberg <daniel@haxx.se>2019-01-10 10:49:51 +0100
commit98e6629154044e4ab1ee7cff8351c7ebcb131e88 (patch)
treee02c52b9eab8cce69bbd885c3b52202451290f75 /src/tool_xattr.c
parentafeb8d99022255279ee63125f2fa0f69810ce9c3 (diff)
xattr: strip credentials from any URL that is stored
Both user and password are cleared unconditionally. Added unit test 1621 to verify. Fixes #3423 Closes #3433
Diffstat (limited to 'src/tool_xattr.c')
-rw-r--r--src/tool_xattr.c63
1 files changed, 55 insertions, 8 deletions
diff --git a/src/tool_xattr.c b/src/tool_xattr.c
index 92b99db60..730381ba9 100644
--- a/src/tool_xattr.c
+++ b/src/tool_xattr.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -49,6 +49,46 @@ static const struct xattr_mapping {
{ NULL, CURLINFO_NONE } /* last element, abort loop here */
};
+/* returns TRUE if a new URL is returned, that then needs to be freed */
+/* @unittest: 1621 */
+#ifdef UNITTESTS
+bool stripcredentials(char **url);
+#else
+static
+#endif
+bool stripcredentials(char **url)
+{
+ CURLU *u;
+ CURLUcode uc;
+ char *nurl;
+ u = curl_url();
+ if(u) {
+ uc = curl_url_set(u, CURLUPART_URL, *url, 0);
+ if(uc)
+ goto error;
+
+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
+ if(uc)
+ goto error;
+
+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
+ if(uc)
+ goto error;
+
+ uc = curl_url_get(u, CURLUPART_URL, &nurl, 0);
+ if(uc)
+ goto error;
+
+ curl_url_cleanup(u);
+
+ *url = nurl;
+ return TRUE;
+ }
+ error:
+ curl_url_cleanup(u);
+ return FALSE;
+}
+
/* store metadata from the curl request alongside the downloaded
* file using extended attributes
*/
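Review bot: Every failure path in `stripcredentials()` returns FALSE with `*url` still pointing at the original string, so if `curl_url()` or any of the `curl_url_set()`/`curl_url_get()` calls fails, the caller in the `fwrite_xattr` hunk goes on to store the URL with user and password intact. The `if(value)` guard added there cannot catch this, because nothing in this function ever sets the pointer to NULL. Failing closed is a one-line change under the `error:` label, `*url = NULL;`, which makes that guard skip the attribute; the header comment should then say so, e.g. `/* returns TRUE if a new URL is returned, that then needs to be freed; on failure *url is set to NULL so nothing gets stored */`. Whether unit test 1621 covers a failing parse is not visible from this page.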
@@ -62,17 +102,24 @@ int fwrite_xattr(CURL *curl, int fd)
char *value = NULL;
CURLcode result = curl_easy_getinfo(curl, mappings[i].info, &value);
if(!result && value) {
+ bool freeptr = FALSE;
+ if(CURLINFO_EFFECTIVE_URL == mappings[i].info)
+ freeptr = stripcredentials(&value);
+ if(value) {
#ifdef HAVE_FSETXATTR_6
- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0);
+ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0, 0);
#elif defined(HAVE_FSETXATTR_5)
- err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0);
+ err = fsetxattr(fd, mappings[i].attr, value, strlen(value), 0);
#elif defined(__FreeBSD_version)
- err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr, value,
- strlen(value));
- /* FreeBSD's extattr_set_fd returns the length of the extended attribute
- */
- err = err < 0 ? err : 0;
+ err = extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, mappings[i].attr,
+ value, strlen(value));
+ /* FreeBSD's extattr_set_fd returns the length of the extended
+ attribute */
+ err = err < 0 ? err : 0;
#endif
+ if(freeptr)
+ curl_free(value);
+ }
}
i++;
}
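Review bot: The `freeptr` flag inside the `if(!result && value)` block carries an ownership rule that is not written down: after a successful `stripcredentials()` call `value` is a string obtained from `curl_url_get()` and must be released with `curl_free()`, while in every other case it is the pointer handed back by `curl_easy_getinfo()` and is not freed here. A comment on the declaration would keep a later edit from freeing the wrong pointer, for example `/* TRUE only when value was replaced by an allocated copy that we must curl_free() */`. The enclosing loop and the rest of `fwrite_xattr` lie outside this hunk.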