From 679654bd47b401a1463bbaefac097d1212ea2ba9 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 17 Oct 2003 09:28:00 +0000
Subject: o the name and password arrays are 256 bytes, so let's accept that
 lengthy   input o have ->passwd and ->name be NULL if no name/passwd was
 given o only set default user+password for FTP if no userpwd was given

---
 lib/url.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/lib/url.c b/lib/url.c
index 7271af1da..b4cfc798e 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2119,7 +2119,9 @@ static CURLcode CreateConnection(struct SessionHandle *data,
     char proxyuser[MAX_CURL_USER_LENGTH]="";
     char proxypasswd[MAX_CURL_PASSWORD_LENGTH]="";
 
-    sscanf(data->set.proxyuserpwd, "%127[^:]:%127[^\n]",
+    sscanf(data->set.proxyuserpwd,
+           "%" MAX_CURL_USER_LENGTH_TXT "[^:]:"
+           "%" MAX_CURL_PASSWORD_LENGTH_TXT "[^\n]",
            proxyuser, proxypasswd);
 
     conn->proxyuser = strdup(proxyuser);
@@ -2730,7 +2732,9 @@ static CURLcode CreateConnection(struct SessionHandle *data,
    */
   if (data->set.userpwd != NULL) {
     /* the name is given, get user+password */
-    sscanf(data->set.userpwd, "%127[^:]:%127[^\n]",
+    sscanf(data->set.userpwd,
+           "%" MAX_CURL_USER_LENGTH_TXT "[^:]:"
+           "%" MAX_CURL_PASSWORD_LENGTH_TXT "[^\n]",
            user, passwd);
   }
 
@@ -2745,18 +2749,19 @@ static CURLcode CreateConnection(struct SessionHandle *data,
   }
 
   /* If our protocol needs a password and we have none, use the defaults */
-  if ( (conn->protocol & (PROT_FTP|PROT_HTTP)) &&
+  if ( (conn->protocol & PROT_FTP) &&
        !conn->bits.user_passwd) {
 
-    strcpy(user, CURL_DEFAULT_USER);
-    strcpy(passwd, CURL_DEFAULT_PASSWORD);
+    conn->user = strdup(CURL_DEFAULT_USER);
+    conn->passwd = strdup(CURL_DEFAULT_PASSWORD);
 
     /* This is the default password, so DON'T set conn->bits.user_passwd */
   }
-
-  /* store user + password */
-  conn->user = strdup(user);
-  conn->passwd = strdup(passwd);
+  else {
+    /* store user + password */
+    conn->user = user[0]?strdup(user):NULL;
+    conn->passwd = passwd[0]?strdup(passwd):NULL;
+  }
 
   /*************************************************************
    * Check the current list of connections to see if we can
@@ -2817,8 +2822,8 @@ static CURLcode CreateConnection(struct SessionHandle *data,
                                  otherwise */
     conn->maxdownload = -1;  /* might have been used previously! */
 
-    free(old_conn->user);
-    free(old_conn->passwd);
+    Curl_safefree(old_conn->user);
+    Curl_safefree(old_conn->passwd);
     Curl_safefree(old_conn->proxyuser);
     Curl_safefree(old_conn->proxypasswd);
 
-- 
cgit v1.2.3