|
 |
9d7d3f |
From 55689681595d76ee53d76d6698f5a99e18395857 Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: David Woodhouse <David.Woodhouse@intel.com>
|
|
|
9d7d3f |
Date: Fri, 11 Jul 2014 11:09:34 +0100
|
|
|
9d7d3f |
Subject: [PATCH 1/2] Don't clear GSSAPI state between each exchange in the
|
|
|
9d7d3f |
negotiation
|
|
|
9d7d3f |
|
|
|
9d7d3f |
GSSAPI doesn't work very well if we forget everything ever time.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
XX: Is Curl_http_done() the right place to do the final cleanup?
|
|
|
9d7d3f |
|
|
|
9d7d3f |
Upstream-commit: f78ae415d24b9bd89d6c121c556e411fdb21c6aa
|
|
|
9d7d3f |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
lib/http.c | 6 ++++++
|
|
|
9d7d3f |
lib/http_negotiate.c | 1 -
|
|
|
9d7d3f |
lib/http_negotiate_sspi.c | 1 -
|
|
|
9d7d3f |
3 files changed, 6 insertions(+), 2 deletions(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/http.c b/lib/http.c
|
|
|
9d7d3f |
index e2448bc..c32eae0 100644
|
|
|
9d7d3f |
--- a/lib/http.c
|
|
|
9d7d3f |
+++ b/lib/http.c
|
|
|
9d7d3f |
@@ -1404,6 +1404,12 @@ CURLcode Curl_http_done(struct connectdata *conn,
|
|
|
9d7d3f |
|
|
|
9d7d3f |
Curl_unencode_cleanup(conn);
|
|
|
9d7d3f |
|
|
|
9d7d3f |
+#ifdef USE_HTTP_NEGOTIATE
|
|
|
9d7d3f |
+ if(data->state.proxyneg.state == GSS_AUTHSENT ||
|
|
|
9d7d3f |
+ data->state.negotiate.state == GSS_AUTHSENT)
|
|
|
9d7d3f |
+ Curl_cleanup_negotiate(data);
|
|
|
9d7d3f |
+#endif
|
|
|
9d7d3f |
+
|
|
|
9d7d3f |
/* set the proper values (possibly modified on POST) */
|
|
|
9d7d3f |
conn->fread_func = data->set.fread_func; /* restore */
|
|
|
9d7d3f |
conn->fread_in = data->set.in; /* restore */
|
|
|
9d7d3f |
diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
|
|
|
9d7d3f |
index 535a427..b56e7d0 100644
|
|
|
9d7d3f |
--- a/lib/http_negotiate.c
|
|
|
9d7d3f |
+++ b/lib/http_negotiate.c
|
|
|
9d7d3f |
@@ -343,7 +343,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
|
|
|
9d7d3f |
else
|
|
|
9d7d3f |
conn->allocptr.userpwd = userp;
|
|
|
9d7d3f |
free(encoded);
|
|
|
9d7d3f |
- Curl_cleanup_negotiate (conn->data);
|
|
|
9d7d3f |
return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
|
|
|
9d7d3f |
index 1381d52..678e605 100644
|
|
|
9d7d3f |
--- a/lib/http_negotiate_sspi.c
|
|
|
9d7d3f |
+++ b/lib/http_negotiate_sspi.c
|
|
|
9d7d3f |
@@ -271,7 +271,6 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
|
|
|
9d7d3f |
else
|
|
|
9d7d3f |
conn->allocptr.userpwd = userp;
|
|
|
9d7d3f |
free(encoded);
|
|
|
9d7d3f |
- Curl_cleanup_negotiate (conn->data);
|
|
|
9d7d3f |
return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
|
|
|
9d7d3f |
}
|
|
|
9d7d3f |
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
2.3.6
|
|
|
9d7d3f |
|
|
|
9d7d3f |
|
|
|
9d7d3f |
From 28e84254779c0d4b31844d928e5dae8941128f05 Mon Sep 17 00:00:00 2001
|
|
|
9d7d3f |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
9d7d3f |
Date: Sat, 18 Apr 2015 23:50:16 +0200
|
|
|
9d7d3f |
Subject: [PATCH 2/2] http_done: close Negotiate connections when done
|
|
|
9d7d3f |
|
|
|
9d7d3f |
When doing HTTP requests Negotiate authenticated, the entire connnection
|
|
|
9d7d3f |
may become authenticated and not just the specific HTTP request which is
|
|
|
9d7d3f |
otherwise how HTTP works, as Negotiate can basically use NTLM under the
|
|
|
9d7d3f |
hood. curl was not adhering to this fact but would assume that such
|
|
|
9d7d3f |
requests would also be authenticated per request.
|
|
|
9d7d3f |
|
|
|
9d7d3f |
CVE-2015-3148
|
|
|
9d7d3f |
|
|
|
9d7d3f |
Bug: http://curl.haxx.se/docs/adv_20150422B.html
|
|
|
9d7d3f |
Reported-by: Isaac Boukris
|
|
|
9d7d3f |
|
|
|
9d7d3f |
Upstream-commit: 79b9d5f1a42578f807a6c94914bc65cbaa304b6d
|
|
|
9d7d3f |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
9d7d3f |
---
|
|
|
9d7d3f |
lib/http.c | 8 +++++++-
|
|
|
9d7d3f |
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
|
9d7d3f |
|
|
|
9d7d3f |
diff --git a/lib/http.c b/lib/http.c
|
|
|
9d7d3f |
index c32eae0..04beeb1 100644
|
|
|
9d7d3f |
--- a/lib/http.c
|
|
|
9d7d3f |
+++ b/lib/http.c
|
|
|
9d7d3f |
@@ -1406,8 +1406,14 @@ CURLcode Curl_http_done(struct connectdata *conn,
|
|
|
9d7d3f |
|
|
|
9d7d3f |
#ifdef USE_HTTP_NEGOTIATE
|
|
|
9d7d3f |
if(data->state.proxyneg.state == GSS_AUTHSENT ||
|
|
|
9d7d3f |
- data->state.negotiate.state == GSS_AUTHSENT)
|
|
|
9d7d3f |
+ data->state.negotiate.state == GSS_AUTHSENT) {
|
|
|
9d7d3f |
+ /* add forbid re-use if http-code != 401/407 as a WA only needed for
|
|
|
9d7d3f |
+ * 401/407 that signal auth failure (empty) otherwise state will be RECV
|
|
|
9d7d3f |
+ * with current code */
|
|
|
9d7d3f |
+ if((data->req.httpcode != 401) && (data->req.httpcode != 407))
|
|
|
9d7d3f |
+ conn->bits.close = TRUE; /* Negotiate transfer completed */
|
|
|
9d7d3f |
Curl_cleanup_negotiate(data);
|
|
|
9d7d3f |
+ }
|
|
|
9d7d3f |
#endif
|
|
|
9d7d3f |
|
|
|
9d7d3f |
/* set the proper values (possibly modified on POST) */
|
|
|
9d7d3f |
--
|
|
|
9d7d3f |
2.3.6
|
|
|
9d7d3f |
|