|
|
f0f8d7 |
From e6968d1d220891230bcca5340bfd364183ceaa31 Mon Sep 17 00:00:00 2001
|
|
|
f0f8d7 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
f0f8d7 |
Date: Fri, 19 Jan 2018 13:19:25 +0100
|
|
|
f0f8d7 |
Subject: [PATCH] http: prevent custom Authorization headers in redirects
|
|
|
f0f8d7 |
|
|
|
f0f8d7 |
... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how
|
|
|
f0f8d7 |
curl already handles Authorization headers created internally.
|
|
|
f0f8d7 |
|
|
|
f0f8d7 |
Note: this changes behavior slightly, for the sake of reducing mistakes.
|
|
|
f0f8d7 |
|
|
|
f0f8d7 |
Added test 317 and 318 to verify.
|
|
|
f0f8d7 |
|
|
|
f0f8d7 |
Reported-by: Craig de Stigter
|
|
|
f0f8d7 |
Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html
|
|
|
f0f8d7 |
|
|
|
f0f8d7 |
Upstream-commit: af32cd3859336ab963591ca0df9b1e33a7ee066b
|
|
|
f0f8d7 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
f0f8d7 |
---
|
|
|
f0f8d7 |
docs/libcurl/curl_easy_setopt.3 | 10 +++++
|
|
|
f0f8d7 |
lib/http.c | 10 ++++-
|
|
|
f0f8d7 |
lib/url.c | 2 +-
|
|
|
f0f8d7 |
lib/urldata.h | 2 +-
|
|
|
f0f8d7 |
tests/data/Makefile.am | 3 +-
|
|
|
f0f8d7 |
tests/data/test317 | 94 ++++++++++++++++++++++++++++++++++++++++
|
|
|
f0f8d7 |
tests/data/test318 | 95 +++++++++++++++++++++++++++++++++++++++++
|
|
|
f0f8d7 |
7 files changed, 212 insertions(+), 4 deletions(-)
|
|
|
f0f8d7 |
create mode 100644 tests/data/test317
|
|
|
f0f8d7 |
create mode 100644 tests/data/test318
|
|
|
f0f8d7 |
|
|
|
f0f8d7 |
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
|
|
|
f0f8d7 |
index 4ce8207..cbebfba 100644
|
|
|
f0f8d7 |
--- a/docs/libcurl/curl_easy_setopt.3
|
|
|
f0f8d7 |
+++ b/docs/libcurl/curl_easy_setopt.3
|
|
|
f0f8d7 |
@@ -67,6 +67,16 @@ this when you debug/report problems. Another neat option for debugging is the
|
|
|
f0f8d7 |
A parameter set to 1 tells the library to include the header in the body
|
|
|
f0f8d7 |
output. This is only relevant for protocols that actually have headers
|
|
|
f0f8d7 |
preceding the data (like HTTP).
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+Custom headers are sent in all requests done by the easy handles, which
|
|
|
f0f8d7 |
+implies that if you tell libcurl to follow redirects
|
|
|
f0f8d7 |
+(\fICURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent
|
|
|
f0f8d7 |
+in the subsequent request. Redirects can of course go to other hosts and thus
|
|
|
f0f8d7 |
+those servers will get all the contents of your custom headers too.
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers
|
|
|
f0f8d7 |
+from being sent to other hosts than the first used one, unless specifically
|
|
|
f0f8d7 |
+permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option.
|
|
|
f0f8d7 |
.IP CURLOPT_NOPROGRESS
|
|
|
f0f8d7 |
Pass a long. If set to 1, it tells the library to shut off the progress meter
|
|
|
f0f8d7 |
completely. It will also prevent the \fICURLOPT_PROGRESSFUNCTION\fP from
|
|
|
f0f8d7 |
diff --git a/lib/http.c b/lib/http.c
|
|
|
f0f8d7 |
index b73e58c..c15208d 100644
|
|
|
f0f8d7 |
--- a/lib/http.c
|
|
|
f0f8d7 |
+++ b/lib/http.c
|
|
|
f0f8d7 |
@@ -666,7 +666,7 @@ Curl_http_output_auth(struct connectdata *conn,
|
|
|
f0f8d7 |
if(!data->state.this_is_a_follow ||
|
|
|
f0f8d7 |
conn->bits.netrc ||
|
|
|
f0f8d7 |
!data->state.first_host ||
|
|
|
f0f8d7 |
- data->set.http_disable_hostname_check_before_authentication ||
|
|
|
f0f8d7 |
+ data->set.allow_auth_to_other_hosts ||
|
|
|
f0f8d7 |
Curl_raw_equal(data->state.first_host, conn->host.name)) {
|
|
|
f0f8d7 |
result = output_auth_headers(conn, authhost, request, path, FALSE);
|
|
|
f0f8d7 |
}
|
|
|
f0f8d7 |
@@ -1550,6 +1550,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn,
|
|
|
f0f8d7 |
Connection: */
|
|
|
f0f8d7 |
checkprefix("Connection", headers->data))
|
|
|
f0f8d7 |
;
|
|
|
f0f8d7 |
+ else if(checkprefix("Authorization:", headers->data) &&
|
|
|
f0f8d7 |
+ /* be careful of sending this potentially sensitive header to
|
|
|
f0f8d7 |
+ other hosts */
|
|
|
f0f8d7 |
+ (conn->data->state.this_is_a_follow &&
|
|
|
f0f8d7 |
+ conn->data->state.first_host &&
|
|
|
f0f8d7 |
+ !conn->data->set.allow_auth_to_other_hosts &&
|
|
|
f0f8d7 |
+ !strequal(conn->data->state.first_host, conn->host.name)))
|
|
|
f0f8d7 |
+ ;
|
|
|
f0f8d7 |
else {
|
|
|
f0f8d7 |
CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n",
|
|
|
f0f8d7 |
headers->data);
|
|
|
f0f8d7 |
diff --git a/lib/url.c b/lib/url.c
|
|
|
f0f8d7 |
index 71d4d8b..ba53131 100644
|
|
|
f0f8d7 |
--- a/lib/url.c
|
|
|
f0f8d7 |
+++ b/lib/url.c
|
|
|
f0f8d7 |
@@ -912,7 +912,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
|
|
|
f0f8d7 |
* Send authentication (user+password) when following locations, even when
|
|
|
f0f8d7 |
* hostname changed.
|
|
|
f0f8d7 |
*/
|
|
|
f0f8d7 |
- data->set.http_disable_hostname_check_before_authentication =
|
|
|
f0f8d7 |
+ data->set.allow_auth_to_other_hosts =
|
|
|
f0f8d7 |
(0 != va_arg(param, long))?TRUE:FALSE;
|
|
|
f0f8d7 |
break;
|
|
|
f0f8d7 |
|
|
|
f0f8d7 |
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
|
f0f8d7 |
index b4f18e7..1dd62ae 100644
|
|
|
f0f8d7 |
--- a/lib/urldata.h
|
|
|
f0f8d7 |
+++ b/lib/urldata.h
|
|
|
f0f8d7 |
@@ -1528,7 +1528,7 @@ struct UserDefined {
|
|
|
f0f8d7 |
bool http_fail_on_error; /* fail on HTTP error codes >= 300 */
|
|
|
f0f8d7 |
bool http_follow_location; /* follow HTTP redirects */
|
|
|
f0f8d7 |
bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */
|
|
|
f0f8d7 |
- bool http_disable_hostname_check_before_authentication;
|
|
|
f0f8d7 |
+ bool allow_auth_to_other_hosts;
|
|
|
f0f8d7 |
bool include_header; /* include received protocol headers in data output */
|
|
|
f0f8d7 |
bool http_set_referer; /* is a custom referer used */
|
|
|
f0f8d7 |
bool http_auto_referer; /* set "correct" referer when following location: */
|
|
|
f0f8d7 |
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
|
|
|
f0f8d7 |
index 3b31581..56cb286 100644
|
|
|
f0f8d7 |
--- a/tests/data/Makefile.am
|
|
|
f0f8d7 |
+++ b/tests/data/Makefile.am
|
|
|
f0f8d7 |
@@ -36,7 +36,8 @@ test276 test277 test278 test279 test280 test281 test282 test283 test284 \
|
|
|
f0f8d7 |
test285 test286 test287 test288 test289 test290 test291 test292 test293 \
|
|
|
f0f8d7 |
test294 test295 test296 test297 test298 test299 test300 test301 test302 \
|
|
|
f0f8d7 |
test303 test304 test305 test306 test307 test308 test309 test310 test311 \
|
|
|
f0f8d7 |
-test312 test313 test320 test321 test322 test323 test324 test350 test351 \
|
|
|
f0f8d7 |
+test312 test313 test317 test318 \
|
|
|
f0f8d7 |
+test320 test321 test322 test323 test324 test350 test351 \
|
|
|
f0f8d7 |
test352 test353 test354 test400 test401 test402 test403 test404 test405 \
|
|
|
f0f8d7 |
test406 test407 test408 test409 test500 test501 test502 test503 test504 \
|
|
|
f0f8d7 |
test505 test506 test507 test508 test510 test511 test512 test513 test514 \
|
|
|
f0f8d7 |
diff --git a/tests/data/test317 b/tests/data/test317
|
|
|
f0f8d7 |
new file mode 100644
|
|
|
f0f8d7 |
index 0000000..c6d8697
|
|
|
f0f8d7 |
--- /dev/null
|
|
|
f0f8d7 |
+++ b/tests/data/test317
|
|
|
f0f8d7 |
@@ -0,0 +1,94 @@
|
|
|
f0f8d7 |
+<testcase>
|
|
|
f0f8d7 |
+<info>
|
|
|
f0f8d7 |
+<keywords>
|
|
|
f0f8d7 |
+HTTP
|
|
|
f0f8d7 |
+HTTP proxy
|
|
|
f0f8d7 |
+HTTP Basic auth
|
|
|
f0f8d7 |
+HTTP proxy Basic auth
|
|
|
f0f8d7 |
+followlocation
|
|
|
f0f8d7 |
+</keywords>
|
|
|
f0f8d7 |
+</info>
|
|
|
f0f8d7 |
+#
|
|
|
f0f8d7 |
+# Server-side
|
|
|
f0f8d7 |
+<reply>
|
|
|
f0f8d7 |
+<data>
|
|
|
f0f8d7 |
+HTTP/1.1 302 OK
|
|
|
f0f8d7 |
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
|
f0f8d7 |
+Server: test-server/fake swsclose
|
|
|
f0f8d7 |
+Content-Type: text/html
|
|
|
f0f8d7 |
+Funny-head: yesyes
|
|
|
f0f8d7 |
+Location: http://goto.second.host.now/3170002
|
|
|
f0f8d7 |
+Content-Length: 8
|
|
|
f0f8d7 |
+Connection: close
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+contents
|
|
|
f0f8d7 |
+</data>
|
|
|
f0f8d7 |
+<data2>
|
|
|
f0f8d7 |
+HTTP/1.1 200 OK
|
|
|
f0f8d7 |
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
|
f0f8d7 |
+Server: test-server/fake swsclose
|
|
|
f0f8d7 |
+Content-Type: text/html
|
|
|
f0f8d7 |
+Funny-head: yesyes
|
|
|
f0f8d7 |
+Content-Length: 9
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+contents
|
|
|
f0f8d7 |
+</data2>
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+<datacheck>
|
|
|
f0f8d7 |
+HTTP/1.1 302 OK
|
|
|
f0f8d7 |
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
|
f0f8d7 |
+Server: test-server/fake swsclose
|
|
|
f0f8d7 |
+Content-Type: text/html
|
|
|
f0f8d7 |
+Funny-head: yesyes
|
|
|
f0f8d7 |
+Location: http://goto.second.host.now/3170002
|
|
|
f0f8d7 |
+Content-Length: 8
|
|
|
f0f8d7 |
+Connection: close
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+HTTP/1.1 200 OK
|
|
|
f0f8d7 |
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
|
f0f8d7 |
+Server: test-server/fake swsclose
|
|
|
f0f8d7 |
+Content-Type: text/html
|
|
|
f0f8d7 |
+Funny-head: yesyes
|
|
|
f0f8d7 |
+Content-Length: 9
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+contents
|
|
|
f0f8d7 |
+</datacheck>
|
|
|
f0f8d7 |
+</reply>
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+#
|
|
|
f0f8d7 |
+# Client-side
|
|
|
f0f8d7 |
+<client>
|
|
|
f0f8d7 |
+<server>
|
|
|
f0f8d7 |
+http
|
|
|
f0f8d7 |
+</server>
|
|
|
f0f8d7 |
+ <name>
|
|
|
f0f8d7 |
+HTTP with custom Authorization: and redirect to new host
|
|
|
f0f8d7 |
+ </name>
|
|
|
f0f8d7 |
+ <command>
|
|
|
f0f8d7 |
+http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location
|
|
|
f0f8d7 |
+</command>
|
|
|
f0f8d7 |
+</client>
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+#
|
|
|
f0f8d7 |
+# Verify data after the test has been "shot"
|
|
|
f0f8d7 |
+<verify>
|
|
|
f0f8d7 |
+<strip>
|
|
|
f0f8d7 |
+^User-Agent:.*
|
|
|
f0f8d7 |
+</strip>
|
|
|
f0f8d7 |
+<protocol>
|
|
|
f0f8d7 |
+GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1
|
|
|
f0f8d7 |
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
|
|
|
f0f8d7 |
+Host: first.host.it.is
|
|
|
f0f8d7 |
+Accept: */*
|
|
|
f0f8d7 |
+Proxy-Connection: Keep-Alive
|
|
|
f0f8d7 |
+Authorization: s3cr3t
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+GET http://goto.second.host.now/3170002 HTTP/1.1
|
|
|
f0f8d7 |
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
|
|
|
f0f8d7 |
+Host: goto.second.host.now
|
|
|
f0f8d7 |
+Accept: */*
|
|
|
f0f8d7 |
+Proxy-Connection: Keep-Alive
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+</protocol>
|
|
|
f0f8d7 |
+</verify>
|
|
|
f0f8d7 |
+</testcase>
|
|
|
f0f8d7 |
diff --git a/tests/data/test318 b/tests/data/test318
|
|
|
f0f8d7 |
new file mode 100644
|
|
|
f0f8d7 |
index 0000000..838d1ba
|
|
|
f0f8d7 |
--- /dev/null
|
|
|
f0f8d7 |
+++ b/tests/data/test318
|
|
|
f0f8d7 |
@@ -0,0 +1,95 @@
|
|
|
f0f8d7 |
+<testcase>
|
|
|
f0f8d7 |
+<info>
|
|
|
f0f8d7 |
+<keywords>
|
|
|
f0f8d7 |
+HTTP
|
|
|
f0f8d7 |
+HTTP proxy
|
|
|
f0f8d7 |
+HTTP Basic auth
|
|
|
f0f8d7 |
+HTTP proxy Basic auth
|
|
|
f0f8d7 |
+followlocation
|
|
|
f0f8d7 |
+</keywords>
|
|
|
f0f8d7 |
+</info>
|
|
|
f0f8d7 |
+#
|
|
|
f0f8d7 |
+# Server-side
|
|
|
f0f8d7 |
+<reply>
|
|
|
f0f8d7 |
+<data>
|
|
|
f0f8d7 |
+HTTP/1.1 302 OK
|
|
|
f0f8d7 |
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
|
f0f8d7 |
+Server: test-server/fake swsclose
|
|
|
f0f8d7 |
+Content-Type: text/html
|
|
|
f0f8d7 |
+Funny-head: yesyes
|
|
|
f0f8d7 |
+Location: http://goto.second.host.now/3180002
|
|
|
f0f8d7 |
+Content-Length: 8
|
|
|
f0f8d7 |
+Connection: close
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+contents
|
|
|
f0f8d7 |
+</data>
|
|
|
f0f8d7 |
+<data2>
|
|
|
f0f8d7 |
+HTTP/1.1 200 OK
|
|
|
f0f8d7 |
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
|
f0f8d7 |
+Server: test-server/fake swsclose
|
|
|
f0f8d7 |
+Content-Type: text/html
|
|
|
f0f8d7 |
+Funny-head: yesyes
|
|
|
f0f8d7 |
+Content-Length: 9
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+contents
|
|
|
f0f8d7 |
+</data2>
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+<datacheck>
|
|
|
f0f8d7 |
+HTTP/1.1 302 OK
|
|
|
f0f8d7 |
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
|
f0f8d7 |
+Server: test-server/fake swsclose
|
|
|
f0f8d7 |
+Content-Type: text/html
|
|
|
f0f8d7 |
+Funny-head: yesyes
|
|
|
f0f8d7 |
+Location: http://goto.second.host.now/3180002
|
|
|
f0f8d7 |
+Content-Length: 8
|
|
|
f0f8d7 |
+Connection: close
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+HTTP/1.1 200 OK
|
|
|
f0f8d7 |
+Date: Thu, 09 Nov 2010 14:49:00 GMT
|
|
|
f0f8d7 |
+Server: test-server/fake swsclose
|
|
|
f0f8d7 |
+Content-Type: text/html
|
|
|
f0f8d7 |
+Funny-head: yesyes
|
|
|
f0f8d7 |
+Content-Length: 9
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+contents
|
|
|
f0f8d7 |
+</datacheck>
|
|
|
f0f8d7 |
+</reply>
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+#
|
|
|
f0f8d7 |
+# Client-side
|
|
|
f0f8d7 |
+<client>
|
|
|
f0f8d7 |
+<server>
|
|
|
f0f8d7 |
+http
|
|
|
f0f8d7 |
+</server>
|
|
|
f0f8d7 |
+ <name>
|
|
|
f0f8d7 |
+HTTP with custom Authorization: and redirect to new host
|
|
|
f0f8d7 |
+ </name>
|
|
|
f0f8d7 |
+ <command>
|
|
|
f0f8d7 |
+http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted
|
|
|
f0f8d7 |
+</command>
|
|
|
f0f8d7 |
+</client>
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+#
|
|
|
f0f8d7 |
+# Verify data after the test has been "shot"
|
|
|
f0f8d7 |
+<verify>
|
|
|
f0f8d7 |
+<strip>
|
|
|
f0f8d7 |
+^User-Agent:.*
|
|
|
f0f8d7 |
+</strip>
|
|
|
f0f8d7 |
+<protocol>
|
|
|
f0f8d7 |
+GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1
|
|
|
f0f8d7 |
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
|
|
|
f0f8d7 |
+Host: first.host.it.is
|
|
|
f0f8d7 |
+Accept: */*
|
|
|
f0f8d7 |
+Proxy-Connection: Keep-Alive
|
|
|
f0f8d7 |
+Authorization: s3cr3t
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+GET http://goto.second.host.now/3180002 HTTP/1.1
|
|
|
f0f8d7 |
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
|
|
|
f0f8d7 |
+Host: goto.second.host.now
|
|
|
f0f8d7 |
+Accept: */*
|
|
|
f0f8d7 |
+Proxy-Connection: Keep-Alive
|
|
|
f0f8d7 |
+Authorization: s3cr3t
|
|
|
f0f8d7 |
+
|
|
|
f0f8d7 |
+</protocol>
|
|
|
f0f8d7 |
+</verify>
|
|
|
f0f8d7 |
+</testcase>
|
|
|
f0f8d7 |
--
|
|
|
f0f8d7 |
2.13.6
|
|
|
f0f8d7 |
|