diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2022-04-25 17:59:15 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2022-04-25 22:34:40 +0200 |
| commit | 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08 (patch) | |
| tree | 10143a686295e7dfdc881ed6e3fa20fd2afc8f7d | |
| parent | aad7d9f9a63ab34a9cce20b4701c4315d26dc64b (diff) | |
| download | curl-139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08.tar.gz | |
openssl: don't leak the SRP credentials in redirects either
Follow-up to 620ea21410030
Reported-by: Harry Sintonen
Closes #8751
| -rw-r--r-- | lib/http.c | 10 | ||||
| -rw-r--r-- | lib/http.h | 6 | ||||
| -rw-r--r-- | lib/vtls/openssl.c | 3 |
3 files changed, 13 insertions, 6 deletions
diff --git a/lib/http.c b/lib/http.c index f0476f3b9..0d5c449bc 100644 --- a/lib/http.c +++ b/lib/http.c @@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data, } /* - * allow_auth_to_host() tells if autentication, cookies or other "sensitive - * data" can (still) be sent to this host. + * Curl_allow_auth_to_host() tells if authentication, cookies or other + * "sensitive data" can (still) be sent to this host. */ -static bool allow_auth_to_host(struct Curl_easy *data) +bool Curl_allow_auth_to_host(struct Curl_easy *data) { struct connectdata *conn = data->conn; return (!data->state.this_is_a_follow || @@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data, /* To prevent the user+password to get sent to other than the original host due to a location-follow */ - if(allow_auth_to_host(data) + if(Curl_allow_auth_to_host(data) #ifndef CURL_DISABLE_NETRC || conn->bits.netrc #endif @@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data, checkprefix("Cookie:", compare)) && /* be careful of sending this potentially sensitive header to other hosts */ - !allow_auth_to_host(data)) + !Curl_allow_auth_to_host(data)) ; else { #ifdef USE_HYPER diff --git a/lib/http.h b/lib/http.h index 0972261e6..c4ab3c22d 100644 --- a/lib/http.h +++ b/lib/http.h @@ -364,4 +364,10 @@ Curl_http_output_auth(struct Curl_easy *data, bool proxytunnel); /* TRUE if this is the request setting up the proxy tunnel */ +/* + * Curl_allow_auth_to_host() tells if authentication, cookies or other + * "sensitive data" can (still) be sent to this host. + */ +bool Curl_allow_auth_to_host(struct Curl_easy *data); + #endif /* HEADER_CURL_HTTP_H */ diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 5d8e2d39d..3722005d4 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2924,7 +2924,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #endif #ifdef USE_OPENSSL_SRP - if(ssl_authtype == CURL_TLSAUTH_SRP) { + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { char * const ssl_username = SSL_SET_OPTION(username); infof(data, "Using TLS-SRP username: %s", ssl_username); |