authorSteve Holme <steve_holme@hotmail.com>2016-05-29 22:57:40 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-05-30 08:14:27 +0200
commit6df916d751e72fc9a1febc07bb59c4ddd886c043 (patch)
tree4719db7dad6c1a8068988e22f5569a120a602091 /lib/curl_sspi.c
parentddf25f6b28c944702792b9555d47cdeb8217fece (diff)
downloadcurl-6df916d751e72fc9a1febc07bb59c4ddd886c043.tar.gz
loadlibrary: Only load system DLLs from the system directory
Inspiration provided by: Daniel Stenberg and Ray Satiro

Bug: https://curl.haxx.se/docs/adv_20160530.html
Ref: Windows DLL hijacking with curl, CVE-2016-4802
Diffstat (limited to 'lib/curl_sspi.c')
-rw-r--r--lib/curl_sspi.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/curl_sspi.c b/lib/curl_sspi.c
index 04eac489b..54bbef6f6 100644
--- a/lib/curl_sspi.c
+++ b/lib/curl_sspi.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -27,6 +27,7 @@
#include <curl/curl.h>
#include "curl_sspi.h"
#include "curl_multibyte.h"
+#include "system_win32.h"
#include "warnless.h"
/* The last #include files should be: */
@@ -117,9 +118,9 @@ CURLcode Curl_sspi_global_init(void)
/* Load SSPI dll into the address space of the calling process */
if(securityDll)
- s_hSecDll = LoadLibrary(TEXT("security.dll"));
+ s_hSecDll = Curl_load_library(TEXT("security.dll"));
else
- s_hSecDll = LoadLibrary(TEXT("secur32.dll"));
+ s_hSecDll = Curl_load_library(TEXT("secur32.dll"));
if(!s_hSecDll)
return CURLE_FAILED_INIT;
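Review bot: The comment above the two calls, `/* Load SSPI dll into the address space of the calling process */`, does not record the property this change exists for, namely that the DLL must come from the system directory. I would reword it to `/* Load the SSPI DLL from the system directory only; a bare LoadLibrary() name lookup can pick up a planted DLL (CVE-2016-4802) */` so that a later cleanup does not swap the wrapper back to LoadLibrary. Curl_load_library is not defined in this file's diff (it presumably comes from the newly included system_win32.h), so the restriction rests on that helper and is worth confirming there. Curl_sspi_global_init starts and ends outside the hunk.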