authorPatrick Monnerat <patrick@monnerat.net>2021-09-08 11:56:22 +0200
committerDaniel Stenberg <daniel@haxx.se>2021-09-13 16:51:31 +0200
commit364f174724ef115c63d5e5dc1d3342c8a43b1cca (patch)
tree9856fb764ee026d4c55c9525496b541a79af7800 /lib/ftp.c
parent43157490a5054bd24256fe12876931e8abc9df49 (diff)
downloadcurl-364f174724ef115c63d5e5dc1d3342c8a43b1cca.tar.gz
ftp,imap,pop3: do not ignore --ssl-reqd
In imap and pop3, check if TLS is required even when capabilities request has failed. In ftp, ignore preauthentication (230 status of server greeting) if TLS is required. Bug: https://curl.se/docs/CVE-2021-22946.html CVE-2021-22946
Diffstat (limited to 'lib/ftp.c')
-rw-r--r--lib/ftp.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/lib/ftp.c b/lib/ftp.c
index 1a699de59..08d18ca74 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2681,9 +2681,12 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
/* we have now received a full FTP server response */
switch(ftpc->state) {
case FTP_WAIT220:
- if(ftpcode == 230)
- /* 230 User logged in - already! */
- return ftp_state_user_resp(data, ftpcode, ftpc->state);
+ if(ftpcode == 230) {
+ /* 230 User logged in - already! Take as 220 if TLS required. */
+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
+ conn->bits.ftp_use_control_ssl)
+ return ftp_state_user_resp(data, ftpcode, ftpc->state);
+ }
else if(ftpcode != 220) {
failf(data, "Got a %03d ftp-server response when 220 was expected",
ftpcode);
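Review bot: When the 230 greeting is ignored because TLS is required, control leaves the new `if(ftpcode == 230) { ... }` block without returning and skips the `else if(ftpcode != 220)` branch, which is easy to miss or break in a later edit. I would make that explicit with a comment at the end of the block, e.g. `/* TLS required and control channel still cleartext: ignore the pre-authentication and continue as for 220 */`, and consider adding `infof(data, "Ignoring 230 greeting, TLS is required");` so that a server or on-path party trying to skip the TLS upgrade shows up in verbose logs. The guard `data->set.use_ssl <= CURLUSESSL_TRY` also depends on the numeric ordering of the `CURLUSESSL_*` values, which is worth stating in the same comment. The rest of the `FTP_WAIT220` case lies outside the hunk, so whether the 220 path fails closed when the upgrade is refused cannot be confirmed from here.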