84 lines
2.9 KiB
Diff
84 lines
2.9 KiB
Diff
From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 25 Apr 2022 17:59:15 +0200
|
|
Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
|
|
|
|
Follow-up to 620ea21410030
|
|
|
|
Reported-by: Harry Sintonen
|
|
Closes #8751
|
|
|
|
Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
|
|
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
|
|
---
|
|
lib/http.c | 10 +++++-----
|
|
lib/http.h | 6 ++++++
|
|
lib/vtls/openssl.c | 3 ++-
|
|
3 files changed, 13 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/lib/http.c b/lib/http.c
|
|
index 0791dcf..4433824 100644
|
|
--- a/lib/http.c
|
|
+++ b/lib/http.c
|
|
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
|
|
}
|
|
|
|
/*
|
|
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
|
- * data" can (still) be sent to this host.
|
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
|
+ * "sensitive data" can (still) be sent to this host.
|
|
*/
|
|
-static bool allow_auth_to_host(struct Curl_easy *data)
|
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
|
|
{
|
|
struct connectdata *conn = data->conn;
|
|
return (!data->state.this_is_a_follow ||
|
|
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
|
|
|
|
/* To prevent the user+password to get sent to other than the original host
|
|
due to a location-follow */
|
|
- if(allow_auth_to_host(data)
|
|
+ if(Curl_allow_auth_to_host(data)
|
|
#ifndef CURL_DISABLE_NETRC
|
|
|| conn->bits.netrc
|
|
#endif
|
|
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
|
|
checkprefix("Cookie:", compare)) &&
|
|
/* be careful of sending this potentially sensitive header to
|
|
other hosts */
|
|
- !allow_auth_to_host(data))
|
|
+ !Curl_allow_auth_to_host(data))
|
|
;
|
|
else {
|
|
#ifdef USE_HYPER
|
|
diff --git a/lib/http.h b/lib/http.h
|
|
index 07e963d..9000bae 100644
|
|
--- a/lib/http.h
|
|
+++ b/lib/http.h
|
|
@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
|
|
bool proxytunnel); /* TRUE if this is the request setting
|
|
up the proxy tunnel */
|
|
|
|
+/*
|
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
|
+ * "sensitive data" can (still) be sent to this host.
|
|
+ */
|
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
|
|
+
|
|
#endif /* HEADER_CURL_HTTP_H */
|
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
|
index 616a510..e8633f4 100644
|
|
--- a/lib/vtls/openssl.c
|
|
+++ b/lib/vtls/openssl.c
|
|
@@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
|
#endif
|
|
|
|
#ifdef USE_OPENSSL_SRP
|
|
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
|
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
|
+ Curl_allow_auth_to_host(data)) {
|
|
char * const ssl_username = SSL_SET_OPTION(username);
|
|
|
|
infof(data, "Using TLS-SRP username: %s", ssl_username);
|