From e6968d1d220891230bcca5340bfd364183ceaa31 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 19 Jan 2018 13:19:25 +0100 Subject: [PATCH] http: prevent custom Authorization headers in redirects ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Note: this changes behavior slightly, for the sake of reducing mistakes. Added test 317 and 318 to verify. Reported-by: Craig de Stigter Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html Upstream-commit: af32cd3859336ab963591ca0df9b1e33a7ee066b Signed-off-by: Kamil Dudka --- docs/libcurl/curl_easy_setopt.3 | 10 +++++ lib/http.c | 10 ++++- lib/url.c | 2 +- lib/urldata.h | 2 +- tests/data/Makefile.am | 3 +- tests/data/test317 | 94 ++++++++++++++++++++++++++++++++++++++++ tests/data/test318 | 95 +++++++++++++++++++++++++++++++++++++++++ 7 files changed, 212 insertions(+), 4 deletions(-) create mode 100644 tests/data/test317 create mode 100644 tests/data/test318 diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 index 4ce8207..cbebfba 100644 --- a/docs/libcurl/curl_easy_setopt.3 +++ b/docs/libcurl/curl_easy_setopt.3 @@ -67,6 +67,16 @@ this when you debug/report problems. Another neat option for debugging is the A parameter set to 1 tells the library to include the header in the body output. This is only relevant for protocols that actually have headers preceding the data (like HTTP). + +Custom headers are sent in all requests done by the easy handles, which +implies that if you tell libcurl to follow redirects +(\fICURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent +in the subsequent request. Redirects can of course go to other hosts and thus +those servers will get all the contents of your custom headers too. + +Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers +from being sent to other hosts than the first used one, unless specifically +permitted with the \fICURLOPT_UNRESTRICTED_AUTH(3)\fP option. .IP CURLOPT_NOPROGRESS Pass a long. If set to 1, it tells the library to shut off the progress meter completely. It will also prevent the \fICURLOPT_PROGRESSFUNCTION\fP from diff --git a/lib/http.c b/lib/http.c index b73e58c..c15208d 100644 --- a/lib/http.c +++ b/lib/http.c @@ -666,7 +666,7 @@ Curl_http_output_auth(struct connectdata *conn, if(!data->state.this_is_a_follow || conn->bits.netrc || !data->state.first_host || - data->set.http_disable_hostname_check_before_authentication || + data->set.allow_auth_to_other_hosts || Curl_raw_equal(data->state.first_host, conn->host.name)) { result = output_auth_headers(conn, authhost, request, path, FALSE); } @@ -1550,6 +1550,14 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, Connection: */ checkprefix("Connection", headers->data)) ; + else if(checkprefix("Authorization:", headers->data) && + /* be careful of sending this potentially sensitive header to + other hosts */ + (conn->data->state.this_is_a_follow && + conn->data->state.first_host && + !conn->data->set.allow_auth_to_other_hosts && + !strequal(conn->data->state.first_host, conn->host.name))) + ; else { CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", headers->data); diff --git a/lib/url.c b/lib/url.c index 71d4d8b..ba53131 100644 --- a/lib/url.c +++ b/lib/url.c @@ -912,7 +912,7 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, * Send authentication (user+password) when following locations, even when * hostname changed. */ - data->set.http_disable_hostname_check_before_authentication = + data->set.allow_auth_to_other_hosts = (0 != va_arg(param, long))?TRUE:FALSE; break; diff --git a/lib/urldata.h b/lib/urldata.h index b4f18e7..1dd62ae 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1528,7 +1528,7 @@ struct UserDefined { bool http_fail_on_error; /* fail on HTTP error codes >= 300 */ bool http_follow_location; /* follow HTTP redirects */ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ - bool http_disable_hostname_check_before_authentication; + bool allow_auth_to_other_hosts; bool include_header; /* include received protocol headers in data output */ bool http_set_referer; /* is a custom referer used */ bool http_auto_referer; /* set "correct" referer when following location: */ diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 3b31581..56cb286 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -36,7 +36,8 @@ test276 test277 test278 test279 test280 test281 test282 test283 test284 \ test285 test286 test287 test288 test289 test290 test291 test292 test293 \ test294 test295 test296 test297 test298 test299 test300 test301 test302 \ test303 test304 test305 test306 test307 test308 test309 test310 test311 \ -test312 test313 test320 test321 test322 test323 test324 test350 test351 \ +test312 test313 test317 test318 \ +test320 test321 test322 test323 test324 test350 test351 \ test352 test353 test354 test400 test401 test402 test403 test404 test405 \ test406 test407 test408 test409 test500 test501 test502 test503 test504 \ test505 test506 test507 test508 test510 test511 test512 test513 test514 \ diff --git a/tests/data/test317 b/tests/data/test317 new file mode 100644 index 0000000..c6d8697 --- /dev/null +++ b/tests/data/test317 @@ -0,0 +1,94 @@ + + + +HTTP +HTTP proxy +HTTP Basic auth +HTTP proxy Basic auth +followlocation + + +# +# Server-side + + +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3170002 +Content-Length: 8 +Connection: close + +contents + + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents + + + +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3170002 +Content-Length: 8 +Connection: close + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents + + + +# +# Client-side + + +http + + +HTTP with custom Authorization: and redirect to new host + + +http://first.host.it.is/we/want/that/page/317 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location + + + +# +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET http://first.host.it.is/we/want/that/page/317 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: first.host.it.is +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + +GET http://goto.second.host.now/3170002 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: goto.second.host.now +Accept: */* +Proxy-Connection: Keep-Alive + + + + diff --git a/tests/data/test318 b/tests/data/test318 new file mode 100644 index 0000000..838d1ba --- /dev/null +++ b/tests/data/test318 @@ -0,0 +1,95 @@ + + + +HTTP +HTTP proxy +HTTP Basic auth +HTTP proxy Basic auth +followlocation + + +# +# Server-side + + +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3180002 +Content-Length: 8 +Connection: close + +contents + + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents + + + +HTTP/1.1 302 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Location: http://goto.second.host.now/3180002 +Content-Length: 8 +Connection: close + +HTTP/1.1 200 OK +Date: Thu, 09 Nov 2010 14:49:00 GMT +Server: test-server/fake swsclose +Content-Type: text/html +Funny-head: yesyes +Content-Length: 9 + +contents + + + +# +# Client-side + + +http + + +HTTP with custom Authorization: and redirect to new host + + +http://first.host.it.is/we/want/that/page/318 -x %HOSTIP:%HTTPPORT -H "Authorization: s3cr3t" --proxy-user testing:this --location-trusted + + + +# +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET http://first.host.it.is/we/want/that/page/318 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: first.host.it.is +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + +GET http://goto.second.host.now/3180002 HTTP/1.1 +Proxy-Authorization: Basic dGVzdGluZzp0aGlz +Host: goto.second.host.now +Accept: */* +Proxy-Connection: Keep-Alive +Authorization: s3cr3t + + + + -- 2.13.6