From a4c6f86f94e7b86026770e8b9da034daf514e5bc Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 16 Apr 2015 13:26:46 +0200 Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to match CVE-2015-3143 Bug: http://curl.haxx.se/docs/adv_20150422A.html Reported-by: Paras Sethia Upstream-commit: 31be461c6b659312100c47be6ddd5f0f569290f6 Signed-off-by: Kamil Dudka --- lib/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/url.c b/lib/url.c index 22e3856..2dc56ae 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2973,7 +2973,7 @@ ConnectionExists(struct SessionHandle *data, } } if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || - ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { + (wantNTLM || check->ntlm.state != NTLMSTATE_NONE)) { /* This proto requires credentials per connection or is HTTP+NTLM, so verify that we're using the same name and password as well */ if(!strequal(needle->user, check->user) || -- 2.3.6