curl-library

Re: SECURITY VULNERABILITY: inappropriate GSSAPI delegation

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Fri, 8 Jul 2011 16:19:03 +0200

On Thu July 7 2011 21:42:26 Dan Fandrich wrote:
> On Thu, Jul 07, 2011 at 03:14:15PM -0400, Rob Crittenden wrote:
> > This completely disables delegation in libcurl. Are there plans to
> > add an option for this or would you accept a patch to add this? The
> > freeipa project needs to be able to do delegation in libcurl.
>
> That was a limitation we accepted in the interests of releasing a timely
> fix and avoiding prematurely publicising the issue. Since none of the
> core curl developers uses Kerberos, it would have been a bit risky to
> develop a proper API without public feedback. I believe that patches
> to add such an API would be welcome.

I think this patch should go on top of Julien's patchset, which is not yet
in. Could we make at least some consensus on the API change at this point?
Chances are that Red Hat will need to fix this prior to the upstream fix. My
proposal is a new easy option CURLOPT_GSSAPI_DELEGATION that given 1L enables
the old behavior. Any objections? Thanks in advance.

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-07-08