curl-library
[PATCH curl 5/7] Curl_setopt: handle arbitrary-length username and password
Date: Tue, 20 Aug 2013 00:51:12 -0700
libcurl truncates usernames, passwords, and options set with
curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters.
This doesn't affect the return value from curl_easy_setopt(), so from
the caller's point of view, there is no sign anything strange has
happened, except that authentication fails.
For example:
# Prepare a long (300-char) password.
s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s;
# Start a server.
nc -l -p 8888 | tee out & pid=$!
# Tell curl to pass the password to the server.
curl --user me:$s http://localhost:8888 & sleep 1; kill $pid
# Extract the password.
userpass=$(
awk '/Authorization: Basic/ {print $3}' <out |
tr -d '\r' |
base64 -d
)
password=${userpass#me:}
echo ${#password}
Expected result: 300
Actual result: 255
The fix is simple: allocate appropriately sized buffers on the heap
instead of trying to squeeze the provided values into fixed-size
on-stack buffers.
Bug: http://bugs.debian.org/719856
Reported-by: Colby Ranger
---
Unchanged.
lib/url.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index 8b628582..73bee68b 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4793,23 +4793,29 @@ static CURLcode parse_remote_port(struct SessionHandle *data,
* Override the login details from the URL with that in the CURLOPT_USERPWD
* option or a .netrc file, if applicable.
*/
-static void override_login(struct SessionHandle *data,
- struct connectdata *conn,
- char **userp, char **passwdp, char **optionsp)
+static int override_login(struct SessionHandle *data,
+ struct connectdata *conn,
+ char **userp, char **passwdp, char **optionsp)
{
if(data->set.str[STRING_USERNAME]) {
- strncpy(*userp, data->set.str[STRING_USERNAME], MAX_CURL_USER_LENGTH);
- (*userp)[MAX_CURL_USER_LENGTH - 1] = '\0'; /* To be on safe side */
+ free(*userp);
+ *userp = strdup(data->set.str[STRING_USERNAME]);
+ if(!*userp)
+ return CURLE_OUT_OF_MEMORY;
}
if(data->set.str[STRING_PASSWORD]) {
- strncpy(*passwdp, data->set.str[STRING_PASSWORD], MAX_CURL_PASSWORD_LENGTH);
- (*passwdp)[MAX_CURL_PASSWORD_LENGTH - 1] = '\0'; /* To be on safe side */
+ free(*passwdp);
+ *passwdp = strdup(data->set.str[STRING_PASSWORD]);
+ if(!*passwdp)
+ return CURLE_OUT_OF_MEMORY;
}
if(data->set.str[STRING_OPTIONS]) {
- strncpy(*optionsp, data->set.str[STRING_OPTIONS], MAX_CURL_OPTIONS_LENGTH);
- (*optionsp)[MAX_CURL_OPTIONS_LENGTH - 1] = '\0'; /* To be on safe side */
+ free(*optionsp);
+ *optionsp = strdup(data->set.str[STRING_OPTIONS]);
+ if(!*optionsp)
+ return CURLE_OUT_OF_MEMORY;
}
conn->bits.netrc = FALSE;
@@ -4830,6 +4836,7 @@ static void override_login(struct SessionHandle *data,
conn->bits.user_passwd = TRUE; /* enable user+password */
}
}
+ return CURLE_OK;
}
/*
@@ -5278,7 +5285,9 @@ static CURLcode create_conn(struct SessionHandle *data,
/* Check for overridden login details and set them accordingly so they
they are known when protocol->setup_connection is called! */
- override_login(data, conn, &user, &passwd, &options);
+ result = override_login(data, conn, &user, &passwd, &options);
+ if(result != CURLE_OK)
+ goto out;
result = set_login(conn, user, passwd, options);
if(result != CURLE_OK)
goto out;
--
1.8.4.rc4
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-08-20