curl-library

Re: Regression on FTP connections with --anyauth

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 11 Feb 2014 23:11:40 +0100 (CET)

On Tue, 11 Feb 2014, Dan Fandrich wrote:

> curl 7.35.0 in commit 8ae35102c (the fix for CVE-2014-0015) introduces a
> serious regression in handling reuse of FTP connections. The following
> example shows the problem:

Ugha.

> In prior versions, libcurl would reuse the FTP control connection for the
> second URL. After that commit, it opens a new control connection, leaving
> the old one open as well. After downloading a few files (i.e. opening a few
> connections), FTP servers will often prevent further connections from the
> same IP address as DOS protection, which causes all remaining downloads to
> fail.

A first quick patch that might have some merit, and makes your test command
line work follows. I'll ponder a bit more...

diff --git a/lib/url.c b/lib/url.c
index 3f2112d..91aa9e0 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3123,7 +3123,7 @@ ConnectionExists(struct SessionHandle *data,
              *force_reuse = TRUE;
              break;
            }
- else
+ else if(check->ntlm.state != NTLMSTATE_NONE)
              continue;
          }
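
Review bot: The narrowed `else if(check->ntlm.state != NTLMSTATE_NONE)` means a candidate connection whose NTLM state is NTLMSTATE_NONE is no longer skipped and instead falls through to the reuse logic after this block, which loosens the unconditional `continue` that came from the CVE-2014-0015 fix. The condition guarding this block is not visible in the hunk, so please add a comment at the changed line stating why a connection in NTLMSTATE_NONE is safe to reuse here, and confirm that `check->ntlm.state` is always initialized to NTLMSTATE_NONE for connections that never negotiated NTLM (FTP ones included), since the test now reads it for them. A regression test for the reported case (two FTP URLs with --anyauth sharing one control connection) would keep both the reuse behaviour and the security fix pinned down.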

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-02-11