curl-library
RE: CURL SMTP - Bypass Authentication
Date: Wed, 26 Mar 2014 23:04:59 +0000
On Wed, 26 Mar 2014, Daniel Stenberg wrote:
> > Does anyone have any views to whether supplying a username
> > and password to a server that doesn't support authentication is a
> > valid use case and should work as if no username/password had
> > been supplied?
>
> Could it be used by a malicious server to trick the client into giving
> away its credentials in a way it wouldn't otherwise do it?

As it stands, no, as the server doesn't send the AUTH capability so the
client just gives up and returns CURLE_LOGIN_DENIED.

With my proposed fix, no - it just means the client continues as if no user
credentials had been used.

Currently if...

A) AUTH is sent by the server and no credentials supplied then curl sends
   the email
B) AUTH is sent by the server and credentials supplied then curl
   authenticates user and sends the email
C) AUTH not sent by the server and no credentials supplied then curl sends
   the email
D) AUTH not sent by the server and credentials supplied then curl returns
   login denied and doesn't send the email

Tom's bug report was that scenario D should work as per scenario C.

Kind Regards

Steve
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-27
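
The four scenarios in the message above, modelled as an added example (not curl's source code and not part of the original message). The function names, the `proposed_fix` flag and the EHLO replies are hypothetical or constructed; it shows that in scenario D the credentials are not transmitted under either behaviour, only the mail-sending outcome changes.

```c
/* Added illustration, not curl source; all names here are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum smtp_action { SEND_MAIL, AUTH_THEN_SEND, LOGIN_DENIED };

/* Constructed EHLO replies: one advertising AUTH, one not. */
static const char EHLO_WITH_AUTH[] =
  "250-mail.example.test\r\n250-SIZE 1000000\r\n250-auth PLAIN LOGIN\r\n250 8BITMIME\r\n";
static const char EHLO_NO_AUTH[] =
  "250-mail.example.test\r\n250-SIZE 1000000\r\n250 8BITMIME\r\n";

/* True if a capability line ("250-KEYWORD ..." or "250 KEYWORD ...") carries
   AUTH. The first line is the server greeting, so it is skipped; the keyword
   is matched case-insensitively. */
static bool ehlo_has_auth(const char *reply)
{
  const char *l = strchr(reply, '\n');
  while(l && *++l) {
    if(!strncmp(l, "250", 3) && (l[3] == '-' || l[3] == ' ')) {
      const char *k = l + 4;
      int i = 0;
      while(i < 4 && toupper((unsigned char)k[i]) == "AUTH"[i])
        i++;
      if(i == 4 && (k[4] == ' ' || k[4] == '\r' || k[4] == '\n' || !k[4]))
        return true;
    }
    l = strchr(l, '\n');
  }
  return false;
}

/* Scenarios A-D; proposed_fix selects the behaviour suggested for D. */
static enum smtp_action decide(bool auth_advertised, bool have_creds,
                               bool proposed_fix)
{
  if(!have_creds)
    return SEND_MAIL;                              /* A and C */
  if(auth_advertised)
    return AUTH_THEN_SEND;                         /* B */
  return proposed_fix ? SEND_MAIL : LOGIN_DENIED;  /* D */
}

/* Credentials only reach the wire when the client actually authenticates. */
static bool creds_sent(enum smtp_action a) { return a == AUTH_THEN_SEND; }

int main(void)
{
  bool auth = ehlo_has_auth(EHLO_NO_AUTH);
  printf("D today: %d, D with fix: %d\n", decide(auth, true, false), decide(auth, true, true));
  return 0;
}
```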