RE: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections

From: Steve Holme
Date: Tue, 13 May 2014 20:00:55 +0100

On Tue, 13 May 2014, Kamil Dudka wrote:

> > >> Sorry for reopening this thread again. I just spotted that the
> > >> PROTOPT_CREDSPERREQUEST flag is set for HTTPS, but not for HTTP. Is
> > >> that intentional?
> > >
> > > Oh, ouch. No that's not intended. It'll just make HTTP re-use
> > > connections really badly.
> >
> > It's more than likely that I misinterpreted the existing code when I
> > came up with the patch but isn't that covered by the wantNTLMhttp
> > check in url.c:3086?
>
> I do not think so. The wantNTLMhttp check makes the rules more strict in
> case NTLM is used.

Looking back over my patch and how HTTPS used to have the CURLPROTO_HTTP
flag (and is now a member of PROTO_FAMILY_HTTP) I think I have incorrectly
added the PROTOPT_CREDSPERREQUEST to HTTPS. I believe taking it off would
make the code compatible with how it was before my patch.

> However, we want to _relax_ the connection re-use rules in case NTLM is
> NOT used (for both HTTPS and HTTP), don't we?

...and relax the connection re-use code.

Would you agree?

Kind Regards

Received on 2014-05-13