curl-library

Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 14 May 2014 08:59:24 +0200

On Tuesday, May 13, 2014 20:00:55 Steve Holme wrote:
> On Tue, 13 May 2014, Kamil Dudka wrote:
> > > >> Sorry for reopening this thread again. I just spotted that the
> > > >> PROTOPT_CREDSPERREQUEST flag is set for HTTPS, but not for HTTP. Is
> > > >> that intentional?
> > > >
> > > > Oh, ouch. No that's not intended. It'll just make HTTP re-use
> > > > connections really badly.
> > >
> > > It's more than likely that I misinterpreted the existing code when I
> > > came up with the patch but isn't that covered by the wantNTLMhttp
> > > check in url.c:3086?
> >
> > I do not think so. The wantNTLMhttp check makes the rules more strict in
> > case NTLM is used.
>
> Looking back over my patch and how HTTPS used to have the CURLPROTO_HTTP
> flag (and is now a member of PROTO_FAMILY_HTTP) I think I have incorrectly
> added the PROTOPT_CREDSPERREQUEST to HTTPS. I believe taking it off would
> make the code compatible with how it was before my patch.

Before your patch, libcurl allowed re-using connections with non-matching
user/passwd for all protocols except FTP and NTLM-authenticated HTTP.

After your patch, libcurl allows re-using connections with non-matching
user/passwd only for HTTPS.

What you are proposing now is to completely disable re-using of connections
with non-matching user/passwd for all protocols. That sounds like the safest
option to me as we do not need to check all combinations of protocols and
authentication mechanisms to decide whether authentication per request or
per connection is required. Is that what you mean?

Kamil

> > However, we want to _relax_ the connection re-use rules in case NTLM is
> > NOT used (for both HTTPS and HTTP), don't we?
>
> ...and relax the connection re-use code.
>
> Would you agree?
>
> Kind Regards
>
> Steve
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-05-14
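
The three re-use rule sets compared in the message above, as an added example that is not part of the original mail and is not libcurl source. It is a simplified model: the enum names, the pool contents and the credentials are constructed, and keeping NTLM strict in the "after patch" case is an assumption based on the wantNTLMhttp check mentioned in the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the three rule sets; every name here is hypothetical. */
enum proto  { P_HTTP, P_HTTPS, P_FTP };
enum policy { BEFORE_PATCH, AFTER_PATCH, PROPOSED };
struct conn { enum proto proto; const char *host, *user, *passwd; bool ntlm; };

/* Constructed pool: every cached connection was opened with alice's credentials. */
static const struct conn pool[] = {
    { P_HTTP,  "www.example.com",      "alice", "pw-a", false },
    { P_HTTPS, "www.example.com",      "alice", "pw-a", false },
    { P_FTP,   "ftp.example.com",      "alice", "pw-a", false },
    { P_HTTP,  "intranet.example.com", "alice", "pw-a", true  }, /* NTLM */
};

/* May a cached connection serve a request whose user/passwd differ? */
static bool mismatch_ok(enum policy pol, const struct conn *c)
{
    switch (pol) {
    case BEFORE_PATCH: return c->proto != P_FTP && !c->ntlm;   /* all but FTP, NTLM */
    case AFTER_PATCH:  return c->proto == P_HTTPS && !c->ntlm; /* HTTPS only */
    default:           return false;                           /* PROPOSED: never */
    }
}

/* Index of the pooled connection that would be re-used, or -1 (open a new one). */
static int find_reusable(enum policy pol, enum proto proto, const char *host,
                         const char *user, const char *passwd)
{
    for (int i = 0; i < (int)(sizeof pool / sizeof pool[0]); i++) {
        const struct conn *c = &pool[i];
        if (c->proto != proto || strcmp(c->host, host) != 0)
            continue;
        bool same = !strcmp(c->user, user) && !strcmp(c->passwd, passwd);
        if (same || mismatch_ok(pol, c))
            return i;
    }
    return -1;
}

int main(void)
{
    static const char *names[] = { "before patch", "after patch", "proposed" };
    for (int pol = BEFORE_PATCH; pol <= PROPOSED; pol++)
        for (int i = 0; i < 4; i++)   /* bob asks for each pooled endpoint */
            printf("%-12s pool[%d] -> %d\n", names[pol], i, find_reusable(
                   (enum policy)pol, pool[i].proto, pool[i].host, "bob", "pw-b"));
    return 0;
}
```

A result of -1 means a second user's request gets its own connection; any other index means it rides on a connection opened with alice's credentials, which is only acceptable when the protocol authenticates per request.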