curl-library
RE: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 14 May 2014 09:18:58 +0200 (CEST)
On Tue, 13 May 2014, Steve Holme wrote:
> Looking back over my patch and how HTTPS used to have the CURLPROTO_HTTP
> flag (and is now a member of PROTO_FAMILY_HTTP) I think I have incorrectly
> added the PROTOPT_CREDSPERREQUEST to HTTPS. I believe taking it off would
> make the code compatible with how it was before my patch.
That doesn't sound correct.
PROTOPT_CREDSPERREQUEST means that the protocol sends full credentials per
request (so that the same connection can be re-used even if the user/password
changes between requests), and HTTP works the same way as HTTPS in that regard
so I really think both should have that bit set.
--
 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-05-14
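
The reuse rule described in the reply above, as an added example that is not part of the original message and is not libcurl's code: a simplified model of the connection-reuse decision. The structs, the protocol table, the bit value and the helper names are assumptions made for illustration; only the name PROTOPT_CREDSPERREQUEST comes from the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed bit value for this model; not copied from libcurl. */
#define PROTOPT_CREDSPERREQUEST (1u << 0)

struct proto { const char *scheme; unsigned flags; };
struct peer  { const struct proto *proto; const char *host;
               const char *user; const char *passwd; };

/* Hypothetical protocol table: HTTP and HTTPS carry the bit, as the reply
   argues; "login-once" stands for any protocol that authenticates the
   connection itself. */
static const struct proto model_http      = { "http",  PROTOPT_CREDSPERREQUEST };
static const struct proto model_https     = { "https", PROTOPT_CREDSPERREQUEST };
static const struct proto model_loginonce = { "login-once", 0 };

static bool same(const char *a, const char *b) { return strcmp(a, b) == 0; }

/* May the idle connection `c` serve the new request `r`? */
bool conn_reusable(const struct peer *c, const struct peer *r)
{
  if(c->proto != r->proto || !same(c->host, r->host))
    return false;
  if(c->proto->flags & PROTOPT_CREDSPERREQUEST)
    return true;  /* credentials are sent again with every request */
  /* The connection was authenticated once: identity must match exactly. */
  return same(c->user, r->user) && same(c->passwd, r->passwd);
}

/* Same host, connection opened as conn_user, next request as req_user. */
bool reuse_with_users(const struct proto *p, const char *conn_user,
                      const char *req_user)
{
  struct peer c = { p, "example.com", conn_user, "pw-1" };  /* constructed */
  struct peer r = { p, "example.com", req_user, "pw-1" };   /* constructed */
  return conn_reusable(&c, &r);
}

int main(void)
{
  printf("http  alice->bob: %d\n", reuse_with_users(&model_http, "alice", "bob"));
  printf("https alice->bob: %d\n", reuse_with_users(&model_https, "alice", "bob"));
  printf("login-once alice->bob: %d\n",
         reuse_with_users(&model_loginonce, "alice", "bob"));
  return 0;
}
```

In this model, clearing the bit on a protocol only makes reuse stricter; setting it on a protocol that authenticates the connection itself would let a second user's request ride on the first user's login.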