diff options
Diffstat (limited to 'main/curl/CVE-2016-8616.patch')
-rw-r--r-- | main/curl/CVE-2016-8616.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/main/curl/CVE-2016-8616.patch b/main/curl/CVE-2016-8616.patch new file mode 100644 index 0000000000..67309bf97f --- /dev/null +++ b/main/curl/CVE-2016-8616.patch @@ -0,0 +1,66 @@ +From cef510beb222ab5750afcac2c74fcbcdc31ada64 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 27 Sep 2016 18:01:53 +0200 +Subject: [PATCH] connectionexists: use case sensitive user/password + comparisons + +CVE-2016-8616 + +Bug: https://curl.haxx.se/docs/adv_20161102B.html +Reported-by: Cure53 +--- + lib/url.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 91b2bf8..cd3335c 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -3401,12 +3401,12 @@ ConnectionExists(struct Curl_easy *data, + } + + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(!strequal(needle->user, check->user) || +- !strequal(needle->passwd, check->passwd)) { ++ if(strcmp(needle->user, check->user) || ++ strcmp(needle->passwd, check->passwd)) { + /* one of them was different */ + continue; + } + } + +@@ -3462,12 +3462,12 @@ ConnectionExists(struct Curl_easy *data, + already authenticating with the right credentials. If not, keep + looking so that we can reuse NTLM connections if + possible. (Especially we must not reuse the same connection if + partway through a handshake!) */ + if(wantNTLMhttp) { +- if(!strequal(needle->user, check->user) || +- !strequal(needle->passwd, check->passwd)) ++ if(strcmp(needle->user, check->user) || ++ strcmp(needle->passwd, check->passwd)) + continue; + } + else if(check->ntlm.state != NTLMSTATE_NONE) { + /* Connection is using NTLM auth but we don't want NTLM */ + continue; +@@ -3477,12 +3477,12 @@ ConnectionExists(struct Curl_easy *data, + if(wantProxyNTLMhttp) { + /* Both check->proxyuser and check->proxypasswd can be NULL */ + if(!check->proxyuser || !check->proxypasswd) + continue; + +- if(!strequal(needle->proxyuser, check->proxyuser) || +- !strequal(needle->proxypasswd, check->proxypasswd)) ++ if(strcmp(needle->proxyuser, check->proxyuser) || ++ strcmp(needle->proxypasswd, check->proxypasswd)) + continue; + } + else if(check->proxyntlm.state != NTLMSTATE_NONE) { + /* Proxy connection is using NTLM auth but we don't want NTLM */ + continue; +-- +2.9.3 + |