Re: Regression on FTP connections with --anyauth

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Mon, 24 Feb 2014 22:04:04 +0100

On Wed, Feb 12, 2014 at 10:52:48PM +0100, Daniel Stenberg wrote:
> On Wed, 12 Feb 2014, Dan Fandrich wrote:
>
> >> bool canPipeline = IsPipeliningPossible(data, needle);
> >>- bool wantNTLM = (data->state.authhost.want & CURLAUTH_NTLM) ||
> >>- (data->state.authhost.want & CURLAUTH_NTLM_WB) ? TRUE : FALSE;
> >>+ bool wantNTLMhttp = ((data->state.authhost.want & CURLAUTH_NTLM) ||
> >>+ (data->state.authhost.want & CURLAUTH_NTLM_WB)) &&
> >>+ (needle->handler->protocol & CURLPROTO_FTP) ? TRUE : FALSE;
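Review bot: the protocol test in the third `+` line masks with `CURLPROTO_FTP`, which contradicts the new variable's name `wantNTLMhttp` and the intent of limiting the NTLM check to HTTP; with this mask the flag is only ever set for FTP handlers. Suggest `(needle->handler->protocol & CURLPROTO_HTTP) ? TRUE : FALSE;` for that line.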
> >
> >I haven't tried the patch, but I don't follow this logic--shouldn't that be
> >& CURLPROTO_HTTP? The check for FTP is done again below.
>
> Yes it should indeed. Thanks for reviewing it correctly!

It's probably worthwhile updating the security advisory at
http://curl.haxx.se/docs/adv_20140129.html as it advocates applying just
commit 8ae35102 as a fix to the original security issue. By my
reckoning, the fix should be 8ae35102 followed by 378af08c followed by
d7650998. The 7.27.0 patch at http://curl.haxx.se/CVE-2014-0015-7-27.patch
suffers from the same problem.

>>> Dan
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-02-24