cURL / Mailing Lists / curl-library / Single Mail

curl-library

RE: CURL SMTP - Bypass Authentication

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Wed, 26 Mar 2014 23:04:59 +0000

On Wed, 26 Mar 2014, Daniel Stenberg wrote:

> > Does anyone have any views to whether supplying a username
> > and password to a server that doesn't support authentication is a
> > valid use case and should work as if no username/password had
> > been supplied?
>
> Could it be used by a malicious server to trick the client into giving
> away its credentials in a way it wouldn't otherwise do it?

As it stands, no as the server doesn't send the AUTH capability so the
client just gives up and returns CURLE_LOGIN_DENIED.

With my proposed fix, no - it just means the client continues as if no user
credentials had been used.

Currently if...

A) AUTH is sent by the server and no credentials supplied then curl sends
the email
B) AUTH is sent by the server and credentials supplied then curl
authenticates user and sends the email
C) AUTH not sent by the server and no credentials supplied then curl sends
the email
D) AUTH not sent by the server and credentials supplied then curl returns
login denied and doesn't send the email

Tom's bug report was that scenario D should work as per scenario C.

Kind Regards

Steve
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-03-27

This message: [ Message body ]
Next message: Kamil Dudka: "Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections"
Previous message: Daniel Stenberg: "RE: CURL SMTP - Bypass Authentication"
In reply to: Daniel Stenberg: "RE: CURL SMTP - Bypass Authentication"
Next in thread: Steve Holme: "RE: CURL SMTP - Bypass Authentication"
Reply: Steve Holme: "RE: CURL SMTP - Bypass Authentication"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]