cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 13 May 2014 13:08:41 +0200

On Tuesday 13 May 2014 12:30:46 Steve Holme wrote:
> On Tue, 13 May 2014, Daniel Stenberg wrote:
> >> Sorry for reopening this thread again. I just spotted that the
> >> PROTOPT_CREDSPERREQUEST flag is set for HTTPS, but not for HTTP. Is that
> >> intentionally?
> >
> > Oh, ouch. No that's not intended. It'll just make HTTP re-use connections
> > really badly.
>
> It's more than likely that I misinterpreted the existing code when I came
> up with the patch but isn't that covered by the wantNTLMhttp check in
> url.c:3086?

I do not think so. The wantNTLMhttp check makes the rules more strict in case
NTLM is used. However, we want to _relax_ the connection re-use rules in case
NTLM is NOT used (for both HTTPS and HTTP), don't we?

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-05-13