curl-library

Re: [PATCH 2/2 v2] ntlm_wb: Avoid invoking ntlm_auth helper with empty username

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Sun, 13 Jul 2014 00:48:13 +0200

On Sat, Jul 12, 2014 at 11:22:38AM +0100, David Woodhouse wrote:
> I note that for finding the home directory in both lib/netrc.c and
> src/tool_homedir.c we use $HOME *before* getpwuid(). And we actually use

That adds flexibility to the user who can switch the location easily without
changing code.

> getpwuid() instead of getpwuid_r(), which probably ought to be fixed.

Good point—that could cause some weird issues with multithreaded programs. I've
just committed a fix for that.

> + /* The real ntlm_auth really doesn't like being invoked with an
> + empty username. It won't make inferences for itself, and expects
> + the client to do so (mostly because it's really designed for
> + servers like squid to use for auth, and client support is an
> + afterthought for it). So try hard to provide a suitable username
> + if we don't already have one. But if we can't, provide the
> + empty one anyway. Perhaps they have an implementation of the
> + ntlm_auth helper which *doesn't* need it so we might as well try */
> + if(!username || !username[0]) {
> + username = getenv("NTLMUSER");
> +#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
> + if((!username || !username[0]) &&
> + !getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
> + pw_res) {
> + username = pw.pw_name;
> + }
> +#endif
> + if(!username || !username[0])
> + username = getenv("LOGNAME");
> + if(!username || !username[0])
> + username = getenv("USER");
> + if(!username || !username[0])
> + username = userp;
> + }
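
Review bot: at `username = pw.pw_name;` the pointer stored in username refers to memory inside pwbuf, so pw and pwbuf need a lifetime that covers every later use of username; their declarations are outside the quoted lines, so check they are not declared in a narrower block than username. The same condition treats a nonzero return from getpwuid_r (an undersized pwbuf included) as "no entry" and falls through to $LOGNAME silently, which is reasonable for a best-effort lookup but worth a sentence in the comment above.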

Thinking about it some more, it does seem to make sense to let the
user-overrideable variables come before the system-defined ones. A user
running curl under plain 'su' for example will see a difference between
the two options; geteuid() will return the root user but $LOGNAME will
still contain the original user. I think I'd move the geteuid() method
as the method of last resort.

>>> Dan
Received on 2014-07-13
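
The ordering suggested in the reply above (user-overridable variables first, the geteuid() lookup as the last resort before the caller's own value), as an added example that is not part of the original mail or of curl's code. The names `resolve_ntlm_user`, `given`, `fallback` and `out`, and the 1024-byte lookup buffer, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not curl's code): pick a username for the helper,
   trying user-overridable variables first and the passwd database last.
   The result is copied into out so it never points into a temporary
   buffer. Returns out, or NULL if out is too small. */
static const char *resolve_ntlm_user(const char *given, const char *fallback,
                                     char *out, size_t outlen)
{
  static const char *const vars[] = { "NTLMUSER", "LOGNAME", "USER" };
  const char *name = given;
  struct passwd pw, *res = NULL;
  char pwbuf[1024]; /* assumed size; a failed lookup just falls through */
  size_t i;

  for(i = 0; (!name || !name[0]) && i < sizeof(vars) / sizeof(vars[0]); i++)
    name = getenv(vars[i]);

  /* Last resort: the effective uid. Under plain 'su' this names the target
     user (e.g. root), not the invoking user still held in $LOGNAME. */
  if((!name || !name[0]) &&
     !getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &res) && res)
    name = pw.pw_name;

  if(!name || !name[0])
    name = fallback ? fallback : "";

  if(strlen(name) >= outlen)
    return NULL;
  memcpy(out, name, strlen(name) + 1); /* copy while pwbuf is still alive */
  return out;
}

int main(void)
{
  char buf[256];
  const char *u = resolve_ntlm_user("", "", buf, sizeof(buf));
  printf("resolved username: '%s'\n", u ? u : "(too long)");
  return 0;
}
```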