cURL

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-tracker Archives

[curl:bugs] #1326 [security] Identical headers are sent to proxy and origin server

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Wed, 22 Jan 2014 19:10:49 +0000

I think it will be best to take it on the mailing list like other patches for a wider audience and more input and review.

One of the trickier parts this change involves is to make sure we preserve backwards compatible behavior for existing applications while introducing this new ability to new ones.

---
** [bugs:#1326] [security] Identical headers are sent to proxy and origin server**
**Status:** open-confirmed
**Labels:** security 
**Created:** Tue Jan 21, 2014 07:09 PM UTC by Maciej 
**Last Updated:** Wed Jan 22, 2014 03:57 PM UTC
**Owner:** Daniel Stenberg
When extra request headers are specified by --header (or -H) options, and the request is to be sent through a proxy, curl sends the same set of extra headers to both the proxy and the origin (destination) server. This is often highly undesirable and may constitute a security issue. An example would be a rather typical situation of handling a https request through a proxy: client issues a plaintext CONNECT request to a proxy, and then opens a secure connection to the origin server through the tunnel provided by the proxy. If client includes user credentials or other authentication information in headers meant for the origin server, these headers will be also sent to the proxy in the CONNECT request. This causes two security issues: 1) sensitive information is leaked to the unintended party (proxy), and 2) it is transmitted in clear text.
I have noticed this problem while testing an authentication scheme that uses non-standard headers, but I believe the problem may also affect HTTP basic authentication (though only when handled with --header, rather than --basic). I did not test this issue on plaintext requests (those that get proxied by GET method).
To fix this problem, I propose to introduce --proxy-header option, that would specify headers for the proxy. In absence of this option, standard headers will be sent to the proxy, rather than those specified by --header. A change in libcurl will be required to handle two sets of headers properly. I have implemented such a change by modifying file lib/http.c, functions Curl_checkheaders and Curl_add_custom_headers, to use SessionHandle->mstate to determine the phase of the request, and then select between two sets of headers. However, my knowledge of curl code internals proved too limited to develop anything more than a quick and dirty hack, and for this reason I do not include a patch.
I will gladly perform additional tests if needed.
curl -V
curl 7.34.0 (x86_64-unknown-linux-gnu) libcurl/7.34.0 OpenSSL/0.9.8k zlib/1.2.3.4
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: Largefile NTLM NTLM_WB SSL libz 
uname -a
Linux tiny 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.
Received on 2014-01-22

These mail archives are generated by hypermail.

donate! Page updated December 29, 2013.
web site info

File upload with ASP.NET