
curl-tracker Archives

[curl:bugs] #1326 [security] Identical headers are sent to proxy and origin server

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Tue, 15 Apr 2014 22:24:59 +0000

- **status**: open-confirmed --> closed-fixed
- **Comment**:

This feature is now in git!

---
**[bugs:#1326] [security] Identical headers are sent to proxy and origin server**
**Status:** closed-fixed
**Labels:** security
**Created:** Tue Jan 21, 2014 07:09 PM UTC by Maciej
**Last Updated:** Thu Jan 23, 2014 07:21 PM UTC
**Owner:** Daniel Stenberg

When extra request headers are specified by --header (or -H) options, and the request is to be sent through a proxy, curl sends the same set of extra headers to both the proxy and the origin (destination) server. This is often highly undesirable and may constitute a security issue. An example would be a rather typical situation of handling an https request through a proxy: the client issues a plaintext CONNECT request to a proxy, and then opens a secure connection to the origin server through the tunnel provided by the proxy. If the client includes user credentials or other authentication information in headers meant for the origin server, these headers will also be sent to the proxy in the CONNECT request. This causes two security issues: 1) sensitive information is leaked to the unintended party (proxy), and 2) it is transmitted in clear text.

I have noticed this problem while testing an authentication scheme that uses non-standard headers, but I believe the problem may also affect HTTP basic authentication (though only when handled with --header, rather than --basic). I did not test this issue on plaintext requests (those that get proxied by GET method).

To fix this problem, I propose to introduce a --proxy-header option that would specify headers for the proxy. In the absence of this option, standard headers will be sent to the proxy, rather than those specified by --header. A change in libcurl will be required to handle two sets of headers properly. I have implemented such a change by modifying file lib/http.c, functions Curl_checkheaders and Curl_add_custom_headers, to use SessionHandle->mstate to determine the phase of the request, and then select between two sets of headers. However, my knowledge of curl code internals proved too limited to develop anything more than a quick and dirty hack, and for this reason I do not include a patch.

I will gladly perform additional tests if needed.

```
curl -V
curl 7.34.0 (x86_64-unknown-linux-gnu) libcurl/7.34.0 OpenSSL/0.9.8k zlib/1.2.3.4
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: Largefile NTLM NTLM_WB SSL libz
uname -a
Linux tiny 3.2.0-58-generic #88-Ubuntu SMP Tue Dec 3 17:37:58 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
```
---
Received on 2014-04-16
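
An added example, not part of the original report or of curl's own code: a check that parses the `>` (sent) lines of a `curl -v` trace and lists any header in a CONNECT request that is not addressed to the proxy, which is the leak the report describes. The trace, host name, token value and allow-list are constructed for illustration.

```python
# Headers a client legitimately addresses to the proxy in a CONNECT request
# (assumed allow-list; adjust to local policy).
PROXY_HEADERS = {"host", "user-agent", "proxy-connection", "proxy-authorization"}

# Constructed sample in the style of `curl -v` output, not a captured run.
SAMPLE_TRACE = """\
* Establish HTTP proxy tunnel to origin.example:443
> CONNECT origin.example:443 HTTP/1.1
> Host: origin.example:443
> User-Agent: curl/7.34.0
> Proxy-Connection: Keep-Alive
> X-Auth-Token: constructed-secret
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
> GET /account HTTP/1.1
> User-Agent: curl/7.34.0
> Host: origin.example
> X-Auth-Token: constructed-secret
>
< HTTP/1.1 200 OK
"""

def sent_requests(trace):
    """Group the '>'-prefixed lines into (request_line, headers) pairs."""
    requests, current = [], None
    for line in trace.splitlines():
        text = line[1:].strip() if line.startswith(">") else ""
        if not text:                 # non-'>' line or bare '>' ends a block
            current = None
        elif current is None:        # first '>' line of a block: request line
            current = (text, {})
            requests.append(current)
        else:                        # header line, stored under lower-cased name
            name, _, value = text.partition(":")
            current[1][name.strip().lower()] = value.strip()
    return requests

def leaked_to_proxy(trace, allowed=PROXY_HEADERS):
    """Return header names sent in CONNECT requests that are not proxy-directed."""
    leaks = []
    for request_line, headers in sent_requests(trace):
        if request_line.upper().startswith("CONNECT "):
            leaks += [name for name in headers if name not in allowed]
    return leaks

if __name__ == "__main__":
    print(leaked_to_proxy(SAMPLE_TRACE))
```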

Page updated March 21, 2014.