option: disallow username in URL
Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes libcurl reject URLs with a username in them. Closes #2340
parent
71d35e4a1d
commit
946ce5b61f
7
docs/cmdline-opts/disallow-username-in-url.d
Normal file
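--- a/docs/cmdline-opts/disallow-username-in-url.d
+++ b/docs/cmdline-opts/disallow-username-in-url.d
@@ -0,0 +1,7 @@
+Long: disallow-username-in-url
+Help: Disallow username in url
+Protocols: HTTP
+Added: 7.61.0
+See-also: proto
+---
+This tells curl to exit if passed a url containing a username.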
@ -258,6 +258,8 @@ HTTP proxy authentication methods. See \fICURLOPT_PROXYAUTH(3)\fP
|
|||||||
Enable SASL initial response. See \fICURLOPT_SASL_IR(3)\fP
|
Enable SASL initial response. See \fICURLOPT_SASL_IR(3)\fP
|
||||||
.IP CURLOPT_XOAUTH2_BEARER
|
.IP CURLOPT_XOAUTH2_BEARER
|
||||||
OAuth2 bearer token. See \fICURLOPT_XOAUTH2_BEARER(3)\fP
|
OAuth2 bearer token. See \fICURLOPT_XOAUTH2_BEARER(3)\fP
|
||||||
|
.IP CURLOPT_DISALLOW_USERNAME_IN_URL
|
||||||
|
Don't allow username in URL. See \fICURLOPT_DISALLOW_USERNAME_IN_URL(3)\fP
|
||||||
.SH HTTP OPTIONS
|
.SH HTTP OPTIONS
|
||||||
.IP CURLOPT_AUTOREFERER
|
.IP CURLOPT_AUTOREFERER
|
||||||
Automatically set Referer: header. See \fICURLOPT_AUTOREFERER(3)\fP
|
Automatically set Referer: header. See \fICURLOPT_AUTOREFERER(3)\fP
|
||||||
|
56
docs/libcurl/opts/CURLOPT_DISALLOW_USERNAME_IN_URL.3
Normal file
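--- a/docs/libcurl/opts/CURLOPT_DISALLOW_USERNAME_IN_URL.3
+++ b/docs/libcurl/opts/CURLOPT_DISALLOW_USERNAME_IN_URL.3
@@ -0,0 +1,56 @@
+.\" **************************************************************************
+.\" * _ _ ____ _
+.\" * Project ___| | | | _ \| |
+.\" * / __| | | | |_) | |
+.\" * | (__| |_| | _ <| |___
+.\" * \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_DISALLOW_USERNAME_IN_URL 3 "30 May 2018" "libcurl 7.61.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_DISALLOW_USERNAME_IN_URL \- disallow specifying username in the url
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_DISALLOW_USERNAME_IN_URL, long disallow);
+.SH DESCRIPTION
+A long parameter set to 1 tells the library to not allow URLs that include a
+username.
+.SH DEFAULT
+0 (disabled) - user names are allowed by default.
+.SH PROTOCOLS
+Several
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+
+curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
+curl_easy_setopt(curl, CURLOPT_DISALLOW_USERNAME_IN_URL, 1L);
+
+curl_easy_perform(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in libcurl 7.61.0
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
+
+curl_easy_perform() will return CURLE_LOGIN_DENIED if this option is enabled
+and a URL containing a username is specified.
+.SH "SEE ALSO"
+.BR libcurl-security "(3), ", CURLOPT_PROTOCOLS "(3)"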
@ -114,6 +114,7 @@ man_MANS = \
|
|||||||
CURLOPT_DEBUGFUNCTION.3 \
|
CURLOPT_DEBUGFUNCTION.3 \
|
||||||
CURLOPT_DEFAULT_PROTOCOL.3 \
|
CURLOPT_DEFAULT_PROTOCOL.3 \
|
||||||
CURLOPT_DIRLISTONLY.3 \
|
CURLOPT_DIRLISTONLY.3 \
|
||||||
|
CURLOPT_DISALLOW_USERNAME_IN_URL.3 \
|
||||||
CURLOPT_DNS_CACHE_TIMEOUT.3 \
|
CURLOPT_DNS_CACHE_TIMEOUT.3 \
|
||||||
CURLOPT_DNS_INTERFACE.3 \
|
CURLOPT_DNS_INTERFACE.3 \
|
||||||
CURLOPT_DNS_LOCAL_IP4.3 \
|
CURLOPT_DNS_LOCAL_IP4.3 \
|
||||||
|
@ -376,6 +376,7 @@ CURLOPT_DEBUGDATA 7.9.6
|
|||||||
CURLOPT_DEBUGFUNCTION 7.9.6
|
CURLOPT_DEBUGFUNCTION 7.9.6
|
||||||
CURLOPT_DEFAULT_PROTOCOL 7.45.0
|
CURLOPT_DEFAULT_PROTOCOL 7.45.0
|
||||||
CURLOPT_DIRLISTONLY 7.17.0
|
CURLOPT_DIRLISTONLY 7.17.0
|
||||||
|
CURLOPT_DISALLOW_USERNAME_IN_URL 7.61.0
|
||||||
CURLOPT_DNS_CACHE_TIMEOUT 7.9.3
|
CURLOPT_DNS_CACHE_TIMEOUT 7.9.3
|
||||||
CURLOPT_DNS_INTERFACE 7.33.0
|
CURLOPT_DNS_INTERFACE 7.33.0
|
||||||
CURLOPT_DNS_LOCAL_IP4 7.33.0
|
CURLOPT_DNS_LOCAL_IP4 7.33.0
|
||||||
|
@ -1853,6 +1853,9 @@ typedef enum {
|
|||||||
CINIT(TLS13_CIPHERS, STRINGPOINT, 276),
|
CINIT(TLS13_CIPHERS, STRINGPOINT, 276),
|
||||||
CINIT(PROXY_TLS13_CIPHERS, STRINGPOINT, 277),
|
CINIT(PROXY_TLS13_CIPHERS, STRINGPOINT, 277),
|
||||||
|
|
||||||
|
/* Disallow specifying username/login in URL. */
|
||||||
|
CINIT(DISALLOW_USERNAME_IN_URL, LONG, 278),
|
||||||
|
|
||||||
CURLOPT_LASTENTRY /* the last unused */
|
CURLOPT_LASTENTRY /* the last unused */
|
||||||
} CURLoption;
|
} CURLoption;
|
||||||
|
|
||||||
|
@ -2590,6 +2590,10 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
|||||||
case CURLOPT_DNS_SHUFFLE_ADDRESSES:
|
case CURLOPT_DNS_SHUFFLE_ADDRESSES:
|
||||||
data->set.dns_shuffle_addresses = (0 != va_arg(param, long)) ? TRUE:FALSE;
|
data->set.dns_shuffle_addresses = (0 != va_arg(param, long)) ? TRUE:FALSE;
|
||||||
break;
|
break;
|
||||||
|
case CURLOPT_DISALLOW_USERNAME_IN_URL:
|
||||||
|
data->set.disallow_username_in_url =
|
||||||
|
(0 != va_arg(param, long)) ? TRUE : FALSE;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
/* unknown tag and its companion, just ignore: */
|
/* unknown tag and its companion, just ignore: */
|
||||||
result = CURLE_UNKNOWN_OPTION;
|
result = CURLE_UNKNOWN_OPTION;
|
||||||
|
@ -3170,6 +3170,13 @@ static CURLcode parse_url_login(struct Curl_easy *data,
|
|||||||
if(userp) {
|
if(userp) {
|
||||||
char *newname;
|
char *newname;
|
||||||
|
|
||||||
|
if(data->set.disallow_username_in_url) {
|
||||||
|
failf(data, "Option DISALLOW_USERNAME_IN_URL is set "
|
||||||
|
"and url contains username.");
|
||||||
|
result = CURLE_LOGIN_DENIED;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
/* We have a user in the URL */
|
/* We have a user in the URL */
|
||||||
conn->bits.userpwd_in_url = TRUE;
|
conn->bits.userpwd_in_url = TRUE;
|
||||||
conn->bits.user_passwd = TRUE; /* enable user+password */
|
conn->bits.user_passwd = TRUE; /* enable user+password */
|
||||||
|
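Review bot: The new rejection sits inside `if(userp)`, so it fires only when the login parser produced a user string; whether a URL whose userinfo carries just a password or login options (empty user part) also reaches it depends on code above the hunk that is not shown, and should be confirmed. If such URLs leave `userp` NULL they would still be accepted with the option set, which undercuts the goal of keeping credentials out of URLs; testing the option before the `if(userp)` branch, against any parsed login component, would close that. The visible lines also carry no scheme condition, while the command-line doc says `Protocols: HTTP` and the man page says `Several`, so one of the two docs should be corrected to match. parse_url_login starts and ends outside the hunk, including the `out` label the new `goto` relies on.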
@ -1689,6 +1689,7 @@ struct UserDefined {
|
|||||||
curl_resolver_start_callback resolver_start; /* optional callback called
|
curl_resolver_start_callback resolver_start; /* optional callback called
|
||||||
before resolver start */
|
before resolver start */
|
||||||
void *resolver_start_client; /* pointer to pass to resolver start callback */
|
void *resolver_start_client; /* pointer to pass to resolver start callback */
|
||||||
|
bool disallow_username_in_url; /* disallow username in url */
|
||||||
};
|
};
|
||||||
|
|
||||||
struct Names {
|
struct Names {
|
||||||
|
@ -255,6 +255,7 @@ struct OperationConfig {
|
|||||||
long happy_eyeballs_timeout_ms; /* happy eyeballs timeout in milliseconds.
|
long happy_eyeballs_timeout_ms; /* happy eyeballs timeout in milliseconds.
|
||||||
0 is valid. default: CURL_HET_DEFAULT. */
|
0 is valid. default: CURL_HET_DEFAULT. */
|
||||||
bool haproxy_protocol; /* whether to send HAProxy protocol v1 */
|
bool haproxy_protocol; /* whether to send HAProxy protocol v1 */
|
||||||
|
bool disallow_username_in_url; /* disallow usernames in URLs */
|
||||||
struct GlobalConfig *global;
|
struct GlobalConfig *global;
|
||||||
struct OperationConfig *prev;
|
struct OperationConfig *prev;
|
||||||
struct OperationConfig *next; /* Always last in the struct */
|
struct OperationConfig *next; /* Always last in the struct */
|
||||||
|
@ -82,6 +82,7 @@ static const struct LongShort aliases[]= {
|
|||||||
{"*d", "ciphers", ARG_STRING},
|
{"*d", "ciphers", ARG_STRING},
|
||||||
{"*D", "dns-interface", ARG_STRING},
|
{"*D", "dns-interface", ARG_STRING},
|
||||||
{"*e", "disable-epsv", ARG_BOOL},
|
{"*e", "disable-epsv", ARG_BOOL},
|
||||||
|
{"*f", "disallow-username-in-url", ARG_BOOL},
|
||||||
{"*E", "epsv", ARG_BOOL},
|
{"*E", "epsv", ARG_BOOL},
|
||||||
/* 'epsv' made like this to make --no-epsv and --epsv to work
|
/* 'epsv' made like this to make --no-epsv and --epsv to work
|
||||||
although --disable-epsv is the documented option */
|
although --disable-epsv is the documented option */
|
||||||
@ -621,6 +622,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
|
|||||||
case 'e': /* --disable-epsv */
|
case 'e': /* --disable-epsv */
|
||||||
config->disable_epsv = toggle;
|
config->disable_epsv = toggle;
|
||||||
break;
|
break;
|
||||||
|
case 'f': /* --disallow-username-in-url */
|
||||||
|
config->disallow_username_in_url = toggle;
|
||||||
|
break;
|
||||||
case 'E': /* --epsv */
|
case 'E': /* --epsv */
|
||||||
config->disable_epsv = (!toggle)?TRUE:FALSE;
|
config->disable_epsv = (!toggle)?TRUE:FALSE;
|
||||||
break;
|
break;
|
||||||
|
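Review bot: `config->disallow_username_in_url = toggle;` makes this an ordinary ARG_BOOL switch, so, like the `--no-epsv` form mentioned in the comment just above, a later `--no-disallow-username-in-url` on the same command line presumably clears it again, and the flag is stored in the per-operation config rather than globally. Anyone relying on the option as a guard in a wrapper that appends caller-supplied arguments needs to know that, so I would state it in the option's documentation, e.g. `This setting applies per operation and the last occurrence on the command line wins.` getparameter's switch continues outside both hunks.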
@ -108,6 +108,8 @@ static const struct helptxt helptext[] = {
|
|||||||
"Inhibit using EPRT or LPRT"},
|
"Inhibit using EPRT or LPRT"},
|
||||||
{" --disable-epsv",
|
{" --disable-epsv",
|
||||||
"Inhibit using EPSV"},
|
"Inhibit using EPSV"},
|
||||||
|
{" --disallow-username-in-url",
|
||||||
|
"Disallow username in url"},
|
||||||
{" --dns-interface <interface>",
|
{" --dns-interface <interface>",
|
||||||
"Interface to use for DNS requests"},
|
"Interface to use for DNS requests"},
|
||||||
{" --dns-ipv4-addr <address>",
|
{" --dns-ipv4-addr <address>",
|
||||||
|
@ -1474,6 +1474,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
|
|||||||
if(config->haproxy_protocol)
|
if(config->haproxy_protocol)
|
||||||
my_setopt(curl, CURLOPT_HAPROXYPROTOCOL, 1L);
|
my_setopt(curl, CURLOPT_HAPROXYPROTOCOL, 1L);
|
||||||
|
|
||||||
|
if(config->disallow_username_in_url)
|
||||||
|
my_setopt(curl, CURLOPT_DISALLOW_USERNAME_IN_URL, 1L);
|
||||||
|
|
||||||
/* initialize retry vars for loop below */
|
/* initialize retry vars for loop below */
|
||||||
retry_sleep_default = (config->retry_delay) ?
|
retry_sleep_default = (config->retry_delay) ?
|
||||||
config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
|
config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */
|
||||||
|
@ -196,6 +196,6 @@ test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
|
|||||||
test2064 test2065 test2066 test2067 test2068 test2069 \
|
test2064 test2065 test2066 test2067 test2068 test2069 \
|
||||||
\
|
\
|
||||||
test2070 test2071 test2072 test2073 \
|
test2070 test2071 test2072 test2073 \
|
||||||
test2074 \
|
test2074 test2075 \
|
||||||
\
|
\
|
||||||
test3000 test3001
|
test3000 test3001
|
||||||
|
34
tests/data/test2075
Normal file
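--- a/tests/data/test2075
+++ b/tests/data/test2075
@@ -0,0 +1,34 @@
+<testcase>
+<info>
+<keywords>
+--disallow-username-in-url
+HTTP
+</keywords>
+</info>
+
+#
+# Client-side
+<client>
+<features>
+http
+</features>
+<server>
+none
+</server>
+<name>
+Verify usernames are not allowed in url
+</name>
+<command>
+--disallow-username-in-url http://username:password@example.com/
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# CURLE_LOGIN_DENIED is code 67
+<errorcode>
+67
+</errorcode>
+</verify>
+</testcase>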
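Review bot: The test pins only the rejection path, a single HTTP URL with both user and password returning error 67; nothing in this commit checks that a URL without userinfo still transfers when `--disallow-username-in-url` is set. A companion case with the option and a credential-free URL would cover the condition in the other direction, and cases for a user-only URL and for a non-HTTP scheme would settle which of the two documented protocol scopes (`HTTP` in the command-line doc, `Several` in the man page) is the real one. Because `<server>` is `none` here, the positive case would need its own test file with a server section.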