mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 07:38:49 -05:00
sasl: Don't use GSSAPI authentication when domain name not specified
Only choose the GSSAPI authentication mechanism when the user name contains a Windows domain name or the user is a valid UPN. Fixes #718
This commit is contained in:
parent
43dbd76616
commit
a78c61a4bf
@ -288,7 +288,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
|
||||
}
|
||||
else if(conn->bits.user_passwd) {
|
||||
#if defined(USE_KERBEROS5)
|
||||
if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported()) {
|
||||
if((enabledmechs & SASL_MECH_GSSAPI) && Curl_auth_is_gssapi_supported() &&
|
||||
Curl_auth_user_contains_domain(conn->user)) {
|
||||
sasl->mutual_auth = FALSE; /* TODO: Calculate mutual authentication */
|
||||
mech = SASL_MECH_STRING_GSSAPI;
|
||||
state1 = SASL_GSSAPI;
|
||||
|
@ -104,3 +104,44 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host,
|
||||
}
|
||||
#endif /* USE_WINDOWS_SSPI */
|
||||
|
||||
/*
|
||||
* Curl_auth_user_contains_domain()
|
||||
*
|
||||
* This is used to test if the specified user contains a Windows domain name as
|
||||
* follows:
|
||||
*
|
||||
* User\Domain (Down-level Logon Name)
|
||||
* User/Domain (curl Down-level format - for compatibility with existing code)
|
||||
* User@Domain (User Principal Name)
|
||||
*
|
||||
* Note: The user name may be empty when using a GSS-API library or Windows SSPI
|
||||
* as the user and domain are either obtained from the credientals cache when
|
||||
* using GSS-API or via the currently logged in user's credientals when using
|
||||
* Windows SSPI.
|
||||
*
|
||||
* Parameters:
|
||||
*
|
||||
* user [in] - The user name.
|
||||
*
|
||||
* Returns TRUE on success; otherwise FALSE.
|
||||
*/
|
||||
bool Curl_auth_user_contains_domain(const char *user)
|
||||
{
|
||||
bool valid = FALSE;
|
||||
|
||||
if(user && *user) {
|
||||
/* Check we have a domain name or UPN present */
|
||||
char *p = strpbrk(user, "\\/@");
|
||||
|
||||
valid = (p != NULL && p > user && p < user + strlen(user) - 1 ? TRUE :
|
||||
FALSE);
|
||||
}
|
||||
#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
|
||||
else
|
||||
/* User and domain are obtained from the GSS-API credientials cache or the
|
||||
currently logged in user from Windows */
|
||||
valid = TRUE;
|
||||
#endif
|
||||
|
||||
return valid;
|
||||
}
|
||||
|
@ -55,6 +55,9 @@ TCHAR *Curl_auth_build_spn(const char *service, const char *host,
|
||||
const char *realm);
|
||||
#endif
|
||||
|
||||
/* This is used to test if the user contains a Windows domain name */
|
||||
bool Curl_auth_user_contains_domain(const char *user);
|
||||
|
||||
/* This is used to generate a base64 encoded PLAIN cleartext message */
|
||||
CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
|
||||
const char *userp,
|
||||
|
Loading…
Reference in New Issue
Block a user