moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 22:45:03 -05:00
Code Issues Releases Wiki Activity

url: accept "any length" credentials for proxy auth

Browse Source 
They're only limited to the maximum string input restrictions, not to
256 bytes.

Added test 1178 to verify

Reported-by: Will Roberts
Fixes #5448
Closes #5449
This commit is contained in:
Daniel Stenberg 2020-05-25 15:38:36 +02:00
parent 96f52abf80
commit ad829b21ae
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
5 changed files with 70 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/escape.c
View File

@ -134,12 +134,17 @@ CURLcode Curl_urldecode(struct Curl_easy *data,
char **ostring, size_t *olen, char **ostring, size_t *olen,
bool reject_ctrl) bool reject_ctrl)
{ {
size_t alloc = (length?length:strlen(string)) + 1; size_t alloc;
char *ns = malloc(alloc); char *ns;
size_t strindex = 0; size_t strindex = 0;
unsigned long hex; unsigned long hex;
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
DEBUGASSERT(string);
alloc = (length?length:strlen(string)) + 1;
ns = malloc(alloc);
if(!ns) if(!ns)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;

24
lib/url.c
View File

@ -2355,24 +2355,14 @@ static CURLcode parse_proxy(struct Curl_easy *data,
static CURLcode parse_proxy_auth(struct Curl_easy *data, static CURLcode parse_proxy_auth(struct Curl_easy *data,
struct connectdata *conn) struct connectdata *conn)
{ {
char proxyuser[MAX_CURL_USER_LENGTH]=""; char *proxyuser = data->set.str[STRING_PROXYUSERNAME];
char proxypasswd[MAX_CURL_PASSWORD_LENGTH]=""; char *proxypasswd = data->set.str[STRING_PROXYPASSWORD];
CURLcode result; CURLcode result = CURLE_OK;
if(data->set.str[STRING_PROXYUSERNAME] != NULL) { if(proxyuser)
strncpy(proxyuser, data->set.str[STRING_PROXYUSERNAME], result = Curl_urldecode(data, proxyuser, 0, &conn->http_proxy.user, NULL,
MAX_CURL_USER_LENGTH); FALSE);
proxyuser[MAX_CURL_USER_LENGTH-1] = '\0'; /*To be on safe side*/ if(!result && proxypasswd)
}
if(data->set.str[STRING_PROXYPASSWORD] != NULL) {
strncpy(proxypasswd, data->set.str[STRING_PROXYPASSWORD],
MAX_CURL_PASSWORD_LENGTH);
proxypasswd[MAX_CURL_PASSWORD_LENGTH-1] = '\0'; /*To be on safe side*/
}
result = Curl_urldecode(data, proxyuser, 0, &conn->http_proxy.user, NULL,
FALSE);
if(!result)
result = Curl_urldecode(data, proxypasswd, 0, &conn->http_proxy.passwd, result = Curl_urldecode(data, proxypasswd, 0, &conn->http_proxy.passwd,
NULL, FALSE); NULL, FALSE);
return result; return result;

11
lib/urldata.h
View File

@ -1228,17 +1228,6 @@ typedef enum {
RTSPREQ_LAST /* last in list */ RTSPREQ_LAST /* last in list */
} Curl_RtspReq; } Curl_RtspReq;
/*
* Values that are generated, temporary or calculated internally for a
* "session handle" must be defined within the 'struct UrlState'. This struct
* will be used within the Curl_easy struct. When the 'Curl_easy'
* struct is cloned, this data MUST NOT be copied.
*
* Remember that any "state" information goes globally for the curl handle.
* Session-data MUST be put in the connectdata struct and here. */
#define MAX_CURL_USER_LENGTH 256
#define MAX_CURL_PASSWORD_LENGTH 256
struct auth { struct auth {
unsigned long want; /* Bitmask set to the authentication methods wanted by unsigned long want; /* Bitmask set to the authentication methods wanted by
app (with CURLOPT_HTTPAUTH or CURLOPT_PROXYAUTH). */ app (with CURLOPT_HTTPAUTH or CURLOPT_PROXYAUTH). */

1
tests/data/Makefile.inc
View File

@ -139,6 +139,7 @@ test1160 test1161 test1162 test1163 test1164 test1165 test1166 test1167 \
test1168 \ test1168 \
\ \
test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 \ test1170 test1171 test1172 test1173 test1174 test1175 test1176 test1177 \
test1178 \
\ \
test1190 test1191 test1192 test1193 test1194 test1195 test1196 \ test1190 test1191 test1192 test1193 test1194 test1195 test1196 \
\ \

55
tests/data/test1178 Normal file
View File

@ -0,0 +1,55 @@
<testcase>
<info>
<keywords>
HTTP
HTTP GET
HTTP proxy
</keywords>
</info>
#
# Server-side
<reply>
<data>
HTTP/1.1 200 OK
Date: Thu, 09 Nov 2010 14:49:00 GMT
Server: test-server/fake swsclose
Content-Type: text/html
Funny-head: yesyes
</data>
</reply>
#
# Client-side
<client>
<server>
http
</server>
<name>
HTTP proxy auth with credentials longer than 256 bytes
</name>
# 400 x 'A' : 600 x 'B' ...
<command>
http://%HOSTIP:%HTTPPORT/we/want/that/page/1178 -x http://%HOSTIP:%HTTPPORT -U AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
</command>
<features>
proxy
</features>
</client>
#
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET http://%HOSTIP:%HTTPPORT/we/want/that/page/1178 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Proxy-Authorization: Basic QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQTpCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI=
Accept: */*
Proxy-Connection: Keep-Alive
</protocol>
</verify>
</testcase>