From af32cd3859336ab963591ca0df9b1e33a7ee066b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 19 Jan 2018 13:19:25 +0100 Subject: [PATCH] http: prevent custom Authorization headers in redirects ... unless CURLOPT_UNRESTRICTED_AUTH is set to allow them. This matches how curl already handles Authorization headers created internally. Note: this changes behavior slightly, for the sake of reducing mistakes. Added test 317 and 318 to verify. Reported-by: Craig de Stigter Bug: https://curl.haxx.se/docs/adv_2018-b3bf.html --- docs/libcurl/opts/CURLOPT_HTTPHEADER.3 | 12 +++- lib/http.c | 10 ++- lib/setopt.c | 2 +- lib/urldata.h | 2 +- tests/data/Makefile.inc | 2 +- tests/data/test317 | 94 +++++++++++++++++++++++++ tests/data/test318 | 95 ++++++++++++++++++++++++++ 7 files changed, 212 insertions(+), 5 deletions(-) create mode 100644 tests/data/test317 create mode 100644 tests/data/test318 --- a/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 +++ b/docs/libcurl/opts/CURLOPT_HTTPHEADER.3 @@ -5,7 +5,7 @@ .\" * | (__| |_| | _ <| |___ .\" * \___|\___/|_| \_\_____| .\" * -.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. +.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. .\" * .\" * This software is licensed as described in the file COPYING, which .\" * you should have received as part of this distribution. The terms @@ -77,6 +77,16 @@ the headers. They may be private or othe Use \fICURLOPT_HEADEROPT(3)\fP to make the headers only get sent to where you intend them to get sent. + +Custom headers are sent in all requests done by the easy handles, which +implies that if you tell libcurl to follow redirects +(\fBCURLOPT_FOLLOWLOCATION(3)\fP), the same set of custom headers will be sent +in the subsequent request. Redirects can of course go to other hosts and thus +those servers will get all the contents of your custom headers too. + +Starting in 7.58.0, libcurl will specifically prevent "Authorization:" headers +from being sent to other hosts than the first used one, unless specifically +permitted with the \fBCURLOPT_UNRESTRICTED_AUTH(3)\fP option. .SH DEFAULT NULL .SH PROTOCOLS --- a/lib/http.c +++ b/lib/http.c @@ -725,7 +725,7 @@ Curl_http_output_auth(struct connectdata if(!data->state.this_is_a_follow || conn->bits.netrc || !data->state.first_host || - data->set.http_disable_hostname_check_before_authentication || + data->set.allow_auth_to_other_hosts || strcasecompare(data->state.first_host, conn->host.name)) { result = output_auth_headers(conn, authhost, request, path, FALSE); } @@ -1624,6 +1624,14 @@ CURLcode Curl_add_custom_headers(struct checkprefix("Transfer-Encoding:", headers->data)) /* HTTP/2 doesn't support chunked requests */ ; + else if(checkprefix("Authorization:", headers->data) && + /* be careful of sending this potentially sensitive header to + other hosts */ + (data->state.this_is_a_follow && + data->state.first_host && + !data->set.allow_auth_to_other_hosts && + !strcasecompare(data->state.first_host, conn->host.name))) + ; else { CURLcode result = Curl_add_bufferf(req_buffer, "%s\r\n", headers->data); --- a/lib/url.c +++ b/lib/url.c @@ -972,7 +972,7 @@ CURLcode Curl_setopt(struct Curl_easy *d * Send authentication (user+password) when following locations, even when * hostname changed. */ - data->set.http_disable_hostname_check_before_authentication = + data->set.allow_auth_to_other_hosts = (0 != va_arg(param, long)) ? TRUE : FALSE; break; --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1675,7 +1675,7 @@ struct UserDefined { bool http_keep_sending_on_error; /* for HTTP status codes >= 300 */ bool http_follow_location; /* follow HTTP redirects */ bool http_transfer_encoding; /* request compressed HTTP transfer-encoding */ - bool http_disable_hostname_check_before_authentication; + bool allow_auth_to_other_hosts; bool include_header; /* include received protocol headers in data output */ bool http_set_referer; /* is a custom referer used */ bool http_auto_referer; /* set "correct" referer when following location: */