Mercurial Mercurial > upstream > oracle > userland-gate / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/curl/patches/014-CVE-2016-8616.patch
changeset 7552 17fdfad41903
equal deleted inserted replaced
7551:d7da0f26b875 7552:17fdfad41903 
       
     1 From cef510beb222ab5750afcac2c74fcbcdc31ada64 Mon Sep 17 00:00:00 2001
 
       
     2 From: Daniel Stenberg <[email protected]>
 
       
     3 Date: Tue, 27 Sep 2016 18:01:53 +0200
 
       
     4 Subject: [PATCH] connectionexists: use case sensitive user/password
 
       
     5  comparisons
 
       
     6 
       
     7 CVE-2016-8616
 
       
     8 
       
     9 Bug: https://curl.haxx.se/docs/adv_20161102B.html
 
       
    10 Reported-by: Cure53
 
       
    11 ---
 
       
    12  lib/url.c | 12 ++++++------
 
       
    13  1 file changed, 6 insertions(+), 6 deletions(-)
 
       
    14 
       
    15 --- lib/url.c
 
       
    16 +++ lib/url.c
 
       
    17 @@ -3401,12 +3401,12 @@ ConnectionExists(struct Curl_easy *data,
 
       
    18        }
 
       
    19  
       
    20        if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
 
       
    21          /* This protocol requires credentials per connection,
 
       
    22             so verify that we're using the same name and password as well */
 
       
    23 -        if(!strequal(needle->user, check->user) ||
 
       
    24 -           !strequal(needle->passwd, check->passwd)) {
 
       
    25 +        if(strcmp(needle->user, check->user) ||
 
       
    26 +           strcmp(needle->passwd, check->passwd)) {
 
       
    27            /* one of them was different */
 
       
    28            continue;
 
       
    29          }
 
       
    30        }
 
       
    31  
       
    32 @@ -3462,12 +3462,12 @@ ConnectionExists(struct Curl_easy *data,
 
       
    33             already authenticating with the right credentials. If not, keep
 
       
    34             looking so that we can reuse NTLM connections if
 
       
    35             possible. (Especially we must not reuse the same connection if
 
       
    36             partway through a handshake!) */
 
       
    37          if(wantNTLMhttp) {
 
       
    38 -          if(!strequal(needle->user, check->user) ||
 
       
    39 -             !strequal(needle->passwd, check->passwd))
 
       
    40 +          if(strcmp(needle->user, check->user) ||
 
       
    41 +             strcmp(needle->passwd, check->passwd))
 
       
    42              continue;
 
       
    43          }
 
       
    44          else if(check->ntlm.state != NTLMSTATE_NONE) {
 
       
    45            /* Connection is using NTLM auth but we don't want NTLM */
 
       
    46            continue;
 
       
    47 @@ -3477,8 +3477,8 @@ ConnectionExists(struct SessionHandle *data,
 
       
    48          if(wantProxyNTLMhttp) {
 
       
    49 -          if(!strequal(needle->proxyuser, check->proxyuser) ||
 
       
    50 -             !strequal(needle->proxypasswd, check->proxypasswd))
 
       
    51 +          if(strcmp(needle->proxyuser, check->proxyuser) ||
 
       
    52 +             strcmp(needle->proxypasswd, check->proxypasswd))
 
       
    53              continue;
 
       
    54          }
 
       
    55          else if(check->proxyntlm.state != NTLMSTATE_NONE) {
 
       
    56            /* Proxy connection is using NTLM auth but we don't want NTLM */
 
       
    57            continue;
 
       
    58 -- 
       
    59 2.9.3
 
       
    60
upstream/oracle/userland-gate