WARNING! Gitlab maintenance operation scheduled for Monday, 20 April between 12:00 and 14:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.

Commit 31be461c authored Apr 16, 2015 by Daniel Stenberg

ConnectionExists: for NTLM re-use, require credentials to match

CVE-2015-3143

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia

parent 6088fbce

lib/url.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -3209,7 +3209,7 @@ ConnectionExists(struct SessionHandle *data,
		}

		if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) \|\|
		wantNTLMhttp) {
		(wantNTLMhttp \|\| check->ntlm.state != NTLMSTATE_NONE)) {
		/* This protocol requires credentials per connection or is HTTP+NTLM,
		so verify that we're using the same name and password as well */
		if(!strequal(needle->user, check->user) \|\|

Admin message