From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 3 Jan 2025 16:22:27 +0100
Subject: [PATCH] netrc: 'default' with no credentials is not a match

Test 486 verifies.
Reported-by: Yihang Zhou
Closes #15908
Changes:
- Test files are added in Makefile.inc.
- Adjust `%LOGDIR/` to 'log/' due to its absence in code.
CVE: CVE-2025-0167
Upstream-Status: Backport [https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb]
Signed-off-by: Yogita Urade
---
 lib/netrc.c | 7 ++-
 tests/data/Makefile.in | 2 +
 tests/data/test486 | 105 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 113 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/test486
diff --git a/lib/netrc.c b/lib/netrc.c
index 23080b3..6d87007 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -205,12 +205,17 @@ static int parsenetrc(const char *host,
 } /* while fgets() */
 out:
- if(!retcode && !password && our_login) {
+ if(!retcode) {
+ if(!password && our_login) {
 /* success without a password, set a blank one */
 password = strdup("");
 if(!password)
 retcode = 1; /* out of memory */
 }
+ else if(!login && !password)
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
+ }
 if(!retcode) {
 /* success */
 *login_changed = FALSE;
diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in
index 3da7d31..5a3ec48 100644
--- a/tests/data/Makefile.in
+++ b/tests/data/Makefile.in
@@ -431,6 +431,8 @@ test409 test410 \
 \
 test430 test431 test432 test433 test434 test435 test436 \
 \
+test486 \
+\
 test490 test491 test492 test493 test494 \
 \
 test500 test501 test502 test503 test504 test505 test506 test507 test508 \
diff --git a/tests/data/test486 b/tests/data/test486
new file mode 100644
index 0000000..6926092
--- /dev/null
+++ b/tests/data/test486
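Review bot: The `else if(!login && !password)` branch signals a credential-less `default` entry with `retcode = NETRC_FILE_MISSING`, which makes "entry matched but is empty" indistinguishable from "no netrc file" and leaves the fix resting on how the caller reacts to that code; the caller, and the start and end of parsenetrc, are outside this hunk. A comment recording the intent would help the next reader, for example `/* a 'default' with neither login nor password is not a match: report it like a missing file so no credentials are applied for this host */`. The branch also puts a comment between an unbraced condition and its single statement; bracing it, `else if(!login && !password) {` … `}`, would match the braced branch above and keep a later added line from running unconditionally.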
@@ -0,0 +1,105 @@
+
+
+
+netrc
+HTTP
+
+
+#
+# Server-side
+
+
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+-foo-
+
+
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+
+
+
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+
+
+
+#
+# Client-side
+
+
+http
+
+
+proxy
+
+
+.netrc with redirect and "default" with no password or login
+
+
+--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
+
+
+
+machine a.com
+ login alice
+ password alicespassword
+
+default
+
+
+
+
+
+
+GET http://a.com/ HTTP/1.1
+Host: a.com
+Authorization: Basic %b64[alice:alicespassword]b64%
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://b.com/%TESTNUMBER0002 HTTP/1.1
+Host: b.com
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+
+
+
--
2.40.0
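Review bot: test486 is registered only through the `+test486 \` line in tests/data/Makefile.in, while the description says the test files were added in Makefile.inc; if Makefile.in is regenerated from Makefile.inc during the build (not visible here), that entry would not survive. Adding the same `test486 \` line to tests/data/Makefile.inc, or correcting the description, would remove the doubt. The netrc fixture also covers only a bare `default`; a sibling case where `default` carries a login but no password would pin down which branch of the new check in lib/netrc.c handles it.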