On 04.05.21 08:59, Josef Moellers wrote:
> Hi,
>
> I'm currently trying to tackle the CVE about passing credentials to
> redirected servers.
> I wonder if it may be necessary to be able to disable this feature, if
> one trusts the servers, ie if some kind of command-line option might be
> necessary.
After having run up and down the wrong alley for a few days (I had been thinking that these were the "real" credentials, e.g. passed with "https://user:pass@host/"), I have finally found a solution:

1) initializing "location_changed" to 0 in src/retr.c::retrieve_url()
2) passing the current value of "location_changed" to src/http.c::http_loop()
3) passing it on to gethttp()
4) preventing setting up any dangerous user header lines (e.g. "Authorization:", "Cookie:") when "location_changed" is non-0.

An alternative could be to just set up every header as is done now and THEN discard anything dangerous, i.e. after adding the user headers go through req->headers[] and throw away any header with name "Authorization" or "Cookie".

The question that remains is whether this should be done unconditionally or whether it should be made configurable, e.g. through a "--trust-redirections" option.

Thanks,

Josef

-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
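As an added illustration of the "alternative" approach above (this is not wget's code and not the patch Josef describes), a stand-alone C sketch that discards Authorization and Cookie headers from a simplified request once a redirect has been followed. The `struct request`, `strip_sensitive_headers`, `demo` and the `trust_redirections` flag standing in for a hypothetical "--trust-redirections" option are all assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for wget's req->headers[]: a small array of
 * "Name: value" lines (not wget's real request structure). */
#define MAX_HEADERS 16
struct request {
    const char *headers[MAX_HEADERS];
    int count;
};

/* Header names the message calls "dangerous" to forward on a redirect. */
static const char *const sensitive[] = { "Authorization", "Cookie", NULL };

/* True if the line carries one of the sensitive field names; HTTP field
 * names are case-insensitive, so "cookie:" must match too. */
static bool is_sensitive(const char *line)
{
    for (int i = 0; sensitive[i]; i++) {
        size_t n = strlen(sensitive[i]);
        if (strncasecmp(line, sensitive[i], n) == 0 && line[n] == ':')
            return true;
    }
    return false;
}

/* After all user headers were added as today, drop the sensitive ones when
 * the request follows a redirect (location_changed != 0) and the assumed
 * trust_redirections option is off. Returns how many headers were removed. */
int strip_sensitive_headers(struct request *req, int location_changed,
                            bool trust_redirections)
{
    if (!location_changed || trust_redirections)
        return 0;
    int kept = 0, removed = 0;
    for (int i = 0; i < req->count; i++) {
        if (is_sensitive(req->headers[i]))
            removed++;
        else
            req->headers[kept++] = req->headers[i];  /* compact in place */
    }
    req->count = kept;
    return removed;
}

/* Constructed sample request (placeholder values) to exercise the check;
 * returns the number of headers stripped for the given flags. */
int demo(int location_changed, bool trust_redirections)
{
    struct request req = { { "Host: example.invalid",
                             "Authorization: Basic <placeholder>",
                             "cookie: session=<placeholder>",
                             "User-Agent: demo" }, 4 };
    return strip_sensitive_headers(&req, location_changed, trust_redirections);
}
```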
