Re: CVE-2021-31879

2021-05-07 Thread Josef Moellers
On 04.05.21 08:59, Josef Moellers wrote:
> Hi,
> 
> I'm currently trying to tackle the CVE about passing credentials to
> redirected servers.
> I wonder if it may be necessary to be able to disable this feature, if
> one trusts the servers, ie if some kind of command-line option might be
> necessary.

After having run up and down the wrong alley for a few days (I had been
thinking that these were the "real" credentials, eg passed with
"https://user:pass@host/"), I have finally found a solution:

1) initializing "location_changed" to 0 in src/retr.c::retrieve_url()
2) passing the current value of "location_changed" to
src/http.c::http_loop()
3) passing it on to gethttp()
4) preventing setting up any dangerous user header lines (eg
"Authorization:", "Cookie:") when "location_changed" is non-0.

An alternative could be to just set up every header as is done now and
THEN discard anything dangerous, ie after adding the user headers go
through req->headers[] and throw away any header with name
"Authorization" or "Cookie".

The question that remains is whether this should be done unconditionally or
whether it should be made configurable, eg through a
"--trust-redirections" option.

Thanks,

Josef
-- 
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5
90409 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer
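Added illustration of the two variants sketched in the message above (the
"skip while location_changed is non-0" approach and the "add, then purge
req->headers[]" alternative); this is not wget's code or Josef's patch, and
struct request, MAX_HEADERS and the function names are hypothetical stand-ins
for src/http.c. Header names are compared case-insensitively, since a
filter that only matches "Authorization" exactly would miss "authorization".

```c
#include <string.h>
#include <strings.h>   /* strcasecmp: HTTP header names are case-insensitive */
#define MAX_HEADERS 16
/* Hypothetical stand-in for wget's req->headers[] (parallel name/value arrays). */
struct request {
    const char *names[MAX_HEADERS];
    const char *values[MAX_HEADERS];
    int count;
};
/* Header names that must not be re-sent to a redirect target. */
static const char *const sensitive[] = { "Authorization", "Cookie", NULL };
static int is_sensitive(const char *name)
{
    for (int i = 0; sensitive[i]; i++)
        if (strcasecmp(name, sensitive[i]) == 0)
            return 1;
    return 0;
}
/* Variant 1 (steps 1-4 in the message): refuse to add a dangerous user header
 * while location_changed is non-0. Returns 1 if added, 0 if dropped, -1 if full. */
int request_add_user_header(struct request *req, const char *name,
                            const char *value, int location_changed)
{
    if (location_changed && is_sensitive(name))
        return 0;
    if (req->count >= MAX_HEADERS)
        return -1;
    req->names[req->count] = name;
    req->values[req->count] = value;
    req->count++;
    return 1;
}
/* Variant 2 (the alternative): add every header as now, then purge after the
 * redirect. Compacts the arrays in place and returns how many were removed. */
int request_strip_sensitive(struct request *req)
{
    int kept = 0, removed = 0;
    for (int i = 0; i < req->count; i++) {
        if (is_sensitive(req->names[i])) { removed++; continue; }
        req->names[kept] = req->names[i];
        req->values[kept] = req->values[i];
        kept++;
    }
    req->count = kept;
    return removed;
}
```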



CVE-2021-31879

2021-05-04 Thread Josef Moellers
Hi,

I'm currently trying to tackle the CVE about passing credentials to
redirected servers.
I wonder if it may be necessary to be able to disable this feature, if
one trusts the servers, ie if some kind of command-line option might be
necessary.

Josef