[PATCH] netrc: address several netrc parser flaws
- make sure that a match that returns a username also returns a
password, that should be blank if no password is found
- fix handling of multiple logins for same host where the password/login
order might be reversed.
- reject credentials provided in the .netrc if they contain ASCII control
codes - if the used protocol does not support such (like HTTP and WS do)
Reported-by: Harry Sintonen
Add test 478, 479 and 480 to verify. Updated unit 1304.
Closes #15586
Backported by: Matheus Polkorny <mpolkorny@gmail.com>
Based on the work of Marc Deslauriers <marc.deslauriers@ubuntu.com>
for curl 7.81.0-1ubuntu1.20.
Changes:
- Refresh patch context.
- Adjust `%LOGDIR/` to 'log/' due to its absence in bookworm.
- Replaces the previous usage of the state_login, state_password, and
state_our_login variables with the found_state enum, which includes the
values NONE, LOGIN, and PASSWORD. As a result, all conditionals and memory
management logic associated with these variables were updated.
- Updates to use password and login instead of s_password and s_login,
which do not exist in the Bookworm version. This change preserves the
same logic while adapting the code to the current structure.
- test478 is disabled as this version of curl does not support searching
for a specific login in the netrc file.
(see https://github.com/curl/curl/issues/8241)
- test480 is disabled as this version of curl does not support quoted or
escaped strings in the netrc file.
(see https://github.com/curl/curl/issues/8908)
- Small change in the Makefile to add a new test.
Gbp-Pq: Name CVE-2024-11053.patch
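
The three behaviours listed in the commit message, sketched as an added example (not code from curl or from this patch). netrc_lookup(), has_ctrl(), the allow_ctrl flag and the return codes are hypothetical names, and the tokenizer is deliberately simplified: whitespace-separated tokens only, no quoting, "default" or "macdef".

```c
#include <stdio.h>
#include <string.h>
enum { NETRC_OK, NETRC_NOMATCH, NETRC_REJECTED };
/* 1 if s holds an ASCII control code (0x01-0x1f or 0x7f) */
static int has_ctrl(const char *s)
{
  for(; *s; s++)
    if((unsigned char)*s < 0x20 || *s == 0x7f)
      return 1;
  return 0;
}
/* Hypothetical simplified lookup. allow_ctrl models a protocol that
   tolerates control codes in credentials. Buffers are len bytes each. */
int netrc_lookup(const char *text, const char *host, char *login,
                 char *password, size_t len, int allow_ctrl)
{
  const char *p = text;
  char tok[256], key[16] = "";
  int in_host = 0, have_login = 0;
  login[0] = password[0] = '\0';   /* password is blank unless found */
  while(*(p += strspn(p, " \t\n"))) {
    size_t n = strcspn(p, " \t\n");
    snprintf(tok, sizeof(tok), "%.*s", (int)n, p);
    p += n;
    if(!key[0]) {                  /* expecting a keyword */
      if(!strcmp(tok, "machine") || !strcmp(tok, "login") ||
         !strcmp(tok, "password"))
        snprintf(key, sizeof(key), "%s", tok);
      continue;
    }
    if(!strcmp(key, "machine")) {  /* a new entry starts here */
      if(have_login)
        break;                     /* never mix in a later entry's password */
      password[0] = '\0';          /* drop a password seen without a login */
      in_host = !strcmp(tok, host);
    }
    else if(in_host && !strcmp(key, "login")) {
      snprintf(login, len, "%s", tok);
      have_login = 1;
    }
    else if(in_host && !strcmp(key, "password"))
      snprintf(password, len, "%s", tok);
    key[0] = '\0';
  }
  if(!have_login) return NETRC_NOMATCH;
  if(!allow_ctrl && (has_ctrl(login) || has_ctrl(password)))
    return NETRC_REJECTED;
  return NETRC_OK;
}
```

The caller decides allow_ctrl per protocol, so the same file can yield usable credentials for one scheme and be rejected for another.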