[PATCH] netrc: 'default' with no credentials is not a match

Test 486 verifies.

Reported-by: Yihang Zhou
Closes #15908

Backported by: Dr. Tobias Quathamer <toddy@debian.org>

Changes:
* Refresh patch context for lib/netrc.c
* Use tests/data/Makefile.inc to add new test instead of
  tests/data/Makefile.am, because that has only been
  introduced in later versions of curl.
* Replace "%LOGDIR" with "log" due to its absence in bookworm.

Gbp-Pq: Name CVE-2025-0167.patch

diff --git a/lib/netrc.c b/lib/netrc.c
index fb1f4955474d0dd347afa931acf8e738eefa6ef8..2df76aa072395d255128e7ceae66737f7c652db9 100644 (file)
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -260,11 +260,16 @@ static int parsenetrc(const char *host,
     } /* while Curl_get_line() */
 
     out:
-    if(!retcode && !password && our_login) {
-      /* success without a password, set a blank one */
-      password = strdup("");
-      if(!password)
-        retcode = 1; /* out of memory */
+    if(!retcode) {
+      if(!password && our_login) {
+        /* success without a password, set a blank one */
+        password = strdup("");
+        if(!password)
+          retcode = 1; /* out of memory */
+      }
+      else if(!login && !password)
+        /* a default with no credentials */
+        retcode = NETRC_FILE_MISSING;
     }
     if(!retcode) {
       /* success */

diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index ceedd387ca4c360f4fe495954f94fd0bf8ce60e2..0f6dd221aca5add32acbe0d38166cf5dd0f2f41b 100644 (file)
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -75,6 +75,7 @@ test430 test431 test432 test433 test434 test435 test436 \
 test440 test441 test442 test443 test444 test445 test446 \
 \
 test478 test479 test480 \
+test486 \
 \
 test490 test491 test492 test493 test494 test495 test496 \
 \

diff --git a/tests/data/test486 b/tests/data/test486
new file mode 100644 (file)
index 0000000..123d54b
--- /dev/null
+++ b/tests/data/test486
@@ -0,0 +1,105 @@
+<testcase>
+<info>
+<keywords>
+netrc
+HTTP
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<data crlf="yes">
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+-foo-
+</data>
+
+<data2 crlf="yes">
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+</data2>
+
+<datacheck crlf="yes">
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+proxy
+</features>
+<name>
+.netrc with redirect and "default" with no password or login
+</name>
+<command>
+--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
+</command>
+<file name="log/netrc%TESTNUMBER" >
+
+machine a.com
+  login alice
+  password alicespassword
+
+default
+
+</file>
+</client>
+
+<verify>
+<protocol>
+GET http://a.com/ HTTP/1.1\r
+Host: a.com\r
+Authorization: Basic %b64[alice:alicespassword]b64%\r
+User-Agent: curl/%VERSION\r
+Accept: */*\r
+Proxy-Connection: Keep-Alive\r
+\r
+GET http://b.com/%TESTNUMBER0002 HTTP/1.1\r
+Host: b.com\r
+User-Agent: curl/%VERSION\r
+Accept: */*\r
+Proxy-Connection: Keep-Alive\r
+\r
+</protocol>
+</verify>
+</testcase>