From 80a5c5a92df9a55607c3395f1c4dd0cf433767fd Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 3 Jan 2025 16:22:27 +0100
Subject: [PATCH] [PATCH] netrc: 'default' with no credentials is not a match
Test 486 verifies.
Reported-by: Yihang Zhou
Closes #15908
Backported by: Dr. Tobias Quathamer
Changes:
* Refresh patch context for lib/netrc.c
* Use tests/data/Makefile.inc to add new test instead of tests/data/Makefile.am, because that has only been introduced in later versions of curl.
* Replace "%LOGDIR" with "log" due to its absence in bookworm.
Gbp-Pq: Name CVE-2025-0167.patch
---
 lib/netrc.c | 15 ++++--
 tests/data/Makefile.inc | 1 +
 tests/data/test486 | 105 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 116 insertions(+), 5 deletions(-)
 create mode 100644 tests/data/test486
diff --git a/lib/netrc.c b/lib/netrc.c
index fb1f4955..2df76aa0 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -260,11 +260,16 @@ static int parsenetrc(const char *host,
 } /* while Curl_get_line() */

 out:
- if(!retcode && !password && our_login) {
- /* success without a password, set a blank one */
- password = strdup("");
- if(!password)
- retcode = 1; /* out of memory */
+ if(!retcode) {
+ if(!password && our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
+ else if(!login && !password)
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
 }
 if(!retcode) {
 /* success */
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index ceedd387..0f6dd221 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -75,6 +75,7 @@ test430 test431 test432 test433 test434 test435 test436 \
 test440 test441 test442 test443 test444 test445 test446 \
 \
 test478 test479 test480 \
+test486 \
 \
 test490 test491 test492 test493 test494 test495 test496 \
 \
diff --git a/tests/data/test486 b/tests/data/test486
new file mode 100644
index 00000000..123d54b7
--- /dev/null
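Review bot: The new `else if(!login && !password)` branch after `out:` in lib/netrc.c reports a credential-less `default` entry by reusing `NETRC_FILE_MISSING`, and its comment says what matched but not why that code is returned. I would expand it to something like `/* a 'default' entry with neither login nor password: return the no-match code so the caller does not treat it as a hit and keep credentials meant for another host */`; the caller's handling is outside this hunk, so that wording should be checked against it. The re-indented out-of-memory path still assigns the bare literal `retcode = 1;`, and if `NETRC_FILE_MISSING` has the same value (its definition is not visible here) callers cannot tell allocation failure from no match, so a named constant or a short comment there would help. parsenetrc's body starts and ends outside the hunk.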
+++ b/tests/data/test486
@@ -0,0 +1,105 @@
+
+
+
+netrc
+HTTP
+
+
+#
+# Server-side
+
+
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+-foo-
+
+
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+
+
+
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+
+
+
+#
+# Client-side
+
+
+http
+
+
+proxy
+
+
+.netrc with redirect and "default" with no password or login
+
+
+--netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
+
+
+
+machine a.com
+ login alice
+ password alicespassword
+
+default
+
+
+
+
+
+
+GET http://a.com/ HTTP/1.1
+Host: a.com
+Authorization: Basic %b64[alice:alicespassword]b64%
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://b.com/%TESTNUMBER0002 HTTP/1.1
+Host: b.com
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+
+
+
-- 2.30.2