From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 3 Jan 2025 16:22:27 +0100 Subject: [PATCH] netrc: 'default' with no credentials is not a match Test 486 verifies. Reported-by: Yihang Zhou Closes #15908 Changes: - Test files are added in Makefile.inc. - Adjust `%LOGDIR/` to 'log/' due to its absence in code. CVE: CVE-2025-0167 Upstream-Status: Backport [https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e] Signed-off-by: Yogita Urade --- lib/netrc.c | 15 ++++-- tests/data/Makefile.inc | 2 +- tests/data/test486 | 105 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 116 insertions(+), 6 deletions(-) create mode 100644 tests/data/test486
diff --git a/lib/netrc.c b/lib/netrc.c
index 64efdc0..5533ecc 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -263,11 +263,16 @@ static int parsenetrc(const char *host,
 out:
 Curl_dyn_free(&buf);
- if(!retcode && !password && our_login) {
- /* success without a password, set a blank one */
- password = strdup("");
- if(!password)
- retcode = 1; /* out of memory */
+ if(!retcode) {
+ if(!password && our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
+ else if(!login && !password)
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
 }
 if(!retcode) {
 /* success */
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index e3508cb..7a8074f 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
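Review bot: The new `else if(!login && !password)` branch reports a `default` entry that matched without credentials as `NETRC_FILE_MISSING`, a code whose name says the file is absent, and the short comment does not explain that this is deliberate. I would expand it to `/* a default with no credentials is not a match: return the no-match code instead of success */`, and brace the branch since a comment sits between the condition and its statement. The check fires only when both locals are NULL; their initialisation is outside the hunk, so if a caller can pre-seed `login`, a credential-less `default` presumably still reaches the success path, which is worth confirming with a test next to 486. parsenetrc's body starts and ends outside the hunk.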
@@ -73,7 +73,7 @@ test426 test427 test428 test429 test430 test431 test432 test433 test434 \
 test435 test436 test437 test438 test439 test440 test441 test442 test443 \
 test444 test445 test446 test447 test448 test449 test450 test451 test452 \
 test453 test454 test455 test456 test457 test458 test459 test460 test461 \
-test462 test463 test467 test468 test478 test479 test480 \
+test462 test463 test467 test468 test478 test479 test480 test486 \
 \
 test490 test491 test492 test493 test494 test495 test496 test497 test498 \
 test499 test500 test501 test502 test503 test504 test505 test506 test507 \
diff --git a/tests/data/test486 b/tests/data/test486
new file mode 100644
index 0000000..093899e
--- /dev/null
+++ b/tests/data/test486
@@ -0,0 +1,105 @@
+
+
+
+ netrc
+ HTTP
+
+
+ #
+ # Server-side
+
+
+ HTTP/1.1 301 Follow this you fool
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ ETag: "21025-dc7-39462498"
+ Accept-Ranges: bytes
+ Content-Length: 6
+ Connection: close
+ Location: http://b.com/%TESTNUMBER0002
+
+ -foo-
+
+
+
+ HTTP/1.1 200 OK
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ ETag: "21025-dc7-39462498"
+ Accept-Ranges: bytes
+ Content-Length: 7
+ Connection: close
+
+ target
+
+
+
+ HTTP/1.1 301 Follow this you fool
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ ETag: "21025-dc7-39462498"
+ Accept-Ranges: bytes
+ Content-Length: 6
+ Connection: close
+ Location: http://b.com/%TESTNUMBER0002
+
+ HTTP/1.1 200 OK
+ Date: Tue, 09 Nov 2010 14:49:00 GMT
+ Server: test-server/fake
+ Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ ETag: "21025-dc7-39462498"
+ Accept-Ranges: bytes
+ Content-Length: 7
+ Connection: close
+
+ target
+
+
+
+ #
+ # Client-side
+
+
+ http
+
+
+ proxy
+
+
+ .netrc with redirect and "default" with no password or login
+
+
+ --netrc --netrc-file log/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
+
+
+
+ machine a.com
+ login alice
+ password alicespassword
+
+ default
+
+
+
+
+
+ GET http://a.com/ HTTP/1.1
+ Host: a.com
+ Authorization: Basic %b64[alice:alicespassword]b64%
+ User-Agent: curl/%VERSION
+ Accept: */*
+ Proxy-Connection: Keep-Alive
+
+ GET http://b.com/%TESTNUMBER0002 HTTP/1.1
+ Host: b.com
+ User-Agent: curl/%VERSION
+ Accept: */*
+ Proxy-Connection: Keep-Alive
+
+
+
+
-- 2.40.0