
url: do not reuse a non-tls starttls connection if new requires TLS#21082

Closed
bagder wants to merge 1 commit into master from bagder/starttls-reuse


Conversation


@bagder bagder commented Mar 24, 2026

Member

No description provided.

@bagder bagder requested a review from icing March 24, 2026 11:52
@bagder bagder marked this pull request as ready for review March 24, 2026 11:52
@bagder bagder requested a review from Copilot March 24, 2026 11:53

Copilot AI left a comment


Pull request overview

This PR updates connection reuse matching in lib/url.c to avoid reusing an existing clear-text connection for STARTTLS-style protocols when the new transfer requires TLS, preventing an unsafe/incompatible reuse.

Changes:

  • Add a req_tls flag to the connection-match struct to represent “TLS is required for a clear-text STARTTLS scheme”.
  • Reject reuse of non-SSL connections when req_tls is set, even if the scheme itself is non-SSL (STARTTLS case).
  • Initialize req_tls from data->set.use_ssl during reuse candidate selection.

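As an added example that is not part of this PR or of curl's source, a reduced C model of the reuse match the overview describes: the "before" matcher accepts any pooled connection to the same endpoint, while the "after" matcher also refuses a clear-text connection when req_tls is set. Only req_tls and use_ssl are names taken from the PR; the struct layouts, helper names, the constructed sample pool and the assumption that only the CONTROL and ALL levels of use_ssl count as "TLS required" are mine.

```c
/* Added illustration, not curl's code. Only req_tls and use_ssl come from the
 * PR; struct layouts, helper names and the CONTROL threshold are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum use_ssl { USESSL_NONE = 0, USESSL_TRY, USESSL_CONTROL, USESSL_ALL };
/* ssl_active: true once STARTTLS has upgraded this pooled connection. */
struct pooled_conn { const char *scheme, *host; int port; bool ssl_active; };
/* req_tls: TLS is required for a clear-text STARTTLS scheme (imap, pop3, smtp). */
struct conn_match { const char *scheme, *host; int port; bool req_tls; };

/* Assumption: TRY may fall back to clear text, so only CONTROL and ALL require TLS. */
bool tls_required(enum use_ssl s) { return s >= USESSL_CONTROL; }
static bool same_endpoint(const struct pooled_conn *c, const struct conn_match *m)
{
    return !strcmp(c->scheme, m->scheme) && !strcmp(c->host, m->host) &&
           c->port == m->port;
}

/* Before the fix: an endpoint match alone was enough to reuse the connection. */
bool reuse_ok_before(const struct pooled_conn *c, const struct conn_match *m)
{
    return same_endpoint(c, m);
}

/* After the fix: a TLS-requiring transfer never reuses a clear-text connection. */
bool reuse_ok_after(const struct pooled_conn *c, const struct conn_match *m)
{
    return same_endpoint(c, m) && !(m->req_tls && !c->ssl_active);
}

/* Scan a pool; return the index of the first reusable connection, or -1. */
int find_reusable(const struct pooled_conn *pool, size_t n, const struct conn_match *m, bool fixed)
{
    for (size_t i = 0; i < n; i++)
        if ((fixed ? reuse_ok_after : reuse_ok_before)(&pool[i], m))
            return (int)i;
    return -1;
}

/* Constructed sample pool: a clear-text IMAP connection first, then one that
 * STARTTLS already upgraded. Returns the index the matcher picks, or -1. */
int pick_from_sample_pool(enum use_ssl s, bool fixed)
{
    static const struct pooled_conn pool[] = {
        {"imap", "mail.example.test", 143, false},
        {"imap", "mail.example.test", 143, true}};
    struct conn_match m = {"imap", "mail.example.test", 143, tls_required(s)};
    return find_reusable(pool, 2, &m, fixed);
}
```

With the old matcher a transfer that requires TLS is handed the clear-text connection at index 0; the fixed matcher skips it and picks the upgraded one at index 1.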

Comment thread lib/url.c
@bagder bagder closed this in 507e7be Mar 25, 2026
@bagder bagder deleted the bagder/starttls-reuse branch March 25, 2026 10:24
icanhasmath pushed a commit to ActiveState/curl that referenced this pull request May 29, 2026
… requires TLS

Reported-by: Arkadi Vainbrand

Closes curl#21082

(cherry picked from commit 507e7be)

Backport to 8.17.0 to address CVE-2026-4873 (a connection requiring TLS
could reuse an existing unencrypted connection from the pool for IMAP,
POP3 and SMTP, bypassing the TLS requirement). Cherry-pick applied
cleanly; git's 3-way merge mapped the hunks onto 8.17.0's
ConnectionExists()/conn->handler naming.
outcast36 pushed a commit to greearb/curl that referenced this pull request Jun 3, 2026