http: clear credentials better on redirect#21345
Closed
bagder wants to merge 4 commits into
Closed
Conversation
Verify with test 2506: netrc with redirect using proxy Updated test 998 which was wrong. Reported-by: Muhamad Arga Reksapati
There was a problem hiding this comment.
Pull request overview
Updates libcurl’s HTTP redirect handling to more reliably clear credentials on cross-origin redirects (including netrc-derived creds), and adds regression tests for proxy + redirect scenarios.
Changes:
- Adjust
Curl_http_follow()credential-reset logic during redirects. - Add new libtest + test case
2506covering netrc credentials with redirects through an HTTP proxy. - Correct
test998expectations so redirected request no longer includes the originalAuthorizationheader.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
lib/http.c |
Refactors redirect auth clearing using same-origin detection and resets credentials accordingly. |
tests/libtest/lib2506.c |
Adds a new libcurl-driven test client for the new testcase. |
tests/libtest/Makefile.inc |
Registers lib2506.c in the libtest build. |
tests/data/test2506 |
New testcase verifying netrc auth is not sent after redirect when using a proxy. |
tests/data/test998 |
Fixes incorrect expectation: redirected request should not carry Authorization. |
tests/data/Makefile.am |
Registers test2506 in the test suite manifest. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
benign otherwise but still
|
Analysis of PR #21345 at a4c1a273: Test 2506 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 6 different CI jobs (the link just goes to one of them). Generated by Testclutch |
icanhasmath
pushed a commit
to ActiveState/curl
that referenced
this pull request
May 29, 2026
Reported-by: Muhamad Arga Reksapati Closes curl#21345 (cherry picked from commit b4024bf) Backport to 8.17.0 to address CVE-2026-6429 (when using a .netrc file for credentials together with HTTP redirect following, the password used for the first host could leak to the redirect target host, e.g. over a clear-text HTTP redirect reusing the same proxy connection). The upstream patch replaced the old port/scheme-only auth-clearing check in Curl_http_follow() with a proper same-origin (scheme+host+port) check and additionally always resets the credentials when they did not come from an explicit CURLOPT_USERNAME (i.e. they were read from .netrc). Adaptations for 8.17.0: - Backported the helper Curl_url_same_origin() into urlapi.c (declared in urlapi-int.h), using Curl_get_scheme_handler()/handler->defport in place of the newer Curl_get_scheme()/Curl_scheme struct. curl_strequal() is NULL-safe so the possibly-NULL port comparisons are fine. - data->state.url is a plain char* in 8.17.0, so it is passed directly to curl_url_set() instead of via Curl_bufref_ptr(). - free()/Curl_safefree() instead of the curlx_* wrappers. - The proxy credential reset (from CVE-2026-6253) was moved into the else branch, matching upstream. Builds on the CVE-2026-6253 backport (Curl_reset_userpwd/proxypwd). The non-CVE follow-up 6daf4bc (clear host digest nonce on cross-origin redirect) is intentionally not included here. Test 2506 omitted (newer test infrastructure).
outcast36
pushed a commit
to greearb/curl
that referenced
this pull request
Jun 3, 2026
Verify with test 2506: netrc with redirect using proxy Updated test 998 which was wrong. Reported-by: Muhamad Arga Reksapati Closes curl#21345
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Verify with test 2506: netrc with redirect using proxy
Updated test 998 which was wrong.
Reported-by: Muhamad Arga Reksapati