setopt: clear proxy auth properties when switching#21453
Closed
bagder wants to merge 2 commits into
Closed
Conversation
Verify with test 1588
There was a problem hiding this comment.
Pull request overview
This PR aims to ensure proxy-auth state is cleared when switching proxies via CURLOPT_PROXY, and adds a regression test (test 1588) to validate the behavior.
Changes:
- Add
setproxy()helper inlib/setopt.cthat clears proxy auth state when the proxy string changes. - Add new libtest
lib1588plus new test spectest1588to verify Digest proxy auth across two sequential proxy configurations. - Wire the new test into the autotools test lists.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tests/libtest/lib1588.c | New libtest that performs two requests on the same easy handle while changing CURLOPT_PROXY, exercising proxy Digest auth twice. |
| tests/libtest/Makefile.inc | Adds lib1588.c to the libtest build list. |
| tests/data/test1588 | New test case definition verifying request/response and Proxy-Authorization behavior across proxy switch. |
| tests/data/Makefile.am | Registers test1588 in the test data distribution list. |
| lib/vauth/vauth.h | Adds a no-op macro for Curl_auth_digest_cleanup when Digest auth is disabled. |
| lib/setopt.c | Implements setproxy() and routes CURLOPT_PROXY through it to clear proxy auth state on change. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
icanhasmath
pushed a commit
to ActiveState/curl
that referenced
this pull request
May 29, 2026
Closes curl#21453 (cherry picked from commit c1cfdf5) Backport to 8.17.0 to address CVE-2026-7168 (when reusing an easy handle across different HTTP proxies using Digest auth, the Proxy-Authorization header meant for the first proxy could be sent to a second proxy). The upstream patch added a setproxy() helper called from setopt_cptr_proxy(); 8.17.0 has no setopt_cptr_proxy() (CURLOPT_PROXY is handled inline in setopt_cptr's switch), so the setproxy() helper was added next to that function and the CURLOPT_PROXY case now calls it. setproxy() clears the proxy Digest state and authproxy details whenever the proxy string changes. Also added the Curl_auth_digest_cleanup(x) no-op macro for the CURL_DISABLE_DIGEST_AUTH build, matching upstream. Test 1588 omitted (it relies on newer libtest infrastructure).
outcast36
pushed a commit
to greearb/curl
that referenced
this pull request
Jun 3, 2026
Verify with test 1588 Closes curl#21453
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Verify with test 1588