Password containing newline fails when following http 302 #5582
This started happening in 7.62.0 (7.61.1 is fine). I narrowed it down to 46e1640 using git bisect, but I'm not familiar enough with curl to dig much deeper than that (it seems like a big change).

Using a password containing a newline works fine on the first request, but if the server returns a 302, something goes wrong when curl is reconstructing the right URL to follow, and fails with:

I reproduced this with a simple Go server that listens on 8080 and redirects from /foo to /bar.

I have a ~/key.json file containing some "credentials" for a basic password:

This fails because (I believe) key.json contains a newline:

But using jq to drop newlines with --compact-output succeeds:

I did this

I expected the following

curl/libcurl version

operating system

Hey, Lines 179 to 182 in fa4fbc5

Here is the commit that introduces this behavior: 75ca568. As @bagder's commit mentioned, this is for security reasons. Here is the security advisory: https://curl.haxx.se/docs/CVE-2012-0036.html Hope that helps. I am sure that @bagder could add more context and information to my comment.

This makes sense, thanks for the explanation.

Trying with current master still reproduces:

It looks like the fix you linked is being applied, per this line:

FWIW, we managed to work around this by just constructing the

Given we have a workaround, this isn't a big issue for us anymore, especially since the relevant code is a CVE mitigation. Feel free to close this issue if it's too much trouble.

(except for the path part)
Reported-by: Jon Johnson Jr
Fixes #5582

This is an extension of a bug in libcurl's URL API: setting a perfectly valid URL like

Update: I notice this is in fact even documented functionality...

Reported-by: Jon Johnson Jr
Fixes #5582

I can confirm this is now fixed, thanks @bagder!

thanks for confirming @jonjohnsonjr!
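The reporter's setup (a Go server redirecting /foo to /bar with a basic password read from a file that ends in a newline) and the two outcomes discussed in the thread, rebuilt as a self-contained Go program. This is an added example, not code from the curl project or from anyone in this issue. It assumes the function names shown, a constructed credential `user` / `hunter2`, and an ephemeral httptest port instead of the fixed 8080. Go's net/url rejects raw ASCII control characters in a URL the same way the thread describes libcurl's URL API doing, so the "credential in the URL" path fails before anything reaches the wire; trimming the trailing newline (what `jq --compact-output` did for the reporter) and building the Authorization header directly (the reporter's workaround) both succeed across the 302.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ErrControlChar: a credential still carries an ASCII control byte (CR, LF, NUL, ...)
// after normalisation. Those bytes are what the CVE-2012-0036 class of URL
// sanitisation fixes guards against, since they can terminate a protocol line.
var ErrControlChar = errors.New("credential contains an ASCII control character")

// NormalizeSecret trims the trailing newline that reading a key file usually
// leaves behind, then rejects any control byte that remains inside the secret.
func NormalizeSecret(raw string) (string, error) {
	s := strings.TrimRight(raw, "\r\n")
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return "", ErrControlChar
		}
	}
	return s, nil
}

// ParseCredentialURL builds http://user:pass@hostPath the way a caller does when
// putting credentials in the URL itself. net/url refuses raw control characters,
// so a password with an embedded or trailing newline errors out here.
func ParseCredentialURL(user, pass, hostPath string) (*url.URL, error) {
	return url.Parse("http://" + user + ":" + pass + "@" + hostPath)
}

// BasicAuthHeader encodes the pair; base64 output never contains CR/LF, which is
// why building the header directly sidesteps the URL-level check.
func BasicAuthHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// NewRedirectServer mirrors the reporter's server: /foo answers 302 to /bar and
// both paths require the given basic credentials (hypothetical demo server).
func NewRedirectServer(user, pass string) *httptest.Server {
	authorized := func(w http.ResponseWriter, r *http.Request) bool {
		u, p, ok := r.BasicAuth()
		if !ok || u != user || p != pass {
			w.Header().Set("WWW-Authenticate", `Basic realm="demo"`)
			w.WriteHeader(http.StatusUnauthorized)
			return false
		}
		return true
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) {
		if authorized(w, r) {
			http.Redirect(w, r, "/bar", http.StatusFound)
		}
	})
	mux.HandleFunc("/bar", func(w http.ResponseWriter, r *http.Request) {
		if authorized(w, r) {
			io.WriteString(w, "ok")
		}
	})
	return httptest.NewServer(mux)
}

// FetchWithBasicAuth requests base+"/foo" with an explicit Authorization header,
// follows the same-host 302, and returns the final status code and body.
func FetchWithBasicAuth(base, user, pass string) (int, string, error) {
	req, err := http.NewRequest(http.MethodGet, base+"/foo", nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Authorization", BasicAuthHeader(user, pass))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, string(body), nil
}

func main() {
	raw := "hunter2\n" // constructed: key file contents with a trailing newline
	if _, err := ParseCredentialURL("user", raw, "127.0.0.1:8080/foo"); err != nil {
		fmt.Println("raw secret in URL rejected:", err)
	}
	pass, err := NormalizeSecret(raw)
	if err != nil {
		fmt.Println("normalisation failed:", err)
		return
	}
	srv := NewRedirectServer("user", pass)
	defer srv.Close()
	status, body, err := FetchWithBasicAuth(srv.URL, "user", pass)
	fmt.Println(status, body, err)
}
```

The defender's takeaway from the thread is that the rejection is the intended behaviour: a credential that arrives with a control byte should be cleaned at the point it is read (NormalizeSecret) rather than by relaxing the URL parser, and an embedded newline, as opposed to a trailing one, is a reason to fail closed.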