Conversation

@bagder bagder commented Dec 11, 2025

No description provided.

bagder commented Dec 11, 2025

augment review

@augmentcode augmentcode bot left a comment

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

Copilot AI left a comment

Pull request overview

This pull request implements a security enhancement to prevent OAuth bearer tokens from being automatically sent during HTTP redirects. The change ensures that bearer tokens used in SASL authentication (OAUTHBEARER and XOAUTH2) require explicit permission via CURLOPT_UNRESTRICTED_AUTH to be sent when following redirects, protecting against accidental token leakage to different hosts.

Key changes:

  • Modified sasl_choose_oauth() and sasl_choose_oauth2() to check redirect status and authorization settings before using bearer tokens
  • Bearer tokens are now set to NULL during redirects unless allow_auth_to_other_hosts is explicitly enabled
  • Added comprehensive test coverage demonstrating the new security behavior

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

  • lib/curl_sasl.c: Added redirect check for OAuth bearer tokens in sasl_choose_oauth() and sasl_choose_oauth2() functions to prevent bearer tokens from being sent on redirects unless explicitly allowed
  • tests/data/test778: Test for HTTP OAuth2 bearer redirect to different host (bearer not passed to redirected host)
  • tests/data/test779: Test for HTTP OAuth2 bearer redirect to IMAP protocol (authentication fails with error 67 when bearer not sent)
  • tests/data/test795: Test for HTTP basic auth redirect to IMAP (demonstrates basic auth continues to work, showing OAuth bearer is more restrictive)
  • tests/data/Makefile.am: Added test778, test779, and test795 to the test suite in correct numerical sequence
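To make the behaviour the review overview describes concrete, here is an added C model of the decision that test778 and test779 exercise: a bearer-authenticated transfer is redirected, and the SASL step then withholds the token unless CURLOPT_UNRESTRICTED_AUTH was set. This is not curl's code; the struct, the function names and the mechanism order are assumptions, only the option names and the error code 67 come from the page.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed, simplified stand-ins for curl's per-transfer state and SASL
 * mechanisms; these are not curl's real structs or function names. */
enum sasl_mech { SASL_NONE, SASL_OAUTHBEARER, SASL_PLAIN };

struct transfer {
    const char *host;
    const char *bearer;             /* token given via CURLOPT_XOAUTH2_BEARER */
    const char *user;               /* user from CURLOPT_USERPWD, or NULL */
    bool this_is_a_redirect;        /* true once a redirect has been followed */
    bool allow_auth_to_other_hosts; /* CURLOPT_UNRESTRICTED_AUTH */
};

/* The check the PR adds, in one place: a redirected transfer gets no
 * bearer unless the application explicitly opted in. */
static const char *sasl_bearer(const struct transfer *t)
{
    if(t->this_is_a_redirect && !t->allow_auth_to_other_hosts)
        return NULL;
    return t->bearer;
}

/* Mechanism choice (assumed order): bearer first, then a user/password
 * mechanism, else nothing can be negotiated. */
static enum sasl_mech sasl_choose(const struct transfer *t)
{
    if(sasl_bearer(t))
        return SASL_OAUTHBEARER;
    return t->user ? SASL_PLAIN : SASL_NONE;
}

/* Transfer state after following a Location: to new_host; the
 * application's options carry over, only the redirect flag changes. */
static struct transfer follow(const struct transfer *t, const char *new_host)
{
    struct transfer next = *t;
    next.host = new_host;
    next.this_is_a_redirect = true;
    return next;
}

/* 67 is CURLE_LOGIN_DENIED, the exit code test779 expects once no
 * mechanism can be negotiated on the redirected IMAP connection. */
static int login_result(const struct transfer *t)
{
    return sasl_choose(t) == SASL_NONE ? 67 : 0;
}
```

The same model reproduces test795: a transfer carrying only a user/password still negotiates a password mechanism after the redirect, which is why basic auth keeps working while the bearer is withheld.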

@bagder bagder marked this pull request as ready for review December 11, 2025 08:28
@bagder bagder closed this in 1a82227 Dec 11, 2025
@bagder bagder deleted the bagder/bearer-redirects branch December 11, 2025 08:43