luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ftp: when failing to do a secure GSSAPI login, fail hard

Browse Source 
... instead of switching to cleartext. For the sake of security.

Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1590102
Closes #8963
This commit is contained in:
Daniel Stenberg 2022-06-05 22:23:46 +02:00
parent 21ea13cfe1
commit 6754f99398
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/ftp.c
View File

@ -2702,10 +2702,11 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
set a valid level */
Curl_sec_request_prot(conn, data->set.str[STRING_KRB_LEVEL]);
if(Curl_sec_login(data, conn))
infof(data, "Logging in with password in cleartext");
else
infof(data, "Authentication successful");
if(Curl_sec_login(data, conn)) {
failf(data, "secure login failed");
return CURLE_WEIRD_SERVER_REPLY;
}
infof(data, "Authentication successful");
}
#endif