| commit | 32095dd57e170fa961581dad1059960e79326c70 | |
| author | Petr Písař <petr.pisar@atlas.cz> | |
| Fri, 1 May 2015 14:16:08 +0000 (1 16:16 +0200) | ||
| committer | Petr Písař <petr.pisar@atlas.cz> | |
| Fri, 1 May 2015 14:26:32 +0000 (1 16:26 +0200) | ||
| tree | 554fefb9f09756892a58f9e4d0c5cf8ac04f4002 | treesnapshot (tar.gz zip) |
| parent | 634de4606cce127ab26b22930bba3d0f4aba25f3 | commitdiff |
Do not send custom HTTP headers to proxies
Per cURL security advisory <http://curl.haxx.se/docs/adv_20150429.html>
(CVE-2015-3153), cURL libraries between 7.1 and 7.42.0 versions sent
custom HTTP headers not only an HTTPS server, but also to a proxy.
libisds uses this feature to set Accept and Content-Type headers. As a result,
vulnerable cURL revealed these two headers (among Host, User-Agent, and
Proxy-Connection headers) to a proxy on CONNECT request.
This patch stops sending the two headers in CONNECT request to a proxy.
Please note that user name, password and one-time password never have been
sent to proxy because libisds uses different cURL feature to set them which is
not vulnerable.
Per cURL security advisory <http://curl.haxx.se/docs/adv_20150429.html>
(CVE-2015-3153), cURL libraries between 7.1 and 7.42.0 versions sent
custom HTTP headers not only an HTTPS server, but also to a proxy.
libisds uses this feature to set Accept and Content-Type headers. As a result,
vulnerable cURL revealed these two headers (among Host, User-Agent, and
Proxy-Connection headers) to a proxy on CONNECT request.
This patch stops sending the two headers in CONNECT request to a proxy.
Please note that user name, password and one-time password never have been
sent to proxy because libisds uses different cURL feature to set them which is
not vulnerable.
| configure.ac | diffblobblamehistory | |
| src/soap.c | diffblobblamehistory |