From 32095dd57e170fa961581dad1059960e79326c70 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Fri, 1 May 2015 16:16:08 +0200
Subject: [PATCH] Do not send custom HTTP headers to proxies Per cURL security advisory (CVE-2015-3153), cURL libraries between 7.1 and 7.42.0 versions sent custom HTTP headers not only an HTTPS server, but also to a proxy. libisds uses this feature to set Accept and Content-Type headers. As a result, vulnerable cURL revealed these two headers (among Host, User-Agent, and Proxy-Connection headers) to a proxy on CONNECT request. This patch stops sending the two headers in CONNECT request to a proxy. Please note that user name, password and one-time password never have been sent to proxy because libisds uses different cURL feature to set them which is not vulnerable.
---
 configure.ac | 5 +++++
 src/soap.c | 9 ++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 1306e17..ca98fb8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -61,6 +61,11 @@ AS_IF([test -z "$LIBCURL"], [
 cppflags_orig="$CPPFLAGS"
 CPPFLAGS="${CPPFLAGS} ${LIBCURL_CPPFLAGS}"
+ AC_CHECK_DECLS([CURLOPT_HEADEROPT], [],
+ AC_MSG_WARN([Your libcurl does not support not sending custom HTTP
+ headers to proxies.
+ Consider upgrade to 7.37.0 version.]),
+ [[#include ]])
 AC_CHECK_DECLS([CURLOPT_TIMEOUT_MS], [],
 AC_MSG_WARN([Your libcurl does not support subsecond timeout resolution.
 Consider upgrade to 7.16.2 version.]),
diff --git a/src/soap.c b/src/soap.c
index 708acc5..b70a4b2 100644
--- a/src/soap.c
+++ b/src/soap.c
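Review bot: The new AC_CHECK_DECLS only emits AC_MSG_WARN when CURLOPT_HEADEROPT is missing, so a build against libcurl older than 7.37.0 completes with the CVE-2015-3153 exposure intact and the only signal is a line that scrolls past in configure output. Because this is a security downgrade rather than a lost feature, AC_MSG_ERROR with an explicit opt-out would be the safer default; if the warning is kept, its double negative is hard to parse, e.g. `AC_MSG_WARN([Your libcurl cannot keep custom HTTP headers from reaching proxies (CVE-2015-3153). Consider upgrading to 7.37.0 or newer.])`. The `[[#include ]]` argument looks like it lost its header name in this rendering (presumably the curl header the neighbouring CURLOPT_TIMEOUT_MS check also uses); worth confirming against the actual file rather than this page.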
@@ -829,7 +829,14 @@ static isds_error http(struct isds_ctx *context,
 }
 /* Set MIME types and headers requires by SOAP 1.1.
- * SOAP 1.1 requires text/xml, SOAP 1.2 requires application/soap+xml */
+ * SOAP 1.1 requires text/xml, SOAP 1.2 requires application/soap+xml.
+ * But suppress sending the headers to proxies first if supported. */
+#if HAVE_DECL_CURLOPT_HEADEROPT /* since curl-7.37.0 */
+ if (!curl_err) {
+ curl_err = curl_easy_setopt(context->curl, CURLOPT_HEADEROPT, CURLHEADER_SEPARATE);
+ }
+#endif /* HAVE_DECL_CURLOPT_HEADEROPT */
 if (!curl_err) {
 headers = curl_slist_append(headers, "Accept: application/soap+xml,application/xml,text/xml");
-- 
2.11.4.GIT
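Review bot: The `#if HAVE_DECL_CURLOPT_HEADEROPT` guard makes header separation a compile-time decision only, so a build against older libcurl silently drops the whole block and keeps handing Accept/Content-Type to the proxy on CONNECT with no trace at runtime; an `#else` branch carrying at least a comment that the vulnerable behaviour persists would make that visible to whoever audits the binary later. When the build headers are new but the shared libcurl at runtime predates 7.37.0, curl_easy_setopt presumably returns CURLE_UNKNOWN_OPTION, which leaves curl_err set and skips the following `if (!curl_err)` steps, i.e. the request fails closed rather than leaking; that is the right outcome but deserves a comment so the return value is not "fixed" away later, e.g. `/* Keep a failure here: an older runtime libcurl rejects this option, and failing the request is preferable to sending the headers to the proxy. */`. Also note CURLHEADER_SEPARATE only protects the CONNECT tunnel for HTTPS targets; a plain http:// request through a proxy still exposes every header by design. The enclosing http() starts before this hunk and continues after it.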