src-openEuler/curl

backport-CVE-2025-0167.patch 4.04 KB
sherlock2010 committed on 2025-02-08 16:59 +08:00 . fix CVE-2025-0167 CVE-2025-0725
From 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 3 Jan 2025 16:22:27 +0100
Subject: [PATCH] netrc: 'default' with no credentials is not a match
Test 486 verifies.
Reported-by: Yihang Zhou
Closes #15908
Conflict:context adapt
Reference:https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e
---
lib/netrc.c | 15 ++++--
tests/data/Makefile.inc | 2 +-
tests/data/test486 | 105 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 116 insertions(+), 6 deletions(-)
create mode 100644 tests/data/test486
diff --git a/lib/netrc.c b/lib/netrc.c
index b517c1dfab67..7ad81ece229f 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -316,11 +316,16 @@ static int parsenetrc(struct store_netrc *store,
out:
Curl_dyn_free(&token);
- if(!retcode && !password && our_login) {
- /* success without a password, set a blank one */
- password = strdup("");
- if(!password)
- retcode = 1; /* out of memory */
+ if(!retcode) {
+ if(!password && our_login) {
+ /* success without a password, set a blank one */
+ password = strdup("");
+ if(!password)
+ retcode = 1; /* out of memory */
+ }
+ else if(!login && !password)
+ /* a default with no credentials */
+ retcode = NETRC_FILE_MISSING;
}
if(!retcode) {
/* success */
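Review bot: In the new `else if(!login && !password)` branch, `NETRC_FILE_MISSING` is reused to mean "a default entry matched but carries no credentials", and the one-line comment does not say that callers are expected to treat this the same as finding no netrc entry at all. Expand the comment to state that intent, so a later change to how `NETRC_FILE_MISSING` is handled does not quietly bring back the bare-`default` match. The branch body is a comment plus a statement without braces while the sibling `if` uses them; adding braces would keep the two arms consistent. The branch also only covers the case where both `login` and `password` are unset: an entry with a `login` but no `password` where `our_login` is false still falls through to the `/* success */` path, so confirm that path copes with a NULL `password`.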
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 9ec101a7c74b..fc5e4cef5668 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -78,7 +78,7 @@ test426 test427 test428 test429 test430 test431 test432 test433 test434 \
test435 test436 test437 test438 test439 test440 test441 test442 test443 \
test444 test445 test446 test447 test448 test449 test450 test451 test452 \
test453 test454 test455 test456 test457 test458 \
-test478 test479 test480 \
+test478 test479 test480 test486 \
\
test490 test491 test492 test493 test494 test495 test496 test497 test498 \
\
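Review bot: `test486` is appended to the `test478 test479 test480` line rather than given its own continuation line, which leaves a jump from 480 to 486 inside one row of the list. Since the header marks this backport as "Conflict:context adapt", check that this row matches the packaged tree so the hunk applies cleanly and test486 is actually picked up by the test run.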
diff --git a/tests/data/test486 b/tests/data/test486
new file mode 100644
index 000000000000..53efae597a1b
--- /dev/null
+++ b/tests/data/test486
@@ -0,0 +1,105 @@
+<testcase>
+<info>
+<keywords>
+netrc
+HTTP
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<data crlf="yes">
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+-foo-
+</data>
+
+<data2 crlf="yes">
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+</data2>
+
+<datacheck crlf="yes">
+HTTP/1.1 301 Follow this you fool
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 6
+Connection: close
+Location: http://b.com/%TESTNUMBER0002
+
+HTTP/1.1 200 OK
+Date: Tue, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
+ETag: "21025-dc7-39462498"
+Accept-Ranges: bytes
+Content-Length: 7
+Connection: close
+
+target
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+proxy
+</features>
+<name>
+.netrc with redirect and "default" with no password or login
+</name>
+<command>
+--netrc --netrc-file %LOGDIR/netrc%TESTNUMBER -L -x http://%HOSTIP:%HTTPPORT/ http://a.com/
+</command>
+<file name="%LOGDIR/netrc%TESTNUMBER" >
+
+machine a.com
+ login alice
+ password alicespassword
+
+default
+
+</file>
+</client>
+
+<verify>
+<protocol>
+GET http://a.com/ HTTP/1.1
+Host: a.com
+Authorization: Basic %b64[alice:alicespassword]b64%
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+GET http://b.com/%TESTNUMBER0002 HTTP/1.1
+Host: b.com
+User-Agent: curl/%VERSION
+Accept: */*
+Proxy-Connection: Keep-Alive
+
+</protocol>
+</verify>
+</testcase>
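Review bot: The netrc file in the `<client>` section only exercises a bare `default` line, so the test covers the new `!login && !password` branch but not the neighbouring case of a `default` entry that has a `login` and no `password`. The `<verify>` block does check the right property, that the redirected request to b.com carries no `Authorization` header while the a.com request does; consider a sibling test with `default` plus `login` only, so both arms of the changed condition in lib/netrc.c are pinned down. Minor: `<file name="%LOGDIR/netrc%TESTNUMBER" >` has a stray space before the closing `>`.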