http: do not leak basic auth credentials on re-used connections

author Kamil Dudka <kdudka@redhat.com>

Thu, 28 May 2015 18:04:35 +0000 (20:04 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Wed, 17 Jun 2015 05:43:13 +0000 (07:43 +0200)
author Kamil Dudka <kdudka@redhat.com>
Thu, 28 May 2015 18:04:35 +0000 (20:04 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Wed, 17 Jun 2015 05:43:13 +0000 (07:43 +0200)
diff --git a/lib/http.c b/lib/http.c

index 7a5137e86cc37e14ea8e7fc34df83f6097c8d306..e06c798e9bb10f004890f423ae7a97c5275dc221 100644 (file)
--- a/lib/http.c
+++ b/lib/http.c
@@ -2312,20 +2312,12 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
                       te
        );
  
-  /*
-   * Free userpwd for Negotiate/NTLM. Cannot reuse as it is associated with
-   * the connection and shouldn't be repeated over it either.
-   */
-  switch (data->state.authhost.picked) {
-  case CURLAUTH_NEGOTIATE:
-  case CURLAUTH_NTLM:
-  case CURLAUTH_NTLM_WB:
-    Curl_safefree(conn->allocptr.userpwd);
-    break;
-  }
+  /* clear userpwd to avoid re-using credentials from re-used connections */
+  Curl_safefree(conn->allocptr.userpwd);
  
    /*
-   * Same for proxyuserpwd
+   * Free proxyuserpwd for Negotiate/NTLM. Cannot reuse as it is associated
+   * with the connection and shouldn't be repeated over it either.
     */
    switch (data->state.authproxy.picked) {
    case CURLAUTH_NEGOTIATE:
author	Kamil Dudka <kdudka@redhat.com>
	Thu, 28 May 2015 18:04:35 +0000 (20:04 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Wed, 17 Jun 2015 05:43:13 +0000 (07:43 +0200)