From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 8 Oct 2025 12:06:55 +0000 (+0200)
Subject: socks: deny server basic-auth if not configured
X-Git-Tag: rc-8_17_0-2~163
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0a279a8e91a279f6942775073d21d0e93041af6;p=thirdparty%2Fcurl.git

socks: deny server basic-auth if not configured

When the server proposes BASIC authentication and curl does
not have that configured, fail right away.

Reported-by: Joshua Rogers
Closes #18937
---

diff --git a/lib/socks.c b/lib/socks.c
index e7e545442a..a0e1e6c042 100644
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -681,8 +681,12 @@ static CURLproxycode socks5_check_resp0(struct socks_state *sx,
     return CURLPX_GSSAPI_PERMSG;
   case 2:
     /* regular name + password authentication */
-    sxstate(sx, cf, data, SOCKS5_ST_AUTH_INIT);
-    return CURLPX_OK;
+    if(data->set.socks5auth & CURLAUTH_BASIC) {
+      sxstate(sx, cf, data, SOCKS5_ST_AUTH_INIT);
+      return CURLPX_OK;
+    }
+    failf(data, "BASIC authentication proposed but not enabled.");
+    return CURLPX_NO_AUTH;
   case 255:
     failf(data, "No authentication method was acceptable.");
     return CURLPX_NO_AUTH;