source: trunk/server/common/patches/curl-gssapi-delegation.patch @ 1933

Last change on this file since 1933 was 1922, checked in by geofft, 13 years ago
Patch curl for CVE-2011-2192: do not delegate tickets over HTTP
File size: 1.0 KB
  • lib/http_negotiate.c

    From a4be0864ba953b3317ece66bf8c2332ea74a4715 Mon Sep 17 00:00:00 2001
    From: Daniel Stenberg <daniel@haxx.se>
    Date: Wed, 8 Jun 2011 00:10:26 +0200
    Subject: [PATCH] Curl_input_negotiate: do not delegate credentials
    
    This is a security flaw. See curl advisory 201106xx for details.
    
    Reported by: Richard Silverman
    ---
     lib/http_negotiate.c |    2 +-
     1 files changed, 1 insertions(+), 1 deletions(-)
    
    diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
    index 202d69e..5127e64 100644
    a b int Curl_input_negotiate(struct connectdata *conn, bool proxy, 
    243243                                      &neg_ctx->context,
    244244                                      neg_ctx->server_name,
    245245                                      GSS_C_NO_OID,
    246                                       GSS_C_DELEG_FLAG,
     246                                      0,
    247247                                      0,
    248248                                      GSS_C_NO_CHANNEL_BINDINGS,
    249249                                      &input_token,
Note: See TracBrowser for help on using the repository browser.