The new #curl CVE-2024-11053 we call "netrc and redirect credential leak"
While graded severity low, it will of course still be relevant to whomever uses the unlucky combination of options.
This entry was edited (9 months ago)
⇧
The new #curl CVE-2024-11053 we call "netrc and redirect credential leak"
While graded severity low, it will of course still be relevant to whomever uses the unlucky combination of options.
Ben Zanin
in reply to daniel:// stenberg:// • • •hmm, I think this CVE fix may have broken my use of ~/.netrc with the GitHub REST API. Ran into an issue where my normal usage pattern of curl, which includes a "netrc-optional" entry in ~/.curlrc and a GitHub personal access token in ~/.netrc, no longer adds an "Authorization: ..." header to my requests, correlated in time with installing curl 8.11.1 via homebrew.
I'll see if I can produce a properly reduced test case and bisect down to one commit.
daniel:// stenberg://
in reply to Ben Zanin • • •Ben Zanin
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to Ben Zanin • • •Ben Zanin
in reply to daniel:// stenberg:// • • •Issue filed with a reduced replication test!
github.com/curl/curl/issues/15…
While developing that test I discovered an interesting factor: the bug seems to only be triggered in combination with the `--netrc-optional` option, notwithstanding whether that option is passed directly on the command line or whether it appears in `~/.curlrc`.
I wish I could have strace'd into exactly what's happening at file parse time. Hopefully this is useful enough!
curl CLI v8.11.1 fails to offer HTTP Basic auth specified in .netrc when invoked with --netrc-optional · Issue #15767 · curl/curl
GitHubdaniel:// stenberg://
in reply to Ben Zanin • • •daniel:// stenberg://
in reply to Ben Zanin • • •netrc: fix password-only entries by bagder · Pull Request #15768 · curl/curl
GitHubBen Zanin
in reply to daniel:// stenberg:// • • •