The vulnerability is related to how curl handles .netrc files with 'default' entries that omit both login and password, especially when HTTP redirects are involved. The core issue is that under these specific circumstances, a password used for an initial host could be leaked to a subsequent host after a redirect.
The fix is in the parsenetrc function in lib/netrc.c. The patch 0e120c5b925e8ca75d5319e319e5ce4b8080d8eb modifies this function to correctly handle the case where a 'default' entry in the .netrc file has no login and no password.
Specifically, the old code proceeded when the condition !retcode && !password && our_login held, that is, when parsing had not failed, no password had been found, but a login had been matched for the host; in that case it set the password to an empty string. This behaviour was problematic for 'default' entries without credentials.
The patched code adds a condition: else if(!login && !password), which explicitly checks if both login and password are not found. If this is the case for a 'default' entry, it now sets retcode = NETRC_FILE_MISSING. This change ensures that a 'default' entry without any credentials is not treated as a successful credential match, thereby preventing the password from a previous, specific host entry from being reused for the 'default' case during a redirect.
The function parsenetrc is responsible for parsing the .netrc file. When a redirect happens, curl may consult the .netrc file again for credentials for the new host. If the new host matches a 'default' entry with no credentials, the old logic could leave the password from the previous host (if it had been set in data->state.aptr.passwd) in place and use it for the new host, because the password field was not cleared or otherwise handled correctly for this 'default' scenario.
The introducing commit 46620b97431e19c53ce82e5 refactored how credentials were handled, moving them from connection-specific to transfer-specific (data->state.aptr.*). While this was a general improvement, the specific vulnerability regarding the 'default' netrc entry was addressed by the later fix in parsenetrc.
Therefore, parsenetrc is the key function: the flawed logic lived there and was fixed there to prevent credential leakage during redirects when a 'default' netrc entry with no credentials is encountered. The vulnerability is triggered when this function processes such an entry in the context of an HTTP redirect; if the 'default' entry matches the redirected host and specifies no credentials, the password from the initial request may be reused for the redirected request.
Test case test486 added in the fixing commit 0e120c5b925e8ca75d5319e specifically verifies this scenario: a redirect from a.com (with specific credentials in netrc) to b.com, where the netrc file has a default entry with no login or password. The fix ensures that alicespassword from a.com is not sent to b.com.
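To make the pre-fix and patched conditions from the parsenetrc discussion and the test486 scenario concrete, here is an added, simplified model of the lookup (example code written for this page, not curl's parsenetrc). It assumes a constructed .netrc with the test486 layout and uses its own result codes; only the NETRC_FILE_MISSING name comes from the fix.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for this model. NETRC_FILE_MISSING is the name the fix uses;
 * the NETRC_OK name and both values are this example's own, not curl's. */
enum netrc_result { NETRC_OK = 0, NETRC_FILE_MISSING = 1 };

/* Constructed .netrc mirroring the test486 layout: credentials for a.com,
 * then a 'default' entry that carries neither login nor password. */
static const char *NETRC =
    "machine a.com login alice password alicespassword\n"
    "default\n";

/* Minimal netrc lookup for `host`. patched == 0 keeps the pre-fix rule the
 * page describes (a matching entry with no password still counts as a match,
 * with an empty password); patched == 1 adds the fix: an entry with neither
 * login nor password is not a credential match. Found values go to login/password. */
enum netrc_result parsenetrc_model(const char *host, int patched,
                                   char *login, size_t llen,
                                   char *password, size_t plen)
{
    char buf[256];
    int matched = 0, have_login = 0, have_pw = 0;
    const char *tok;
    snprintf(buf, sizeof buf, "%s", NETRC);
    login[0] = password[0] = '\0';
    for(tok = strtok(buf, " \n"); tok; tok = strtok(NULL, " \n")) {
        if(!strcmp(tok, "machine")) {
            if(matched) break;                       /* end of the matching entry */
            tok = strtok(NULL, " \n");
            matched = tok && !strcmp(tok, host);
        }
        else if(!strcmp(tok, "default")) {
            if(matched) break;
            matched = 1;                             /* 'default' matches any host */
        }
        else if(matched && !strcmp(tok, "login") && (tok = strtok(NULL, " \n"))) {
            snprintf(login, llen, "%s", tok); have_login = 1;
        }
        else if(matched && !strcmp(tok, "password") && (tok = strtok(NULL, " \n"))) {
            snprintf(password, plen, "%s", tok); have_pw = 1;
        }
    }
    if(!matched || (patched && !have_login && !have_pw))
        return NETRC_FILE_MISSING;             /* patched: credential-less default is no match */
    if(!have_pw)
        password[0] = '\0';                    /* pre-fix path: counted as found, empty password */
    return NETRC_OK;
}
```

With patched == 0 the redirect target b.com is reported as a successful match with an empty password, which is the state the caller could then combine with the previous host's stored password; with patched == 1 the lookup reports no credentials at all.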
The function Curl_http_auth_act (in lib/http.c, not itself modified by the fixing patch for this CVE's logic) decides whether to use authentication, and Curl_output_auth_headers (also in lib/http.c) constructs the Authorization header. The vulnerability is that parsenetrc could incorrectly populate, or leave populated, the password field that these functions then use for the redirected host, because of the mishandling of the 'default' entry with no credentials. The header itself is sent later, but the decision and the data preparation trace back to the netrc parsing logic.
However, the most direct function containing the vulnerable logic that was changed is parsenetrc.