Package: libcurl3-gnutls
Version: 7.74.0-1.3+deb11u5

When a curl handle is used to follow a cross-protocol (e.g. https to
http) redirect, subsequent requests done with the same handle lack the
"Authorization" header even though basicauth credentials are provided.

The following pycurl-based Python script demonstrates the problem (I'm
sorry I cannot provide a reproducer in C):

### START OF SCRIPT ###

#!/usr/bin/env python3
import pycurl

curl = pycurl.Curl()

# Perform request with https-to-http redirect
curl.setopt(pycurl.VERBOSE, True)
curl.setopt(
    pycurl.URL,
    "https://httpbin.org/redirect-to?url=http://httpbin.org",
)
curl.setopt(pycurl.FOLLOWLOCATION, True)
curl.setopt(pycurl.WRITEFUNCTION, lambda buff: None)  # discard the body
curl.perform()
assert curl.getinfo(pycurl.REDIRECT_COUNT) == 1
assert curl.getinfo(pycurl.RESPONSE_CODE) == 200

# Reset all options; the same handle is reused for the next transfer
curl.reset()

# Perform request with basicauth. This fails.
curl.setopt(pycurl.VERBOSE, True)
curl.setopt(
    pycurl.HTTPAUTH,
    pycurl.HTTPAUTH_ANY & ~pycurl.HTTPAUTH_NEGOTIATE,
)
curl.setopt(
    pycurl.URL,
    "https://httpbin.org:443/basic-auth/user/password",
)
curl.setopt(pycurl.USERPWD, "user:password")
curl.perform()
print("Status:", curl.getinfo(pycurl.RESPONSE_CODE))

### END OF SCRIPT ###


The debug output of libcurl contains the message

* Clear auth, redirects to port from 443 to 80

when following the redirect. The requests during the second transfer
all lack the "Authorization" header (full log is attached). When the
first request is omitted, the second one works.

The bug must have been introduced after 7.74.0-1.3+deb11u3 because that
version does not have this problem. I suspect that the patch
"CVE-2022-27774_2_of_4.patch" introduced in version 7.74.0-1.3+deb11u5 is
incomplete because it sets the "this_is_a_follow_without_auth" bit but
never seems to clear it.

Regards
Marc Schmitzer




### START OF LOG ###

*   Trying 52.200.117.68:443...
* Connected to httpbin.org (52.200.117.68) port 443 (#0)
* found 389 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: httpbin.org (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=httpbin.org
* 	 start date: Fri, 21 Oct 2022 00:00:00 GMT
* 	 expire date: Sun, 19 Nov 2023 23:59:59 GMT
* 	 issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1cd1570)
> GET /redirect-to?url=http://httpbin.org HTTP/2
Host: httpbin.org
user-agent: PycURL/7.43.0.6 libcurl/7.74.0 GnuTLS/3.7.1 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 302
< date: Wed, 08 Feb 2023 15:56:22 GMT
< content-type: text/html; charset=utf-8
< content-length: 0
< location: http://httpbin.org
< server: gunicorn/19.9.0
< access-control-allow-origin: *
< access-control-allow-credentials: true
<
* Connection #0 to host httpbin.org left intact
* Clear auth, redirects to port from 443 to 80
* Issue another request to this URL: 'http://httpbin.org/'
*   Trying 52.1.93.201:80...
* Connected to httpbin.org (52.1.93.201) port 80 (#1)
> GET / HTTP/1.1
Host: httpbin.org
User-Agent: PycURL/7.43.0.6 libcurl/7.74.0 GnuTLS/3.7.1 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
Accept: */*

* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Wed, 08 Feb 2023 15:56:23 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 9593
< Connection: keep-alive
< Server: gunicorn/19.9.0
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
<
* Connection #1 to host httpbin.org left intact
* Found bundle for host httpbin.org: 0x1cc56a0 [can multiplex]
* Re-using existing connection! (#0) with host httpbin.org
* Connected to httpbin.org (52.200.117.68) port 443 (#0)
* Using Stream ID: 3 (easy handle 0x1cd1570)
> GET /basic-auth/user/password HTTP/2
Host: httpbin.org
user-agent: PycURL/7.43.0.6 libcurl/7.74.0 GnuTLS/3.7.1 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
accept: */*

< HTTP/2 401
< date: Wed, 08 Feb 2023 15:56:23 GMT
< content-length: 0
< server: gunicorn/19.9.0
< www-authenticate: Basic realm="Fake Realm"
< access-control-allow-origin: *
< access-control-allow-credentials: true
<
* Connection #0 to host httpbin.org left intact
* Issue another request to this URL: 'https://httpbin.org:443/basic-auth/user/password'
* Found bundle for host httpbin.org: 0x1cc56a0 [can multiplex]
* Re-using existing connection! (#0) with host httpbin.org
* Connected to httpbin.org (52.200.117.68) port 443 (#0)
* Using Stream ID: 5 (easy handle 0x1cd1570)
> GET /basic-auth/user/password HTTP/2
Host: httpbin.org
user-agent: PycURL/7.43.0.6 libcurl/7.74.0 GnuTLS/3.7.1 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.43.0 librtmp/2.3
accept: */*

< HTTP/2 401
< date: Wed, 08 Feb 2023 15:56:23 GMT
< content-length: 0
< server: gunicorn/19.9.0
* Authentication problem. Ignoring this.
< www-authenticate: Basic realm="Fake Realm"
< access-control-allow-origin: *
< access-control-allow-credentials: true
<
* Connection #0 to host httpbin.org left intact
Status: 401

### END OF LOG ###
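As an added illustration (not code from the report, from libcurl or from pycurl), the following Python model separates the two behaviours visible in the log: the rule that strips credentials when a redirect changes protocol, host or port (the intended behaviour behind the "Clear auth, redirects to port from 443 to 80" message and the CVE-2022-27774 class of leak), and what happens when the resulting per-transfer "follow without auth" state is not cleared before the next transfer on the same handle. `Handle`, `clear_auth_reason`, `reproduce` and the `FAKE_SERVER` responses are constructed stand-ins for httpbin.org and for an easy handle; the flag name mirrors the one named in the report, but its handling here is a hypothetical model, not libcurl's implementation.

```python
#!/usr/bin/env python3
"""Model of the redirect credential policy discussed in the report.
Hypothetical, simplified reimplementation; not libcurl or pycurl code."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed responses standing in for httpbin.org:
# url -> (status, Location header, endpoint requires Basic auth)
FAKE_SERVER = {
    "https://httpbin.org/redirect-to?url=http://httpbin.org":
        (302, "http://httpbin.org/", False),
    "http://httpbin.org/": (200, None, False),
    "https://httpbin.org:443/basic-auth/user/password": (200, None, True),
}


def origin(url):
    """(scheme, host, effective port); explicit and default ports compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS[scheme]


def clear_auth_reason(from_url, to_url):
    """Reason credentials must be dropped when following from_url -> to_url, or None.

    Credentials never follow a redirect to a different protocol, host or port;
    this is the check that produces the "Clear auth" log line in the report."""
    s1, h1, p1 = origin(from_url)
    s2, h2, p2 = origin(to_url)
    if s1 != s2:
        return f"protocol changed from {s1} to {s2}"
    if h1 != h2:
        return f"host changed from {h1} to {h2}"
    if p1 != p2:
        return f"port changed from {p1} to {p2}"
    return None


class Handle:
    """Stand-in for a reusable easy handle with one piece of per-transfer state."""

    def __init__(self, clear_flag_per_transfer=True):
        # True models correct behaviour; False models the suspected bug where the
        # "follow without auth" flag survives into later transfers on the handle.
        self.clear_flag_per_transfer = clear_flag_per_transfer
        self.follow_without_auth = False
        self.userpwd = None

    def reset(self):
        """Like curl.reset(): options return to defaults, the handle is reused."""
        self.userpwd = None

    def perform(self, url, max_redirs=5):
        """Run one transfer; return [(url, authorization_sent, status), ...]."""
        if self.clear_flag_per_transfer:
            self.follow_without_auth = False
        requests = []
        for _ in range(max_redirs + 1):
            status, location, needs_auth = FAKE_SERVER[url]
            # Credentials are sent eagerly (as with Basic alone) unless an
            # earlier hop of this transfer forbade carrying them forward.
            sent = self.userpwd is not None and not self.follow_without_auth
            if needs_auth and not sent:
                status = 401
            requests.append((url, sent, status))
            if status in (301, 302, 303, 307, 308) and location:
                if clear_auth_reason(url, location):
                    self.follow_without_auth = True
                url = location
                continue
            return requests
        raise RuntimeError("too many redirects")


def reproduce(clear_flag_per_transfer=True):
    """The report's sequence: cross-protocol redirect, reset, then Basic auth."""
    h = Handle(clear_flag_per_transfer)
    first = h.perform("https://httpbin.org/redirect-to?url=http://httpbin.org")
    h.reset()
    h.userpwd = "user:password"
    second = h.perform("https://httpbin.org:443/basic-auth/user/password")
    return first, second


if __name__ == "__main__":
    for fixed in (True, False):
        first, second = reproduce(fixed)
        print("per-transfer reset:", fixed)
        for hop in first + second:
            print("  %-55s auth=%-5s status=%d" % hop)
```

With the flag cleared per transfer, the first transfer sends no Authorization on either hop and the second transfer authenticates; with the flag left set, the second transfer silently omits the header and ends in 401, which is the symptom in the attached log. The same sequence run against a real handle is the regression check worth keeping: after any cross-protocol redirect, a fresh transfer on that handle must still send credentials.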