From 88c7e16cceec816a2df45c899d49b1e85513f193 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 20 May 2026 13:39:25 +0200 Subject: [PATCH] setopt: clear proxy auth properly on NULL Verify NULLed proxy credentials with test1648 Closes #21696 --- lib/setopt.c | 12 ++-- tests/data/Makefile.am | 2 +- tests/data/test1648 | 63 +++++++++++++++++ tests/libtest/Makefile.inc | 2 +- tests/libtest/lib1648.c | 135 +++++++++++++++++++++++++++++++++++++ 5 files changed, 206 insertions(+), 8 deletions(-) create mode 100644 tests/data/test1648 create mode 100644 tests/libtest/lib1648.c diff --git a/lib/setopt.c b/lib/setopt.c index 5a3e02c76f..067a8450de 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -1661,16 +1661,16 @@ static CURLcode setopt_cptr_proxy(struct Curl_easy *data, CURLoption option, result = setstropt_userpwd(ptr, &u, &p); /* URL decode the components */ - if(!result && u) { + if(!result) { curlx_safefree(s->str[STRING_PROXYUSERNAME]); - result = Curl_urldecode(u, 0, &s->str[STRING_PROXYUSERNAME], NULL, - REJECT_ZERO); - } - if(!result && p) { curlx_safefree(s->str[STRING_PROXYPASSWORD]); + if(u) + result = Curl_urldecode(u, 0, &s->str[STRING_PROXYUSERNAME], NULL, + REJECT_ZERO); + } + if(!result && p) result = Curl_urldecode(p, 0, &s->str[STRING_PROXYPASSWORD], NULL, REJECT_ZERO); - } curlx_free(u); curlx_free(p); break; diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index cde5c28736..2621c4dc7b 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -216,7 +216,7 @@ test1612 test1613 test1614 test1615 test1616 test1617 test1618 test1619 \ test1620 test1621 test1622 test1623 test1624 test1625 test1626 test1627 \ test1628 test1629 test1630 test1631 test1632 test1633 test1634 test1635 \ test1636 test1637 test1638 test1639 test1640 test1641 test1642 test1643 \ -test1644 test1645 test1646 test1647 \ +test1644 test1645 test1646 test1647 test1648 \ \ test1650 test1651 test1652 test1653 test1654 test1655 test1656 test1657 \ test1658 test1659 test1660 test1661 test1662 test1663 test1664 test1665 \ diff --git a/tests/data/test1648 b/tests/data/test1648 new file mode 100644 index 0000000000..623f3c9a81 --- /dev/null +++ b/tests/data/test1648 @@ -0,0 +1,63 @@ + + + + +HTTP +HTTP GET +HTTP proxy +HTTP proxy auth + + + +# Server-side + + +# this is returned first since we get no proxy-auth + +HTTP/1.1 407 Authorization Required to proxy me my dear +Proxy-Authenticate: Digest realm="weirdorealm", nonce="12345" +Content-Length: 33 + +And you should ignore this data. + + + + +# Client-side + + +http + +# tool is what to use instead of 'curl' + +lib%TESTNUMBER + + +proxy + + +HTTP proxy with auth, change proxy, clear auth + + +%HOSTIP %HTTPPORT + + + +# Verify data after the test has been "shot" + + +GET http://example.com/ HTTP/1.1 +Host: example.com +Proxy-Authorization: Basic %b64[victim:secret]b64% +Accept: */* +Proxy-Connection: Keep-Alive + +GET http://example.com/ HTTP/1.1 +Host: example.com +Accept: */* +Proxy-Connection: Keep-Alive + + + + + diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc index 586db5a2c9..d3e194b0c7 100644 --- a/tests/libtest/Makefile.inc +++ b/tests/libtest/Makefile.inc @@ -99,7 +99,7 @@ TESTS_C = \ lib1576.c lib1582.c lib1587.c lib1588.c lib1589.c \ lib1591.c lib1592.c lib1593.c lib1594.c lib1597.c \ lib1598.c lib1599.c \ - lib1647.c \ + lib1647.c lib1648.c \ lib1662.c \ lib1900.c lib1901.c lib1902.c lib1903.c lib1905.c lib1906.c lib1907.c \ lib1908.c lib1910.c lib1911.c lib1912.c lib1913.c \ diff --git a/tests/libtest/lib1648.c b/tests/libtest/lib1648.c new file mode 100644 index 0000000000..e97b2bdc88 --- /dev/null +++ b/tests/libtest/lib1648.c @@ -0,0 +1,135 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ +/* + * URL = host + * arg2 = port + */ + +#include "first.h" + +/* this is meant to pick up the proxy from the environment variable */ +static CURLcode init1648(CURL *curl, const char *url, const char *proxy) +{ + CURLcode result = CURLE_OK; + + res_easy_setopt(curl, CURLOPT_URL, url); + if(result) + goto init_failed; + + res_easy_setopt(curl, CURLOPT_PROXY, proxy); + if(result) + goto init_failed; + + res_easy_setopt(curl, CURLOPT_VERBOSE, 1L); + if(result) + goto init_failed; + + return CURLE_OK; /* success */ + +init_failed: + return result; /* failure */ +} + +static CURLcode run1648(CURL *curl, const char *url, const char *userpwd) +{ + CURLcode result = CURLE_OK; + + result = init1648(curl, url, userpwd); + if(result) + return result; + + return curl_easy_perform(curl); +} + +#define GET_THIS "http://example.com/" + +/* + * First get the URL over 'firstproxy' with auth. + * Then clear the auth and get the URL again over 'secondproxy'. + */ +static CURLcode test_lib1648(const char *hostip) +{ + CURLcode result = CURLE_OK; + CURL *curl = NULL; + struct curl_slist *host = NULL; + struct curl_slist *host2 = NULL; + char proxy1_resolve[128]; + char proxy2_resolve[128]; + char proxy1_connect[128]; + char proxy2_connect[128]; + + curl_msnprintf(proxy1_resolve, sizeof(proxy1_resolve), + "firstproxy:%s:%s", libtest_arg2, hostip); + curl_msnprintf(proxy2_resolve, sizeof(proxy2_resolve), + "secondproxy:%s:%s", libtest_arg2, hostip); + + /* we connect to the fake host name but the right port number */ + curl_msnprintf(proxy1_connect, sizeof(proxy1_connect), + "firstproxy:%s", libtest_arg2); + curl_msnprintf(proxy2_connect, sizeof(proxy2_connect), + "secondproxy:%s", libtest_arg2); + + res_global_init(CURL_GLOBAL_ALL); + if(result) + return result; + + curl = curl_easy_init(); + if(!curl) { + curl_mfprintf(stderr, "curl_easy_init() failed\n"); + curl_global_cleanup(); + return TEST_ERR_MAJOR_BAD; + } + + host = curl_slist_append(NULL, proxy1_resolve); + if(!host) + goto test_cleanup; + host2 = curl_slist_append(host, proxy2_resolve); + if(!host2) + goto test_cleanup; + host = host2; + + start_test_timing(); + + easy_setopt(curl, CURLOPT_RESOLVE, host); + easy_setopt(curl, CURLOPT_PROXYUSERPWD, "victim:secret"); + + curl_mprintf("--- First get over %s\n", proxy1_connect); + result = run1648(curl, GET_THIS, proxy1_connect); + if(result) + goto test_cleanup; + + easy_setopt(curl, CURLOPT_PROXYUSERPWD, NULL); + + curl_mprintf("--- Then over '%s'\n", proxy2_connect); + result = run1648(curl, GET_THIS, proxy2_connect); + +test_cleanup: + + /* proper cleanup sequence - type PB */ + + curl_easy_cleanup(curl); + curl_global_cleanup(); + curl_slist_free_all(host); + return result; +}