Red Hat Bugzilla – Attachment 632061 Details for Bug 864566
CVE-2012-4545 elinks: Improper delegation of client credentials during GSS negotiation
[patch] [PATCH] http_negotiate: do not delegate GSSAPI credentials by default
0001-http_negotiate-do-not-delegate-GSSAPI-credentials-by.patch (text/plain), 3.13 KB, created by Kamil Dudka on 2012-10-23 12:20:22 UTC
>From 15d88301e51826ef6ece17e277d05ddeacd7f4d5 Mon Sep 17 00:00:00 2001 >From: Kamil Dudka <kdudka@redhat.com> >Date: Tue, 23 Oct 2012 13:47:16 +0200 >Subject: [PATCH] http_negotiate: do not delegate GSSAPI credentials by default > >This patch introduces a new option protocol.http.gss_deleg that can be >set to a wildcard pattern of GSSAPI delegation trusted URIs. The GSSAPI >credential delegation is allowed only for the URIs matching the pattern. >--- > src/protocol/http/http.c | 3 +++ > src/protocol/http/http_negotiate.c | 21 +++++++++++++++++---- > 2 files changed, 20 insertions(+), 4 deletions(-) > >diff --git a/src/protocol/http/http.c b/src/protocol/http/http.c >index 98053c0..d4de941 100644 >--- a/src/protocol/http/http.c >+++ b/src/protocol/http/http.c >@@ -212,6 +212,9 @@ static struct option_info http_options[] = { > "%t in the string means size of the terminal,\n" > "%b in the string means number of bars displayed by ELinks.")), > >+ INIT_OPT_STRING("protocol.http", N_("GSSAPI delegation trusted URIs"), >+ "gss_deleg", 0, "", >+ N_("Wildcard of URIs that GSSAPI delegation is allowed for.")), > > INIT_OPT_TREE("protocol", N_("HTTPS"), > "https", 0, >diff --git a/src/protocol/http/http_negotiate.c b/src/protocol/http/http_negotiate.c >index ca4c15a..26fe852 100644 >--- a/src/protocol/http/http_negotiate.c >+++ b/src/protocol/http/http_negotiate.c >@@ -23,7 +23,9 @@ > #include <gssapi/gssapi.h> > > #include "elinks.h" >+#include "config/options.h" > #include "network/connection.h" >+#include "network/ssl/match-hostname.h" > #include "protocol/uri.h" > #include "protocol/http/http.h" > #include "protocol/http/http_negotiate.h" 
>@@ -181,16 +183,27 @@ http_negotiate_parse_data(unsigned char *data, int type, > } > > static int >-http_negotiate_create_context(struct negotiate *neg) >+http_negotiate_deleg_allowed(struct uri *uri) >+{ >+ const char *glob = get_opt_str("protocol.http.gss_deleg", NULL); >+ const size_t glob_len = strlen(glob); >+ return match_hostname_pattern(uri->host, uri->hostlen, glob, glob_len); >+} >+ >+static int >+http_negotiate_create_context(struct negotiate *neg, struct uri *uri) > { > OM_uint32 major_status, minor_status; > >+ const OM_uint32 req_flags = http_negotiate_deleg_allowed(uri) ? >+ GSS_C_DELEG_FLAG : 0; >+ > major_status = gss_init_sec_context(&minor_status, > GSS_C_NO_CREDENTIAL, > &neg->context, > neg->server_name, > GSS_C_NO_OID, >- GSS_C_DELEG_FLAG, >+ req_flags, > 0, > GSS_C_NO_CHANNEL_BINDINGS, > &neg->input_token, >@@ -242,7 +255,7 @@ http_negotiate_input(struct connection *conn, struct uri *uri, > if (data && http_negotiate_parse_data(data, type, &neg->input_token)) > return -1; > >- ret = http_negotiate_create_context(neg); >+ ret = http_negotiate_create_context(neg, uri); > if (ret == 0 && isnew) > http_negotiate_save(neg); > >@@ -264,7 +277,7 @@ http_negotiate_output(struct uri *uri, struct string *header) > return -1; > > if (neg->output_token.length == 0) { >- if (http_negotiate_create_context(neg) < 0) { >+ if (http_negotiate_create_context(neg, uri) < 0) { > /* full cleanup on error and ask for > * new WWW-Authenticate from server > */ >-- >1.7.1 >
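Review bot: In the src/protocol/http/http.c hunk, the caption "GSSAPI delegation trusted URIs" and the help text "Wildcard of URIs that GSSAPI delegation is allowed for." describe a URI pattern, but http_negotiate_deleg_allowed() passes only uri->host and uri->hostlen to match_hostname_pattern(), so the value is a host name pattern. Suggest rewording both strings to say host names, and having the help text state what the empty default ("") means, since that is the setting most users will have.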
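Review bot: In the include hunk of src/protocol/http/http_negotiate.c (@@ -23,7 +23,9 @@), the added #include "network/ssl/match-hostname.h" makes the HTTP Negotiate code depend on a helper that lives under the SSL directory. Please confirm that match_hostname_pattern() is still compiled and linked when ELinks is built with GSSAPI but without SSL support, or move the helper somewhere that is not tied to the SSL build.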
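Review bot: In the @@ -181,16 +183,27 @@ hunk, http_negotiate_deleg_allowed() decides on uri->host alone, so any URI whose host matches protocol.http.gss_deleg gets GSS_C_DELEG_FLAG regardless of scheme or port. Consider also checking the scheme before returning a match, or document that a matching host is trusted for delegation over plain http as well. The default-off behaviour also rests on match_hostname_pattern() returning 0 for the empty default pattern, which is not visible in this file; an explicit early return when glob_len is 0, or a one-line comment saying so, would make that guarantee local to the function.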