Bug 1260178 - curl and libcurl truncates username/password in URL to 255 characters
Summary: curl and libcurl truncates username/password in URL to 255 characters
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: curl
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Kamil Dudka
QA Contact: Stefan Dordevic
Docs Contact: Lenka Špačková
URL:
Whiteboard:
Depends On:
Blocks: 1203710 1289025 1295829 1313485
 
Reported: 2015-09-04 16:21 UTC by Cesar Wong
Modified: 2020-01-17 15:33 UTC
CC List: 7 users

Fixed In Version: curl-7.29.0-30.el7
Doc Type: Bug Fix
Doc Text:
*libcurl* no longer truncates long user names and passwords
The URL parser in the *libcurl* library previously did not support arbitrarily long user names and passwords. Consequently, user names and passwords longer than 255 characters were truncated. A series of upstream patches has been applied on the *libcurl* source code, and long user names and passwords in the URLs are now processed correctly by *libcurl*.
Clone Of:
Environment:
Last Closed: 2016-11-03 17:43:02 UTC
Target Upstream Version:
Embargoed:


Attachments
backport of 28 (+5 trivial) upstream commits (99.53 KB, patch), 2015-09-07 17:25 UTC, Kamil Dudka, flag kdudka: review?


Links
Red Hat Product Errata RHSA-2016:2575 (priority normal, status SHIPPED_LIVE): Moderate: curl security, bug fix, and enhancement update, last updated 2016-11-03 12:06:39 UTC

Description Cesar Wong 2015-09-04 16:21:42 UTC
Description of problem:

Invoking $ curl http://[username]:[password]@some.url/

where the length of username or password is greater than 255 characters, truncates the value to 255 characters.

Version-Release number of selected component (if applicable):
curl-7.29.0-19.el7.x86_64

How reproducible: Always


Steps to Reproduce:
1. # Generate a long password string
   $ PASSWORD=$(head -c 300 < /dev/zero | tr '\0' '\141')
2. # Invoke curl with the password and inspect the authorization header
   $ SENTPASSWORD=$(curl -v http://test:${PASSWORD}@redhat.com/ 2>&1 | grep "Authorization" | awk '{ print $4}' | base64 -di | cut -d: -f2)
3. # Test whether the sent password is the same as the original password
   $ if [ "$PASSWORD" = "$SENTPASSWORD" ]; then echo "Success"; fi

Actual results:
No success message is printed. The sent password is 255 characters, while the original password is 300 characters.

Expected results:
Success is printed. The original password and the password sent by curl are the same.

Additional info:
The same test succeeds in Fedora 22. The issue has been fixed in curl v7.33.

Comment 3 Kamil Dudka 2015-09-07 17:25:58 UTC
Created attachment 1071073 [details]
backport of 28 (+5 trivial) upstream commits

I propose to pick the following 28 (+5 trivial) upstream commits:

> https://github.com/bagder/curl/commit/73aa9559 - url: Added support for parsing login options from the URL
> https://github.com/bagder/curl/commit/90c87f31 - url: Reworked URL parsing to allow overriding by CURLOPT_USERPWD
> https://github.com/bagder/curl/commit/0d49e408 - url: Re-factored set_userpass() and parse_url_userpass()
> https://github.com/bagder/curl/commit/bb20989a - url: Moved parsing of login details out of parse_url_login()
> https://github.com/bagder/curl/commit/49184c37 - url: Added bounds checking to parse_login_details()
> https://github.com/bagder/curl/commit/fddb7b44 - url: Added support for parsing login options from the CURLOPT_USERPWD
> https://github.com/bagder/curl/commit/d535c4a2 - url: Added overriding of URL login options from CURLOPT_USERPWD
> https://github.com/bagder/curl/commit/fe880475 - url: Fixed memory leak in setstropt_userpwd()
> https://github.com/bagder/curl/commit/e99c81a0 - url: Correction to scope of if statements when setting data
> https://github.com/bagder/curl/commit/bddf3d47 - url: Simplified setstropt_userpwd() following recent changes
> https://github.com/bagder/curl/commit/e8a9f794 - url: Tidy up of code and comments following recent changes
> https://github.com/bagder/curl/commit/702b0dd4 - url: Tidy up of setstropt_userpwd() parameters
> https://github.com/bagder/curl/commit/11332577 - url: Updated proxy URL parsing to use parse_login_details()
> https://github.com/bagder/curl/commit/416ecc15 - url: Fixed crash when no username or password supplied for proxy
> https://github.com/bagder/curl/commit/ddac43b3 - url: Fixed missing length check in parse_proxy()
> https://github.com/bagder/curl/commit/abca89aa - url: restore the functionality of 'curl -u :'
> https://github.com/bagder/curl/commit/83f0dae1 - url.c: fix parse_login_details() OOM handling
> https://github.com/bagder/curl/commit/cfc907e4 - url.c: fix parse_url_login() OOM handling
> https://github.com/bagder/curl/commit/53333a43 - url: use goto in create_conn() for exception handling
> https://github.com/bagder/curl/commit/11baffbf - url: allocate username, password, and options on the heap
> https://github.com/bagder/curl/commit/36585b53 - netrc: handle longer username and password
> https://github.com/bagder/curl/commit/15f76bf7 - Curl_setopt: handle arbitrary-length username and password
> https://github.com/bagder/curl/commit/09ddb1d6 - url: handle exceptional cases first in parse_url_login()
> https://github.com/bagder/curl/commit/455ba691 - url: Removed unused text length constants
> https://github.com/bagder/curl/commit/2f1a0bc0 - url: handle arbitrary-length username and password before '@'
> https://github.com/bagder/curl/commit/322f0bc2 - url.c: Fixed compilation warning
> https://github.com/bagder/curl/commit/169fedbd - login options: remove the ;[options] support from CURLOPT_USERPWD
> https://github.com/bagder/curl/commit/76815144 - netrc: Fixed a memory leak in an OOM condition

My first version of their backport is attached.
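The mechanism behind the reporter's 300-to-255 observation and the shape of the upstream fix ("allocate username, password, and options on the heap"), as an added illustration in C. This is not libcurl's code (its parser lives in lib/url.c and the bug was fixed there by the commits listed above); the function names, the 256-byte constant and the simplified "last '@' before the first '/'" split are assumptions made for the demo. The old-style parser copies the login part into fixed stack buffers, so an over-long credential is cut silently and authentication fails downstream with no error from the library; the new-style parser sizes its allocations from the measured span, so any length round-trips intact.

```c
/* Added illustration, not libcurl's code: a minimal URL login parser in the two
 * shapes described in this bug.  "old" uses fixed 256-byte buffers (255 chars
 * plus NUL) and truncates silently; "new" allocates from the measured length.
 * OLD_MAX_LEN and all function names are assumptions for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OLD_MAX_LEN 256   /* assumed fixed buffer size, as in curl < 7.33 */

struct login { char *user; char *pass; };

/* Heap copy of the first n bytes of s, NUL-terminated; NULL on OOM. */
static char *dup_str(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (!d)
        return NULL;
    memcpy(d, s, n);
    d[n] = '\0';
    return d;
}

/* Locate "user:pass@" in the authority of "scheme://user:pass@host/...".
 * Returns 0 when the URL carries no login part.  The last '@' before the
 * first '/' terminates the login (a simplification of what curl does). */
static int find_login(const char *url, const char **ubeg, size_t *ulen,
                      const char **pbeg, size_t *plen)
{
    const char *start = strstr(url, "://");
    const char *slash, *at = NULL, *colon, *p;
    start = start ? start + 3 : url;
    slash = strchr(start, '/');
    for (p = start; *p && (!slash || p < slash); p++)
        if (*p == '@')
            at = p;
    if (!at)
        return 0;
    colon = memchr(start, ':', (size_t)(at - start));
    *ubeg = start;
    *ulen = colon ? (size_t)(colon - start) : (size_t)(at - start);
    *pbeg = colon ? colon + 1 : at;
    *plen = colon ? (size_t)(at - colon - 1) : 0;
    return 1;
}

/* "Before": bounded copies into fixed buffers.  Safe against overflow, but
 * exactly the silent truncation the reporter saw (300 -> 255 characters). */
static int parse_login_old(const char *url, struct login *out)
{
    const char *ub, *pb;
    size_t ul, pl;
    char user[OLD_MAX_LEN], pass[OLD_MAX_LEN];
    if (!find_login(url, &ub, &ul, &pb, &pl))
        return 0;
    snprintf(user, sizeof user, "%.*s", (int)ul, ub);
    snprintf(pass, sizeof pass, "%.*s", (int)pl, pb);
    out->user = dup_str(user, strlen(user));
    out->pass = dup_str(pass, strlen(pass));
    return out->user && out->pass;
}

/* "After": sizes come from the input, so arbitrary lengths survive. */
static int parse_login_new(const char *url, struct login *out)
{
    const char *ub, *pb;
    size_t ul, pl;
    if (!find_login(url, &ub, &ul, &pb, &pl))
        return 0;
    out->user = dup_str(ub, ul);
    out->pass = dup_str(pb, pl);
    return out->user && out->pass;
}

static void free_login(struct login *l) { free(l->user); free(l->pass); }

static int has_login(const char *url)
{
    const char *ub, *pb;
    size_t ul, pl;
    return find_login(url, &ub, &ul, &pb, &pl);
}

/* Constructed input: the reporter's URL with an n-character password of 'a'. */
static char *make_url(size_t n)
{
    const char *pre = "http://test:", *post = "@redhat.com/";
    char *url = malloc(strlen(pre) + n + strlen(post) + 1);
    if (!url)
        return NULL;
    strcpy(url, pre);
    memset(url + strlen(pre), 'a', n);
    strcpy(url + strlen(pre) + n, post);
    return url;
}

/* Password length each parser recovers from an n-character password. */
static size_t sent_len_old(size_t n)
{
    char *u = make_url(n); struct login l = {0, 0}; size_t r = 0;
    if (u && parse_login_old(u, &l)) { r = strlen(l.pass); free_login(&l); }
    free(u);
    return r;
}
static size_t sent_len_new(size_t n)
{
    char *u = make_url(n); struct login l = {0, 0}; size_t r = 0;
    if (u && parse_login_new(u, &l)) { r = strlen(l.pass); free_login(&l); }
    free(u);
    return r;
}

int main(void)
{
    printf("old parser keeps %zu of 300 password characters\n", sent_len_old(300));
    printf("new parser keeps %zu of 300 password characters\n", sent_len_new(300));
    return 0;
}
```

The "old" variant is deliberately written with bounded snprintf rather than strcpy: the point of this bug is not memory corruption but that a bounds-safe fixed buffer still produces a wrong credential with no error, which is why the OpenShift and CodeCommit token cases below fail silently at the server rather than crashing the client.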

Comment 7 Cesar Wong 2015-09-22 17:21:51 UTC
I tested with RHEL 7.1 and the updated curl does fix the issue with the username/password truncation. Thank you!

Comment 10 Cesar Wong 2015-12-07 14:23:29 UTC
The main use case for this is that in OpenShift we use a RHEL container image as our builder. The builder needs to retrieve source code from a repository using git, which in turn uses libcurl. The internal OpenShift git server accepts tokens (which, for service accounts, are 1k in size) for authentication. With the current version of libcurl, authentication always fails for these service accounts. Therefore, our ability to build using a RHEL-based builder is limited without this fix.

Comment 18 Thomas Jones 2016-08-18 02:37:27 UTC
(In reply to Cesar Wong from comment #10)
> The main use case for this is that in OpenShift we use a RHEL container
> image as our builder. The builder needs to retrieve source code from a
> repository using git, which in turn uses libcurl. The internal OpenShift git
> server accepts tokens (which, for service accounts, are 1k in size) for
> authentication. With the current version of libcurl, authentication always
> fails for these service accounts. Therefore, our ability to build using a
> RHEL-based builder is limited without this fix.

This appears to similarly afflict the ability to use AWS CodeCommit via instance roles. Instance roles use ephemeral tokens that are transmitted via authenticated HTTPS to the CodeCommit git repositories. These tokens are similarly large in size. Right now, neither EL 6 nor EL 7 are able to use CodeCommit at provisioning-time or as part of an automated replication function (e.g., RedMine's SCM modules that pull git content into RedMine-hosted projects).

Is there a timetable for the fix mentioned in comment #7 to be pushed into EL7 (and preferably EL6 as well)?

Comment 19 Kamil Dudka 2016-08-19 08:15:43 UTC
(In reply to Thomas Jones from comment #18)
> Is there a timetable for the fix mentioned in comment #7 to be pushed into
> EL7 (and preferable EL6 as well)?

The fix is going to be included in RHEL-7.3.  There is no plan for RHEL-6 yet.

Comment 20 Thomas Jones 2016-08-19 13:03:55 UTC
(In reply to Kamil Dudka from comment #19)
> The fix is going to be included in RHEL-7.3.  There is no plan for RHEL-6
> yet.

Thanks for the update. Is this going to be via the 7.43 RPM that's available via cbs.centos.org?

Comment 21 Kamil Dudka 2016-08-19 13:50:51 UTC
(In reply to Thomas Jones from comment #20)
> Thanks for the update. Is this going to be via the 7.43 RPM that's available
> via cbs.centos.org?

Nope.  It will be curl-7.29.0-x.el7, where x >= 30.  See the Fixed In Version field on top of this page.

Comment 22 Thomas Jones 2016-10-25 12:16:18 UTC
Will this change be in 7.3, or will it be released before then?

Comment 23 Kamil Dudka 2016-10-25 12:23:20 UTC
Yes, we expect the fix for this bug to be included in RHEL-7.3 GA.

Comment 25 errata-xmlrpc 2016-11-03 17:43:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2575.html

