test898: verify the fix for CVE-2022-27776
Do not pass on Authorization headers on redirects to another port
This commit is contained in:
Daniel Stenberg
Родитель
6e65999395
Коммит
afe752e050
|
|
@ -109,7 +109,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
|
|||
test863 test864 test865 test866 test867 test868 test869 test870 test871 \
|
||||
test872 test873 test874 test875 test876 test877 test878 test879 test880 \
|
||||
test881 test882 test883 test884 test885 test886 test887 test888 test889 \
|
||||
test890 test891 test892 test893 test894 test895 test896 test897 \
|
||||
test890 test891 test892 test893 test894 test895 test896 test897 test898 \
|
||||
\
|
||||
test900 test901 test902 test903 test904 test905 test906 test907 test908 \
|
||||
test909 test910 test911 test912 test913 test914 test915 test916 test917 \
|
||||
|
|
|
|||
|
|
@ -0,0 +1,90 @@
|
|||
<testcase>
|
||||
<info>
|
||||
<keywords>
|
||||
HTTP
|
||||
--location
|
||||
Authorization
|
||||
Cookie
|
||||
</keywords>
|
||||
</info>
|
||||
|
||||
#
|
||||
# Server-side
|
||||
<reply>
|
||||
<data>
|
||||
HTTP/1.1 301 redirect
|
||||
Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
Server: test-server/fake
|
||||
Content-Length: 0
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||
|
||||
</data>
|
||||
<data2>
|
||||
HTTP/1.1 200 OK
|
||||
Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
Server: test-server/fake
|
||||
Content-Length: 4
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
|
||||
hey
|
||||
</data2>
|
||||
|
||||
<datacheck>
|
||||
HTTP/1.1 301 redirect
|
||||
Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
Server: test-server/fake
|
||||
Content-Length: 0
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||
Server: test-server/fake
|
||||
Content-Length: 4
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
|
||||
hey
|
||||
</datacheck>
|
||||
|
||||
</reply>
|
||||
|
||||
#
|
||||
# Client-side
|
||||
<client>
|
||||
<server>
|
||||
http
|
||||
</server>
|
||||
<name>
|
||||
HTTP with custom auth and cookies redirected to HTTP on a diff port
|
||||
</name>
|
||||
<command>
|
||||
-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
|
||||
</command>
|
||||
</client>
|
||||
|
||||
#
|
||||
# Verify data after the test has been "shot"
|
||||
<verify>
|
||||
<protocol>
|
||||
GET http://firsthost.com/ HTTP/1.1
|
||||
Host: firsthost.com
|
||||
User-Agent: curl/%VERSION
|
||||
Accept: */*
|
||||
Proxy-Connection: Keep-Alive
|
||||
Authorization: Basic am9lOnNlY3JldA==
|
||||
Cookie: userpwd=am9lOnNlY3JldA==
|
||||
|
||||
GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||||
Host: firsthost.com:9999
|
||||
User-Agent: curl/%VERSION
|
||||
Accept: */*
|
||||
Proxy-Connection: Keep-Alive
|
||||
|
||||
</protocol>
|
||||
</verify>
|
||||
</testcase>
|
||||
Загрузка…
Ссылка в новой задаче