Merge branch 'ps/http-gssapi-cred-delegation'

In recent versions of cURL, GSSAPI credential delegation is
disabled by default due to CVE-2011-2192; introduce a configuration
to selectively allow enabling this.

* ps/http-gssapi-cred-delegation:
  http: control GSSAPI credential delegation
This commit is contained in:
Junio C Hamano 2016-10-06 14:53:11 -07:00
Родитель cb52426d9a 26a7b23429
Коммит fbfe878f97
2 изменённых файлов: 51 добавлений и 0 удалений

Просмотреть файл

@ -1736,6 +1736,20 @@ http.emptyAuth::
a username in the URL, as libcurl normally requires a username for a username in the URL, as libcurl normally requires a username for
authentication. authentication.
http.delegation::
Control GSSAPI credential delegation. The delegation is disabled
by default in libcurl since version 7.21.7. Set parameter to tell
the server what it is allowed to delegate when it comes to user
credentials. Used with GSS/kerberos. Possible values are:
+
--
* `none` - Don't allow any delegation.
* `policy` - Delegates if and only if the OK-AS-DELEGATE flag is set in the
Kerberos service ticket, which is a matter of realm policy.
* `always` - Unconditionally allow the server to delegate.
--
http.extraHeader:: http.extraHeader::
Pass an additional HTTP header when communicating with a server. If Pass an additional HTTP header when communicating with a server. If
more than one such entry exists, all of them are added as extra more than one such entry exists, all of them are added as extra

37
http.c
Просмотреть файл

@ -90,6 +90,18 @@ static struct {
* here, too * here, too
*/ */
}; };
#if LIBCURL_VERSION_NUM >= 0x071600
static const char *curl_deleg;
static struct {
const char *name;
long curl_deleg_param;
} curl_deleg_levels[] = {
{ "none", CURLGSSAPI_DELEGATION_NONE },
{ "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
{ "always", CURLGSSAPI_DELEGATION_FLAG },
};
#endif
static struct credential proxy_auth = CREDENTIAL_INIT; static struct credential proxy_auth = CREDENTIAL_INIT;
static const char *curl_proxyuserpwd; static const char *curl_proxyuserpwd;
static const char *curl_cookie_file; static const char *curl_cookie_file;
@ -323,6 +335,15 @@ static int http_options(const char *var, const char *value, void *cb)
return 0; return 0;
} }
if (!strcmp("http.delegation", var)) {
#if LIBCURL_VERSION_NUM >= 0x071600
return git_config_string(&curl_deleg, var, value);
#else
warning(_("Delegation control is not supported with cURL < 7.22.0"));
return 0;
#endif
}
if (!strcmp("http.pinnedpubkey", var)) { if (!strcmp("http.pinnedpubkey", var)) {
#if LIBCURL_VERSION_NUM >= 0x072c00 #if LIBCURL_VERSION_NUM >= 0x072c00
return git_config_pathname(&ssl_pinnedkey, var, value); return git_config_pathname(&ssl_pinnedkey, var, value);
@ -629,6 +650,22 @@ static CURL *get_curl_handle(void)
curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY); curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
#endif #endif
#if LIBCURL_VERSION_NUM >= 0x071600
if (curl_deleg) {
int i;
for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {
if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {
curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION,
curl_deleg_levels[i].curl_deleg_param);
break;
}
}
if (i == ARRAY_SIZE(curl_deleg_levels))
warning("Unknown delegation method '%s': using default",
curl_deleg);
}
#endif
if (http_proactive_auth) if (http_proactive_auth)
init_curl_http_auth(result); init_curl_http_auth(result);