1 files changed, 41 insertions, 19 deletions

diff --git a/libs/libcurl/src/url.c b/libs/libcurl/src/url.c
index 28c37019ea..dcb3e2ab2b 100644
--- a/libs/libcurl/src/url.c
+++ b/libs/libcurl/src/url.c
@@ -2651,6 +2651,17 @@ static CURLcode parse_remote_port(struct Curl_easy *data,
   return CURLE_OK;

 }

 

+static bool str_has_ctrl(const char *input)

+{

+  const unsigned char *str = (const unsigned char *)input;

+  while(*str) {

+    if(*str < 0x20)

+      return TRUE;

+    str++;

+  }

+  return FALSE;

+}

+

 /*

  * Override the login details from the URL with that in the CURLOPT_USERPWD

  * option or a .netrc file, if applicable.

@@ -2682,29 +2693,40 @@ static CURLcode override_login(struct Curl_easy *data,
 

     if(data->state.aptr.user &&

        (data->state.creds_from != CREDS_NETRC)) {

-      /* there was a username in the URL. Use the URL decoded version */

+      /* there was a username with a length in the URL. Use the URL decoded

+         version */

       userp = &data->state.aptr.user;

       url_provided = TRUE;

     }

 

-    ret = Curl_parsenetrc(&data->state.netrc, conn->host.name,

-                          userp, passwdp,

-                          data->set.str[STRING_NETRC_FILE]);

-    if(ret > 0) {

-      infof(data, "Couldn't find host %s in the %s file; using defaults",

-            conn->host.name,

-            (data->set.str[STRING_NETRC_FILE] ?

-             data->set.str[STRING_NETRC_FILE] : ".netrc"));

-    }

-    else if(ret < 0) {

-      failf(data, ".netrc parser error");

-      return CURLE_READ_ERROR;

-    }

-    else {

-      /* set bits.netrc TRUE to remember that we got the name from a .netrc

-         file, so that it is safe to use even if we followed a Location: to a

-         different host or similar. */

-      conn->bits.netrc = TRUE;

+    if(!*passwdp) {

+      ret = Curl_parsenetrc(&data->state.netrc, conn->host.name,

+                            userp, passwdp,

+                            data->set.str[STRING_NETRC_FILE]);

+      if(ret > 0) {

+        infof(data, "Couldn't find host %s in the %s file; using defaults",

+              conn->host.name,

+              (data->set.str[STRING_NETRC_FILE] ?

+               data->set.str[STRING_NETRC_FILE] : ".netrc"));

+      }

+      else if(ret < 0) {

+        failf(data, ".netrc parser error");

+        return CURLE_READ_ERROR;

+      }

+      else {

+        if(!(conn->handler->flags&PROTOPT_USERPWDCTRL)) {

+          /* if the protocol can't handle control codes in credentials, make

+             sure there are none */

+          if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) {

+            failf(data, "control code detected in .netrc credentials");

+            return CURLE_READ_ERROR;

+          }

+        }

+        /* set bits.netrc TRUE to remember that we got the name from a .netrc

+           file, so that it is safe to use even if we followed a Location: to a

+           different host or similar. */

+        conn->bits.netrc = TRUE;

+      }

     }

     if(url_provided) {

       Curl_safefree(conn->user);