path: root/curl-7.15.5-CVE-2011-2192.patch
blob: 6d36cdc14e04c520029ff98c55a80ddccdb5d9d8 (plain)
From b9c6df58e821977a0be886f6847311a4ffc7124e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 8 Jun 2011 00:10:26 +0200
Subject: [PATCH] Curl_input_negotiate: do not delegate GSSAPI credentials

This is a security flaw. See curl advisory 20110623 for details.

Reported by: Richard Silverman

Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/http_negotiate.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 08064d6..4015e2f 100644
--- a/lib/http_negotiate.c
+++ b/lib/http_negotiate.c
@@ -216,7 +216,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header)
                                       &neg_ctx->context,
                                       neg_ctx->server_name,
                                       GSS_C_NO_OID,
-                                      GSS_C_DELEG_FLAG,
+                                      0,
                                       0,
                                       GSS_C_NO_CHANNEL_BINDINGS,
                                       &input_token,
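Review bot: the replacement `0` at the former `GSS_C_DELEG_FLAG` position sits directly above another bare `0`, so the call now carries two adjacent unlabelled zeros and nothing at the call site records that delegation is deliberately not requested. Add a short comment on that line, for example `/* request flags: never ask for credential delegation */`, so that a later cleanup does not restore the flag; the commit message itself only points to advisory 20110623. As far as this hunk shows, the change is also unconditional: an application that relied on delegated credentials gets no way to ask for them, and that behaviour change deserves a sentence in the commit message or release notes.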
-- 
1.7.4.4