From c29d74f079b854ffc1e815d462819c828f0bfea3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 18 Apr 2015 23:50:16 +0200
Subject: [PATCH] http_done: close Negotiate connections when done

When doing HTTP requests Negotiate authenticated, the entire connection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

CVE-2015-3148

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris

Upstream-commit: 79b9d5f1a42578f807a6c94914bc65cbaa304b6d
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/http.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/http.c b/lib/http.c
index ee0a9a4..a05317e 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1407,8 +1407,14 @@ CURLcode Curl_http_done(struct connectdata *conn,
 
 #ifdef USE_HTTP_NEGOTIATE
   if(data->state.proxyneg.state == GSS_AUTHSENT ||
-      data->state.negotiate.state == GSS_AUTHSENT)
+     data->state.negotiate.state == GSS_AUTHSENT) {
+    /* add forbid re-use if http-code != 401/407 as a WA only needed for
+     * 401/407 that signal auth failure (empty) otherwise state will be RECV
+     * with current code */
+    if((data->req.httpcode != 401) && (data->req.httpcode != 407))
+      conn->bits.close = TRUE; /* Negotiate transfer completed */
     Curl_cleanup_negotiate(data);
+  }
 #endif
 
   /* set the proper values (possibly modified on POST) */
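Review bot: the new comment above the httpcode check is hard to parse ("add forbid re-use if http-code != 401/407 as a WA only needed for 401/407 ...") and abbreviates "workaround" as "WA"; since this is the line that explains why the connection is forced closed, spell it out, e.g. "Negotiate can authenticate the whole connection, not just this request, so forbid re-use once the transfer completes; 401/407 only signal an auth failure, so no close is needed there". Worth stating explicitly in that comment that `conn->bits.close = TRUE` is the mechanism that stops a connection authenticated by a Negotiate exchange from being picked up by a later request, because the `if((data->req.httpcode != 401) && (data->req.httpcode != 407))` exemption is what a future reader will question first. Minor style point: the rewritten `data->state.negotiate.state == GSS_AUTHSENT) {` line also drops one space of indentation relative to the removed line, which is unrelated to the fix and makes the diff noisier than it needs to be.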
-- 
2.3.5