When proxy authentication is used in a CONNECT request (as used for all SSL

connects and otherwise enforced tunnel-thru-proxy requests), the same
authentication header is also wrongly sent to the remote host.

The name and password can then be captured by an evil host and possibly get
used for malicious purposes.

diff --git a/lib/http.c b/lib/http.c
index 7f6752ec58f6c4d239b3a91a373d71c60152a8f0..2418c1bd7d79339610f6535f0f194d07ba4892f7 100644 (file)
--- a/lib/http.c
+++ b/lib/http.c
@@ -91,6 +91,7 @@
 #include "http_digest.h"
 #include "http_ntlm.h"
 #include "http_negotiate.h"
+#include "url.h"
 
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
@@ -552,6 +553,12 @@ CURLcode Curl_ConnectHTTPProxyTunnel(struct connectdata *conn,
       failf(data, "Received error code %d from proxy", httperror);
     return CURLE_RECV_ERROR;
   }
+  
+  /* If a proxy-authorization header was used for the proxy, then we should
+     make sure that it isn't accidentally used for the document request
+     after we've connected. So let's free and clear it here. */
+  Curl_safefree(conn->allocptr.proxyuserpwd);
+  conn->allocptr.proxyuserpwd = NULL;
 
   infof (data, "Proxy replied to CONNECT request\n");
   return CURLE_OK;