connectionexists: use case sensitive user/password comparisons

CVE-2016-8616 Bug: https://curl.haxx.se/docs/adv_20161102B.html Reported-by: Cure53
2025-09-20 11:02:42 +03:00 · 2016-09-27 18:01:53 +02:00 · 2016-09-27 18:01:53 +02:00 · b3ee26c5df
commit b3ee26c5df
parent efd24d5742
1 changed files with 6 additions and 6 deletions
--- a/lib/url.c
+++ b/lib/url.c
@ -3394,8 +3394,8 @@ ConnectionExists(struct Curl_easy *data,
      if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) {
        /* This protocol requires credentials per connection,
           so verify that we're using the same name and password as well */
-        if(!strequal(needle->user, check->user) ||
-           !strequal(needle->passwd, check->passwd)) {
+        if(strcmp(needle->user, check->user) ||
+           strcmp(needle->passwd, check->passwd)) {
          /* one of them was different */
          continue;
        }
@ -3455,8 +3455,8 @@ ConnectionExists(struct Curl_easy *data,
           possible. (Especially we must not reuse the same connection if
           partway through a handshake!) */
        if(wantNTLMhttp) {
-          if(!strequal(needle->user, check->user) ||
-             !strequal(needle->passwd, check->passwd))
+          if(strcmp(needle->user, check->user) ||
+             strcmp(needle->passwd, check->passwd))
            continue;
        }
        else if(check->ntlm.state != NTLMSTATE_NONE) {
@ -3470,8 +3470,8 @@ ConnectionExists(struct Curl_easy *data,
          if(!check->proxyuser || !check->proxypasswd)
            continue;

-          if(!strequal(needle->proxyuser, check->proxyuser) ||
-             !strequal(needle->proxypasswd, check->proxypasswd))
+          if(strcmp(needle->proxyuser, check->proxyuser) ||
+             strcmp(needle->proxypasswd, check->proxypasswd))
            continue;
        }
        else if(check->proxyntlm.state != NTLMSTATE_NONE) {