diff options
author | Patrick Monnerat <patrick@monnerat.net> | 2021-09-08 11:56:22 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-09-13 16:51:31 +0200 |
commit | 364f174724ef115c63d5e5dc1d3342c8a43b1cca (patch) | |
tree | 9856fb764ee026d4c55c9525496b541a79af7800 /lib/pop3.c | |
parent | 43157490a5054bd24256fe12876931e8abc9df49 (diff) | |
download | curl-364f174724ef115c63d5e5dc1d3342c8a43b1cca.tar.gz |
ftp,imap,pop3: do not ignore --ssl-reqd
In imap and pop3, check if TLS is required even when capabilities
request has failed.
In ftp, ignore preauthentication (230 status of server greeting) if TLS
is required.
Bug: https://curl.se/docs/CVE-2021-22946.html
CVE-2021-22946
Diffstat (limited to 'lib/pop3.c')
-rw-r--r-- | lib/pop3.c | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/lib/pop3.c b/lib/pop3.c index d7b5283e1..a331d71f7 100644 --- a/lib/pop3.c +++ b/lib/pop3.c @@ -740,28 +740,23 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, } } } - else if(pop3code == '+') { - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { - /* We don't have a SSL/TLS connection yet, but SSL is requested */ - if(pop3c->tls_supported) - /* Switch to TLS connection now */ - result = pop3_perform_starttls(data, conn); - else if(data->set.use_ssl == CURLUSESSL_TRY) - /* Fallback and carry on with authentication */ - result = pop3_perform_authentication(data, conn); - else { - failf(data, "STLS not supported."); - result = CURLE_USE_SSL_FAILED; - } - } - else - result = pop3_perform_authentication(data, conn); - } else { /* Clear text is supported when CAPA isn't recognised */ - pop3c->authtypes |= POP3_TYPE_CLEARTEXT; + if(pop3code != '+') + pop3c->authtypes |= POP3_TYPE_CLEARTEXT; - result = pop3_perform_authentication(data, conn); + if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) + result = pop3_perform_authentication(data, conn); + else if(pop3code == '+' && pop3c->tls_supported) + /* Switch to TLS connection now */ + result = pop3_perform_starttls(data, conn); + else if(data->set.use_ssl <= CURLUSESSL_TRY) + /* Fallback and carry on with authentication */ + result = pop3_perform_authentication(data, conn); + else { + failf(data, "STLS not supported."); + result = CURLE_USE_SSL_FAILED; + } } return result; |