Re: [PATCH 2/2 v2] ntlm_wb: Avoid invoking ntlm_auth helper with empty username

Sat, 12 Jul 2014 15:54:24 -0700 

On Sat, Jul 12, 2014 at 11:22:38AM +0100, David Woodhouse wrote:
> I note that for finding the home directory in both lib/netrc.c and
> src/tool_homedir.c we use $HOME *before* getpwuid(). And we actually use

That adds flexibility to the user who can switch the location easily without
changing code.

> getpwuid() instead of getpwuid_r(), which probably ought to be fixed.

Good point—that could cause some weird issues with multithreaded programs. I've
just committed a fix for that.


> +  /* The real ntlm_auth really doesn't like being invoked with an
> +     empty username. It won't make inferences for itself, and expects
> +     the client to do so (mostly because it's really designed for
> +     servers like squid to use for auth, and client support is an
> +     afterthought for it). So try hard to provide a suitable username
> +     if we don't already have one. But if we can't, provide the
> +     empty one anyway. Perhaps they have an implementation of the
> +     ntlm_auth helper which *doesn't* need it so we might as well try */
> +  if(!username || !username[0]) {
> +    username = getenv("NTLMUSER");
> +#if defined(HAVE_GETPWUID_R) && defined(HAVE_GETEUID)
> +    if((!username || !username[0]) &&
> +       !getpwuid_r(geteuid(), &pw, pwbuf, sizeof(pwbuf), &pw_res) &&
> +       pw_res) {
> +      username = pw.pw_name;
> +    }
> +#endif
> +    if(!username || !username[0])
> +      username = getenv("LOGNAME");
> +    if(!username || !username[0])
> +      username = getenv("USER");
> +    if(!username || !username[0])
> +      username = userp;
> +  }

Thinking about it some more, it does seem to make sense to let the
user-overrideable variables come before the system-defined ones. A user
running curl under plain 'su' for example will see a difference between
the two options; geteuid() will return the root user but $LOGNAME will
still contain the original user. I think I'd move the geteuid() method
as the method of last resort.

>>> Dan
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Reply via email to