Change #266986
| Category | curl |
| Changed by | Daniel Stenberg <daniel@haxx.se> |
| Changed at | Wed 13 May 2026 14:34:08 |
| Repository | https://github.com/curl/curl.git |
| Project | curl |
| Branch | master |
| Revision | 11df1251e550c5b4b77a4c66bca96cbbc09cdcc4 |
Comments
spnego_sspi: preserve distinction btw policy-only and uncond delegation

CURLOPT_GSSAPI_DELEGATION exposes distinct modes: CURLGSSAPI_DELEGATION_POLICY_FLAG is documented as delegating only when OK-AS-DELEGATE policy permits it, while CURLGSSAPI_DELEGATION_FLAG is unconditional.

The new SSPI implementation checks for either bit and sets ISC_REQ_DELEGATE, so a caller requesting policy-limited delegation is put on the same SSPI path as unconditional delegation.

In addition, curl's existing protection that avoids reusing a connection when the GSS delegation setting differs was guarded only by HAVE_GSSAPI; SSPI-only builds now have an effective delegation option, but the connection's delegation setting was neither copied nor compared.

This would cause Windows SSPI Negotiate/Kerberos authentication to delegate credentials contrary to the caller's selected policy or reuse an already-delegated authenticated connection for a transfer that requested no delegation.

Follow-up to cc6777d939976b2f322dcbe5a
Reported by Codex Security
Closes #21583
Changed files
- lib/url.c
- lib/vauth/spnego_sspi.c