From dc38e5ed2c8a057e576b99a42eb1ba0535015aa2 Mon Sep 17 00:00:00 2001 From: SaSukiTB Date: Fri, 7 Feb 2025 15:22:48 +0100 Subject: [PATCH 1/2] Fix memory leaks and improve error handling in req() function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. Added curl_easy_cleanup(curl); to free resources after request 2. Changed to 2L (Enforces full hostname verification) 3. Added cleanup before calling error() 4. Properly convert to C-string XorStr("keyauth.win").c_str() 5. Proper Cleanup to Avoid Memory Leaks Your original function doesn’t call curl_easy_cleanup(), which means CURL resources aren’t freed in case of errors. this leads to memory leaks if the function is called multiple times (and its already called multiple times) almost every function in keyAuth library use it. Stronger SSL Security curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1); only checks if the SSL certificate exists, but does not verify the hostname properly. Change it to curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L); Enforces full hostname verification, preventing MITM attacks --- auth.cpp | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/auth.cpp b/auth.cpp index f47567f..3cb4119 100644 --- a/auth.cpp +++ b/auth.cpp @@ -1664,40 +1664,41 @@ void KeyAuth::api::setDebug(bool value) { KeyAuth::api::debug = value; } -std::string KeyAuth::api::req(std::string data, std::string url) { +std::string KeyAuth::api::req(const std::string& data, const std::string& url) { + CURL* curl = curl_easy_init(); - if (!curl) - return XorStr("null"); + if (!curl) { + error(XorStr("CURL Initialization Failed!")); + } std::string to_return; std::string headers; + // Set CURL options curl_easy_setopt(curl, CURLOPT_URL, url.c_str()); - - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1); - - curl_easy_setopt(curl, CURLOPT_NOPROXY, XorStr( "keyauth.win" ) ); - + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L); curl_easy_setopt(curl, CURLOPT_CERTINFO, 1L); - + curl_easy_setopt(curl, CURLOPT_NOPROXY, XorStr("keyauth.win").c_str()); curl_easy_setopt(curl, CURLOPT_POSTFIELDS, data.c_str()); - curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &to_return); - curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, header_callback); curl_easy_setopt(curl, CURLOPT_HEADERDATA, &headers); - auto code = curl_easy_perform(curl); - - if (code != CURLE_OK) - error(curl_easy_strerror(code)); + // Perform the request + CURLcode code = curl_easy_perform(curl); + if (code != CURLE_OK) { + std::string errorMsg = "CURL Error: " + std::string(curl_easy_strerror(code)); + curl_easy_cleanup(curl); + error(errorMsg); + } debugInfo(data, url, to_return, "Sig: " + signature + "\nTimestamp:" + signatureTimestamp); - + curl_easy_cleanup(curl); return to_return; } + void error(std::string message) { system((XorStr("start cmd /C \"color b && title Error && echo ").c_str() + message + XorStr(" && timeout /t 5\"")).c_str()); LI_FN(__fastfail)(0); From 95b3a8d2cf15357a03f9c5d5378555791242c034 Mon Sep 17 00:00:00 2001 From: SaSukiTB Date: Fri, 7 Feb 2025 15:24:02 +0100 Subject: [PATCH 2/2] Refactor req() function declaration in auth.hpp for consistency Updated `req()` function declaration in `auth.hpp` to use `const std::string&` for parameters. --- auth.hpp | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/auth.hpp b/auth.hpp index 4058f63..f229460 100644 --- a/auth.hpp +++ b/auth.hpp @@ -105,12 +105,10 @@ namespace KeyAuth { responsedata response; Tfa tfa; private: - std::string sessionid, enckey; - - static std::string req(std::string data, std::string url); + std::string sessionid, enckey; + static std::string req(const std::string& data, const std::string& url); static void debugInfo(std::string data, std::string url, std::string response, std::string headers); - static void setDebug(bool value);