author: Daniel Stenberg <daniel@haxx.se> 2007-07-22 10:17:52 +0000
committer: Daniel Stenberg <daniel@haxx.se> 2007-07-22 10:17:52 +0000
commit: 9af807a5ce199adfb7372abd2a490d4af1179725
tree: 849c2bc10bc0002583b44f5dcb0a88e0aae628ae
parent: 4bbcc47f3f3a81ada6e7d620400c1388d6161e88
HTTP Digest auth fix on a re-used connection
-rw-r--r-- CHANGES 27
-rw-r--r-- RELEASE-NOTES 52
-rw-r--r-- lib/http_digest.c 7
3 files changed, 83 insertions, 3 deletions
diff --git a/CHANGES b/CHANGES
index 82ed74886..ed3fe586e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,33 @@
Changelog
Daniel S (22 July 2007)
+- HTTP Digest bug fix by Chris Flerackers:
+
+ Scenario
+
+ - Perfoming a POST request with body
+ - With authentication (only Digest)
+ - Re-using a connection
+
+ libcurl would send a HTTP POST with an Authorization header but without
+ body. Our server would return 400 Bad Request in that case (because
+ authentication passed, but the body was empty).
+
+ Cause
+
+ 1) http_digest.c -> Curl_output_digest
+ - Updates allocptr.userpwd/allocptr.proxyuserpwd *only* if d->nonce is
+ filled in (and no errors)
+ - authp->done = TRUE if d->nonce is filled in
+ 2) http.c -> Curl_http
+ - *Always* uses allocptr.userpwd/allocptr.proxyuserpwd if not NULL
+ 3) http.c -> Curl_http, Curl_http_output_auth
+
+ So what happens is that Curl_output_digest cannot yet update the
+ Authorization header (allocptr.userpwd) which results in authhost->done=0 ->
+ authhost->multi=1 -> conn->bits.authneg = TRUE. The body is not
+ added. *However*, allocptr.userpwd is still used when building the request
+
- Added test case 354 that makes a simple FTP retrieval without password, which
verifies the bug fix in #1757328.
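Review bot: Cause item 3 in this entry ("http.c -> Curl_http, Curl_http_output_auth") has nothing under it, unlike items 1 and 2, and the entry stops at "still used when building the request" without a full stop or any description of the fix. Add a line under item 3 and a short "Fix" paragraph saying that Curl_output_digest now frees and clears allocptr.userpwd/allocptr.proxyuserpwd before it builds a new header, so a header left from an earlier request is not sent with a body-less POST. "Perfoming" in the Scenario list should read "Performing".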
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 81c0a2a48..21992d90f 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -47,6 +47,56 @@ advice from friends like these:
Dan Fandrich, Song Ma, Daniel Black, Giancarlo Formicuccia, Shmulik Regev,
Daniel Cater, Colin Hogben, Jofell Gallardo, Daniel Johnson,
- Ralf S. Engelschall, James Housley
+ Ralf S. Engelschall, James Housley, Curl and libcurl 7.16.5
+
+ Public curl release number: 101
+ Releases counted from the very beginning: 127
+ Available command line options: 118
+ Available curl_easy_setopt() options: 143
+ Number of public functions in libcurl: 55
+ Amount of public web site mirrors: 39
+ Number of known libcurl bindings: 35
+ Number of contributors: 572
+
+This release includes the following changes:
+
+ o
+
+This release includes the following bugfixes:
+
+ o test cases 31, 46, 61, 506, 517 now work in time zones that use leap seconds
+ o problem with closed proxy connection during HTTP CONNECT auth negotiation
+ o transfer-encoding skipping didn't ignore the 407 response bodies properly
+ o CURLOPT_SSL_VERIFYHOST set to 1
+ o CONNECT endless loop
+ o krb5 support builds with Heimdal
+ o added returned error string for connection refused case
+ o re-use of dead FTP control connections
+ o login to FTP servers that don't require (nor understand) PASS after the
+ USER command
+ o bad free of memory from libssh2
+ o the SFTP PWD command works
+ o HTTP Digest auth on a re-used connection
+
+This release includes the following known bugs:
+
+ o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html)
+
+Other curl-related news:
+
+ o pycurl 7.16.4 was released http://pycurl.sf.net
+ o TclCurl 7.16.4 was released
+ http://personal1.iddeo.es/andresgarci/tclcurl/english/
+
+New curl mirrors:
+
+ o http://curl.freeby.pctools.cl is a new mirror in Chile
+
+This release would not have looked like this without help, code, reports and
+advice from friends like these:
+
+ Dan Fandrich, Song Ma, Daniel Black, Giancarlo Formicuccia, Shmulik Regev,
+ Daniel Cater, Colin Hogben, Jofell Gallardo, Daniel Johnson,
+ Ralf S. Engelschall, James Housley, Chris Flerackers
Thanks! (and sorry if I forgot to mention someone)
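Review bot: The added lines paste a second full copy of the release notes into the contributor list: the changed line becomes "Ralf S. Engelschall, James Housley, Curl and libcurl 7.16.5", followed by the statistics, the bugfix list and a repeat of "advice from friends like these:", which the hunk header shows is already present above. This looks unintended; the only changes this commit seems to need here are the bugfix bullet "HTTP Digest auth on a re-used connection" and "Chris Flerackers" appended to the existing names. The pasted copy also carries an empty "o" under "This release includes the following changes:".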
diff --git a/lib/http_digest.c b/lib/http_digest.c
index 604655f04..7338ce72a 100644
--- a/lib/http_digest.c
+++ b/lib/http_digest.c
@@ -266,6 +266,11 @@ CURLcode Curl_output_digest(struct connectdata *conn,
authp = &data->state.authhost;
}
+ if (*allocuserpwd) {
+ Curl_safefree(*allocuserpwd);
+ *allocuserpwd = NULL;
+ }
+
/* not set means empty */
if(!userp)
userp=(char *)"";
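Review bot: The new block that frees *allocuserpwd and sets it to NULL has no comment saying why it must run this early, ahead of the "not set means empty" defaults. A one-line comment that a header left over from a previous request on the same connection must not survive when no new one can be produced (the case described in the CHANGES entry) would keep a later cleanup from moving the free back down. The if (*allocuserpwd) guard looks unnecessary, since the call removed in the later hunk passed *allocuserpwd to Curl_safefree without a NULL check, and "if (" with a space differs from "if(!userp)" just below.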
@@ -388,8 +393,6 @@ CURLcode Curl_output_digest(struct connectdata *conn,
nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca"
*/
- Curl_safefree(*allocuserpwd);
-
if (d->qop) {
*allocuserpwd =
aprintf( "%sAuthorization: Digest "
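Review bot: Dropping Curl_safefree(*allocuserpwd) ahead of the if (d->qop) branch makes the aprintf() assignment depend entirely on the reset added earlier in the function, and nothing in this commit exercises that: the diffstat lists only CHANGES, RELEASE-NOTES and lib/http_digest.c. A test case for the scenario in the CHANGES entry (POST with body, Digest auth only, re-used connection) would catch a regression where the stale Authorization header is sent again without a body.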