diff options
author | Daniel Stenberg <daniel@haxx.se> | 2004-04-22 20:07:41 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2004-04-22 20:07:41 +0000 |
commit | 2ff30d067c19aea79cd82e0a45e313cf3bb07285 (patch) | |
tree | 7b304c7139048758169e5e562e72929d3edb6278 | |
parent | 84406b3e2cd887b2e162345a49d5ffaf3e0f43ec (diff) |
- David Byron found and fixed a small bug with the --fail and authentication
stuff added a few weeks ago. Turns out that if you specify --proxy-ntlm and
communicate with a proxy that requires basic authentication, the proxy
properly returns a 407, but the failure detection code doesn't realize it
should give up, so curl returns with exit code 0. Test case 162 verifies
this.
-rw-r--r-- | CHANGES | 7 | ||||
-rw-r--r-- | lib/http.c | 37 | ||||
-rw-r--r-- | lib/transfer.c | 1 | ||||
-rw-r--r-- | lib/urldata.h | 1 | ||||
-rw-r--r-- | tests/data/Makefile.am | 2 | ||||
-rw-r--r-- | tests/data/test162 | 45 |
6 files changed, 86 insertions, 7 deletions
@@ -7,6 +7,13 @@ Changelog Daniel (22 April 2004) +- David Byron found and fixed a small bug with the --fail and authentication + stuff added a few weeks ago. Turns out that if you specify --proxy-ntlm and + communicate with a proxy that requires basic authentication, the proxy + properly returns a 407, but the failure detection code doesn't realize it + should give up, so curl returns with exit code 0. Test case 162 added to + verify the functionality. + - If a transfer is found out to be only partial, libcurl will now treat that as a problem serious enough to skip the final QUIT command before closing the control connection. To avoid the risk that it will "hang" waiting for diff --git a/lib/http.c b/lib/http.c index b2f919f67..0922b9eda 100644 --- a/lib/http.c +++ b/lib/http.c @@ -396,8 +396,13 @@ CURLcode Curl_http_auth(struct connectdata *conn, if(data->state.authwant == CURLAUTH_GSSNEGOTIATE) { /* if exactly this is wanted, go */ int neg = Curl_input_negotiate(conn, start); - if (neg == 0) + if (neg == 0) { conn->newurl = strdup(data->change.url); + data->state.authproblem = (conn->newurl == NULL); + else { + infof(data, "Authentication problem. Ignoring this.\n"); + data->state.authproblem = TRUE; + } } else if(data->state.authwant & CURLAUTH_GSSNEGOTIATE) @@ -414,10 +419,14 @@ CURLcode Curl_http_auth(struct connectdata *conn, CURLntlm ntlm = Curl_input_ntlm(conn, (bool)(httpcode == 407), start); - if(CURLNTLM_BAD != ntlm) + if(CURLNTLM_BAD != ntlm) { conn->newurl = strdup(data->change.url); /* clone string */ - else + data->state.authproblem = (conn->newurl == NULL); + } + else { infof(data, "Authentication problem. Ignoring this.\n"); + data->state.authproblem = TRUE; + } } else if(data->state.authwant & CURLAUTH_NTLM) @@ -431,12 +440,16 @@ CURLcode Curl_http_auth(struct connectdata *conn, /* Digest authentication is activated */ CURLdigest dig = Curl_input_digest(conn, start); - if(CURLDIGEST_FINE == dig) + if(CURLDIGEST_FINE == dig) { /* We act on it. Store our new url, which happens to be the same one we already use! */ conn->newurl = strdup(data->change.url); /* clone string */ - else + data->state.authproblem = (conn->newurl == NULL); + } + else { infof(data, "Authentication problem. Ignoring this.\n"); + data->state.authproblem = TRUE; + } } else if(data->state.authwant & CURLAUTH_DIGEST) { @@ -458,9 +471,17 @@ CURLcode Curl_http_auth(struct connectdata *conn, valid. */ data->state.authavail = CURLAUTH_NONE; infof(data, "Authentication problem. Ignoring this.\n"); + data->state.authproblem = TRUE; } else if(data->state.authwant & CURLAUTH_BASIC) { data->state.authavail |= CURLAUTH_BASIC; + } else { + /* + ** We asked for something besides basic but got + ** Basic anyway. This is no good. + */ + infof(data, "Server expects Basic auth, but we're doing something else.\n"); + data->state.authproblem = TRUE; } } return CURLE_OK; @@ -531,13 +552,17 @@ int Curl_http_should_fail(struct connectdata *conn) */ #if 0 /* set to 1 when debugging this functionality */ infof(data,"%s: authstage = %d\n",__FUNCTION__,data->state.authstage); + infof(data,"%s: authwant = 0x%08x\n",__FUNCTION__,data->state.authwant); + infof(data,"%s: authavail = 0x%08x\n",__FUNCTION__,data->state.authavail); infof(data,"%s: httpcode = %d\n",__FUNCTION__,k->httpcode); infof(data,"%s: authdone = %d\n",__FUNCTION__,data->state.authdone); + infof(data,"%s: newurl = %s\n",__FUNCTION__,conn->newurl ? conn->newurl : "(null)"); + infof(data,"%s: authproblem = %d\n",__FUNCTION__,data->state.authproblem); #endif if (data->state.authstage && (data->state.authstage == k->httpcode)) - return data->state.authdone; + return (data->state.authdone || data->state.authproblem); /* ** Either we're not authenticating, or we're supposed to diff --git a/lib/transfer.c b/lib/transfer.c index 2d0b4aa33..1151e05b6 100644 --- a/lib/transfer.c +++ b/lib/transfer.c @@ -1499,6 +1499,7 @@ CURLcode Curl_pretransfer(struct SessionHandle *data) /* set preferred authentication, default to basic */ data->state.authstage = 0; /* initialize authentication later */ + data->state.authproblem = FALSE; /* If there was a list of cookie files to read and we haven't done it before, do it now! */ diff --git a/lib/urldata.h b/lib/urldata.h index 55070ccbf..7642cb9a1 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -725,6 +725,7 @@ struct UrlState { depending on authstage) */ long authavail; /* what the server reports */ + bool authproblem; /* TRUE if there's some problem authenticating */ bool authdone; /* TRUE when the auth phase is done and ready to do the *actual* request */ #ifdef USE_ARES diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 39c807a39..abce9bdef 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -22,7 +22,7 @@ test80 test81 test82 test83 test84 test85 test86 test87 test507 \ test149 test88 test89 test90 test508 test91 test92 test203 test93 \ test94 test95 test509 test510 test97 test98 test99 test150 test151 \ test152 test153 test154 test155 test156 test157 test158 test159 test511 \ -test160 test161 +test160 test161 test162 # The following tests have been removed from the dist since they no longer # work. We need to fix the test suite's FTPS server first, then bring them diff --git a/tests/data/test162 b/tests/data/test162 new file mode 100644 index 000000000..27576c0f9 --- /dev/null +++ b/tests/data/test162 @@ -0,0 +1,45 @@ +# Server-side +<reply> +<data1001 nocheck=1> +HTTP/1.0 407 BAD BOY +Proxy-Authenticate: Basic realm="Squid proxy-caching web server" +Server: swsclose +Content-Type: text/html + +Even though it's the response code that triggers authentication, we're +using NTLM and the server isn't, so we should fail. We know the server +isn't because there's no Proxy-Authorization: NTLM header +</data1001> +</reply> + +# Client-side +<client> +<server> +http +</server> + <name> +HTTP GET asking for --proxy-ntlm when some other authentication is required + </name> + <command> +http://%HOSTIP:%HOSTPORT/162 --proxy http://%HOSTIP:%HOSTPORT --proxy-user foo:bar --proxy-ntlm --fail +</command> +</test> + +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent: curl/.* +</strip> +<protocol> +GET http://127.0.0.1:8999/162 HTTP/1.1
+Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAgIAAAAAAAAgAAAAAAAAACAAAAA= +User-Agent: curl/7.8.1-pre3 (sparc-sun-solaris2.7) libcurl 7.8.1-pre3 (OpenSSL 0.9.6a) (krb4 enabled)
+Host: 127.0.0.1:8999
+Pragma: no-cache
+Accept: */*
+
+</protocol> +<errorcode> +22 +</errorcode> +</verify> |