authorDaniel Stenberg <daniel@haxx.se>2005-02-18 23:53:07 +0000
committerDaniel Stenberg <daniel@haxx.se>2005-02-18 23:53:07 +0000
commit5ba188ab2dda19d63a908fd245d9727f2d5df4ea (patch)
treeaf1ac7455322c78afca751c7c6cd5352b3a7fc63
parenteadfd78c2ec38c80990ec6abfd64431708f38dae (diff)
Ralph Mitchell reported a flaw when you used a proxy with auth, and you
requested data from a host and then followed a redirect to another host. libcurl then didn't use the proxy-auth properly in the second request, due to the host-only check for original host name wrongly being extended to the proxy auth as well. Added test case 233 to verify the flaw and that the fix removed the problem.
-rw-r--r--CHANGES9
-rw-r--r--RELEASE-NOTES3
-rw-r--r--lib/http.c42
-rw-r--r--tests/data/Makefile.am2
-rw-r--r--tests/data/test23381
5 files changed, 114 insertions, 23 deletions
diff --git a/CHANGES b/CHANGES
index 1a209b569..55a4a72db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,15 @@
Changelog
+
+Daniel (19 February 2005)
+- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
+ requested data from a host and then followed a redirect to another
+ host. libcurl then didn't use the proxy-auth properly in the second request,
+ due to the host-only check for original host name wrongly being extended to
+ the proxy auth as well. Added test case 233 to verify the flaw and that the
+ fix removed the problem.
+
Daniel (18 February 2005)
- Mike Dobbs reported a mingw build failure due to the lack of
BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6add05297..40aaecce0 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -16,6 +16,7 @@ This release includes the following changes:
This release includes the following bugfixes:
+ o proxy auth bug when following redirects to another host
o socket leak when local bind failed
o HTTP POST with --anyauth picking NTLM
o SSL problems when downloading exactly 16KB data
@@ -34,6 +35,6 @@ This release would not have looked like this without help, code, reports and
advice from friends like these:
Gisle Vanem, David Byron, Marty Kuhrt, Maruko, Eric Vergnaud, Christopher
- R. Palmer, Mike Dobbs, David in bug report #1124588
+ R. Palmer, Mike Dobbs, David in bug report #1124588, Ralph Mitchell
Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/http.c b/lib/http.c
index a5f29da3b..ae2594737 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -403,24 +403,17 @@ Curl_http_output_auth(struct connectdata *conn,
and if this is one single bit it'll be used instantly. */
authproxy->picked = authproxy->want;
- /* To prevent the user+password to get sent to other than the original
- host due to a location-follow, we do some weirdo checks here */
- if(!data->state.this_is_a_follow ||
- !data->state.first_host ||
- curl_strequal(data->state.first_host, conn->host.name) ||
- data->set.http_disable_hostname_check_before_authentication) {
-
- /* Send proxy authentication header if needed */
- if (conn->bits.httpproxy &&
- (conn->bits.tunnel_proxy == proxytunnel)) {
+ /* Send proxy authentication header if needed */
+ if (conn->bits.httpproxy &&
+ (conn->bits.tunnel_proxy == proxytunnel)) {
#ifdef USE_SSLEAY
- if(authproxy->want == CURLAUTH_NTLM) {
- auth=(char *)"NTLM";
- result = Curl_output_ntlm(conn, TRUE);
- if(result)
- return result;
- }
- else
+ if(authproxy->want == CURLAUTH_NTLM) {
+ auth=(char *)"NTLM";
+ result = Curl_output_ntlm(conn, TRUE);
+ if(result)
+ return result;
+ }
+ else
#endif
if(authproxy->want == CURLAUTH_BASIC) {
/* Basic */
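Review bot: The proxy-auth block at `if (conn->bits.httpproxy && (conn->bits.tunnel_proxy == proxytunnel))` now runs on every request, including redirect follows to another host, but its comment still reads only "Send proxy authentication header if needed" and does not say why it sits outside the first_host check. I would extend it, e.g. `/* Proxy credentials go to the proxy, not the origin server, so they are sent on redirect follows too; the first_host check below guards only the server credentials */`. Without that, a later reader may take the missing guard for an oversight and move the block back inside it, reintroducing the bug that test 233 covers. Curl_http_output_auth starts before this hunk and continues after it.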
@@ -454,10 +447,17 @@ Curl_http_output_auth(struct connectdata *conn,
else
authproxy->multi = FALSE;
}
- else
- /* we have no proxy so let's pretend we're done authenticating
- with it */
- authproxy->done = TRUE;
+ else
+ /* we have no proxy so let's pretend we're done authenticating
+ with it */
+ authproxy->done = TRUE;
+
+ /* To prevent the user+password to get sent to other than the original
+ host due to a location-follow, we do some weirdo checks here */
+ if(!data->state.this_is_a_follow ||
+ !data->state.first_host ||
+ curl_strequal(data->state.first_host, conn->host.name) ||
+ data->set.http_disable_hostname_check_before_authentication) {
/* Send web authentication header if needed */
{
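Review bot: The guard now placed in front of the web-auth block decides "same host" with `curl_strequal(data->state.first_host, conn->host.name)` alone, so as far as these lines show, a redirect to the same host name on a different port or scheme still passes and receives the user's `Authorization` header. If neither is checked elsewhere, the original port and protocol should be recorded next to `first_host` when the transfer starts and compared here as well. Until then the comment should state what is and is not covered, e.g. `/* only the host name is compared; port and scheme are not */`. The block opened by this `if` closes outside the hunk.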
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index ebbfdab0b..509206733 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -32,7 +32,7 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46 \
test223 test224 test206 test207 test208 test209 test213 test240 \
test241 test242 test519 test214 test215 test216 test217 test218 \
test199 test225 test226 test227 test230 test231 test232 test228 \
- test229
+ test229 test233
# The following tests have been removed from the dist since they no longer
# work. We need to fix the test suite's FTPS server first, then bring them
diff --git a/tests/data/test233 b/tests/data/test233
new file mode 100644
index 000000000..0e329f7b6
--- /dev/null
+++ b/tests/data/test233
@@ -0,0 +1,81 @@
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 302 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+Location: http://goto.second.host.now/2330002
+Content-Length: 8
+Connection: close
+
+contents
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+
+contents
+</data2>
+
+<datacheck>
+HTTP/1.1 302 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+Location: http://goto.second.host.now/2330002
+Content-Length: 8
+Connection: close
+
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+
+contents
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP, proxy, site+proxy auth and Location: to new host
+ </name>
+ <command>
+http://first.host.it.is/we/want/that/page/233 -x %HOSTIP:%HTTPPORT --user iam:myself --proxy-user testing:this --location
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET http://first.host.it.is/we/want/that/page/233 HTTP/1.1
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
+Authorization: Basic aWFtOm15c2VsZg==
+Host: first.host.it.is
+Pragma: no-cache
+Accept: */*
+
+GET http://goto.second.host.now/2330002 HTTP/1.1
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
+Host: goto.second.host.now
+Pragma: no-cache
+Accept: */*
+
+</protocol>
+</verify>
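Review bot: The security-relevant assertion in `<protocol>` is implicit: the second expected request (to goto.second.host.now) has a `Proxy-Authorization:` line but no `Authorization:` line, and nothing says the absence is intended. I would add a comment line above `<verify>` such as `# The redirected request must carry Proxy-Authorization but must NOT carry Authorization (server credentials stay with the first host)`, so nobody later "completes" the expected output. The test also uses only Basic for both credentials, so the NTLM proxy branch re-indented in lib/http.c is not exercised by it.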