| author | Daniel Stenberg <daniel@haxx.se> | 2007-07-22 10:17:52 +0000 | 
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2007-07-22 10:17:52 +0000 | 
| commit | 9af807a5ce199adfb7372abd2a490d4af1179725 (patch) | |
| tree | 849c2bc10bc0002583b44f5dcb0a88e0aae628ae | |
| parent | 4bbcc47f3f3a81ada6e7d620400c1388d6161e88 (diff) | |
HTTP Digest auth fix on a re-used connection
| -rw-r--r-- | CHANGES | 27 |
| -rw-r--r-- | RELEASE-NOTES | 52 |
| -rw-r--r-- | lib/http_digest.c | 7 | 
3 files changed, 83 insertions, 3 deletions
@@ -7,6 +7,33 @@                                    Changelog  Daniel S (22 July 2007) +- HTTP Digest bug fix by Chris Flerackers: + +  Scenario + +  - Perfoming a POST request with body +  - With authentication (only Digest) +  - Re-using a connection + +  libcurl would send a HTTP POST with an Authorization header but without +  body. Our server would return 400 Bad Request in that case (because +  authentication passed, but the body was empty). + +  Cause + +  1) http_digest.c -> Curl_output_digest +  - Updates allocptr.userpwd/allocptr.proxyuserpwd *only* if d->nonce is +  filled in (and no errors) +  - authp->done = TRUE if d->nonce is filled in +  2) http.c -> Curl_http +  - *Always* uses allocptr.userpwd/allocptr.proxyuserpwd if not NULL +  3) http.c -> Curl_http, Curl_http_output_auth + +  So what happens is that Curl_output_digest cannot yet update the +  Authorization header (allocptr.userpwd) which results in authhost->done=0 -> +  authhost->multi=1 -> conn->bits.authneg = TRUE.  The body is not +  added. *However*, allocptr.userpwd is still used when building the request +  - Added test case 354 that makes a simple FTP retrieval without password, which    verifies the bug fix in #1757328. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 81c0a2a48..21992d90f 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES 
@@ -47,6 +47,56 @@ advice from friends like these:   Dan Fandrich, Song Ma, Daniel Black, Giancarlo Formicuccia, Shmulik Regev,   Daniel Cater, Colin Hogben, Jofell Gallardo, Daniel Johnson, - Ralf S. Engelschall, James Housley + Ralf S. Engelschall, James Housley, Curl and libcurl 7.16.5 + + Public curl release number:               101 + Releases counted from the very beginning: 127 + Available command line options:           118 + Available curl_easy_setopt() options:     143 + Number of public functions in libcurl:    55 + Amount of public web site mirrors:        39 + Number of known libcurl bindings:         35 + Number of contributors:                   572 + +This release includes the following changes: +  + o  + +This release includes the following bugfixes: + + o test cases 31, 46, 61, 506, 517 now work in time zones that use leap seconds + o problem with closed proxy connection during HTTP CONNECT auth negotiation + o transfer-encoding skipping didn't ignore the 407 response bodies properly + o CURLOPT_SSL_VERIFYHOST set to 1 + o CONNECT endless loop + o krb5 support builds with Heimdal + o added returned error string for connection refused case + o re-use of dead FTP control connections + o login to FTP servers that don't require (nor understand) PASS after the +   USER command + o bad free of memory from libssh2 + o the SFTP PWD command works + o HTTP Digest auth on a re-used connection + +This release includes the following known bugs: + + o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html) + +Other curl-related news: + + o pycurl 7.16.4 was released http://pycurl.sf.net + o TclCurl 7.16.4 was released +   http://personal1.iddeo.es/andresgarci/tclcurl/english/ + +New curl mirrors: + + o http://curl.freeby.pctools.cl is a new mirror in Chile + +This release would not have looked like this without help, code, reports and +advice from friends like these: + + Dan Fandrich, Song Ma, Daniel Black, Giancarlo Formicuccia, Shmulik Regev, + Daniel 
Cater, Colin Hogben, Jofell Gallardo, Daniel Johnson, + Ralf S. Engelschall, James Housley, Chris Flerackers          Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/http_digest.c b/lib/http_digest.c index 604655f04..7338ce72a 100644 --- a/lib/http_digest.c +++ b/lib/http_digest.c @@ -266,6 +266,11 @@ CURLcode Curl_output_digest(struct connectdata *conn,      authp = &data->state.authhost;    } +  if (*allocuserpwd) { +    Curl_safefree(*allocuserpwd); +    *allocuserpwd = NULL; +  } +    /* not set means empty */    if(!userp)      userp=(char *)""; @@ -388,8 +393,6 @@ CURLcode Curl_output_digest(struct connectdata *conn,      nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca"    */ -  Curl_safefree(*allocuserpwd); -    if (d->qop) {      *allocuserpwd =        aprintf( "%sAuthorization: Digest "  | 
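Review bot: In the CHANGES hunk, the new entry lays out the Scenario and the Cause but stops at "allocptr.userpwd is still used when building the request" without saying what was changed to fix it. Add a closing line stating the fix, for example that Curl_output_digest now frees and clears the header pointed to by allocuserpwd on entry so a stale Authorization header cannot be reused, which is what the lib/http_digest.c hunk does. Step 3) "http.c -> Curl_http, Curl_http_output_auth" also has no bullets under it, unlike steps 1) and 2), and "Perfoming" should read "Performing".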
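Review bot: In the RELEASE-NOTES hunk (@@ -47,6 +47,56), the added lines put a second complete release-notes block (the "Curl and libcurl 7.16.5" header, the counters, a bugfix list and another "This release would not have looked like this without help" thanks list) after the thanks list that already appears in the context lines, so the file ends up with two near-identical contributor lists. It also adds a "This release includes the following changes:" section whose only item is an empty " o ". For a commit titled "HTTP Digest auth fix on a re-used connection", the expected edit is the single "o HTTP Digest auth on a re-used connection" line plus "Chris Flerackers" in the existing thanks list. Please check that the old section was meant to stay, and either drop the empty bullet or fill it in.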
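Review bot: In the first lib/http_digest.c hunk (@@ -266,6 +266,11), the free that was moved to the top of Curl_output_digest has no comment explaining why it must run before any early return, and that ordering is the whole fix: per the CHANGES entry, a previously built allocptr.userpwd was otherwise still sent on the re-used connection when no new header could be produced. Add a short comment above the block saying that any header left from a previous request is cleared so it is not sent if a new one cannot be built. The `if (*allocuserpwd)` guard also looks unnecessary, since the line removed in the second hunk called `Curl_safefree(*allocuserpwd);` with no check, and the `if (` spacing differs from the `if(!userp)` style in the context lines just below.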
