aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2005-10-20 20:07:32 +0000
committerDaniel Stenberg <daniel@haxx.se>2005-10-20 20:07:32 +0000
commitbe9c873a6e97423bc0b2a2dd45835c35c7d81231 (patch)
treeb1a9d53a9be19ab9514bfca4c61baa414ed4528f
parent034d80f6cd9a9d5035efe7429b331f679405be0f (diff)
Dave Dribin made libcurl understand and handle cases when the server
(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should never happen in a sane world, libcurl previously got into an infinite loop when this occurred. Dave added test 273 to verify this.
-rw-r--r--CHANGES5
-rw-r--r--RELEASE-NOTES1
-rw-r--r--lib/http.c29
-rw-r--r--tests/data/Makefile.am2
-rw-r--r--tests/data/test27376
5 files changed, 100 insertions, 13 deletions
diff --git a/CHANGES b/CHANGES
index 2c5b455c2..7ec9b1460 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,11 @@
Daniel (20 October 2005)
+- Dave Dribin made libcurl understand and handle cases when the server
+ (wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
+ never happen in a sane world, libcurl previously got into an infinite loop
+ when this occurred. Dave added test 273 to verify this.
+
- Temprimus improved the MSVC makefile: "makes a build option available so if
you set rtlibcfg=static for the make, then it would build with /MT. The
default behaviour is /MD (the original)."
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index cded82901..4c801f9a7 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -15,6 +15,7 @@ This release includes the following changes:
This release includes the following bugfixes:
+ o double WWW-Authenticate Digest headers are now handled
o curl-config --vernum fixed
Other curl-related news since the previous public release:
diff --git a/lib/http.c b/lib/http.c
index f46c1585a..fe06c7dc7 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -621,18 +621,23 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
#endif
#ifndef CURL_DISABLE_CRYPTO_AUTH
if(checkprefix("Digest", start)) {
- CURLdigest dig;
- *availp |= CURLAUTH_DIGEST;
- authp->avail |= CURLAUTH_DIGEST;
-
- /* We call this function on input Digest headers even if Digest
- * authentication isn't activated yet, as we need to store the
- * incoming data from this header in case we are gonna use Digest. */
- dig = Curl_input_digest(conn, (bool)(httpcode == 407), start);
-
- if(CURLDIGEST_FINE != dig) {
- infof(data, "Authentication problem. Ignoring this.\n");
- data->state.authproblem = TRUE;
+ if((authp->avail & CURLAUTH_DIGEST) != 0) {
+ infof(data, "Ignoring duplicate digest auth header.\n");
+ }
+ else {
+ CURLdigest dig;
+ *availp |= CURLAUTH_DIGEST;
+ authp->avail |= CURLAUTH_DIGEST;
+
+ /* We call this function on input Digest headers even if Digest
+ * authentication isn't activated yet, as we need to store the
+ * incoming data from this header in case we are gonna use Digest. */
+ dig = Curl_input_digest(conn, (bool)(httpcode == 407), start);
+
+ if(CURLDIGEST_FINE != dig) {
+ infof(data, "Authentication problem. Ignoring this.\n");
+ data->state.authproblem = TRUE;
+ }
}
}
else
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index ad13b139b..5b646ddf9 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -33,4 +33,4 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46 \
test237 test238 test239 test243 test245 test246 test247 test248 test249 \
test250 test251 test252 test253 test254 test255 test521 test522 test523 \
test256 test257 test258 test259 test260 test261 test262 test263 test264 \
- test265 test266 test267 test268 test269 test270 test271 test272
+ test265 test266 test267 test268 test269 test270 test271 test272 test273
diff --git a/tests/data/test273 b/tests/data/test273
new file mode 100644
index 000000000..dbc8f8429
--- /dev/null
+++ b/tests/data/test273
@@ -0,0 +1,76 @@
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP Digest auth
+</keywords>
+</info>
+# Server-side
+<reply>
+<data>
+HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+Content-Type: text/html; charset=iso-8859-1
+
+This is not the real page
+</data>
+
+# This is supposed to be returned when the server gets a
+# Authorization: Digest line passed-in from the client
+<data1000>
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+
+This IS the real page!
+</data1000>
+
+<datacheck>
+HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+Content-Type: text/html; charset=iso-8859-1
+
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+
+This IS the real page!
+</datacheck>
+
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with two Digest authorization headers
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/273 -u testuser:testpass --digest
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /273 HTTP/1.1
+Host: 127.0.0.1:%HTTPPORT
+Accept: */*
+
+GET /273 HTTP/1.1
+Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/273", response="576ae57b1db0039f8c0de43ef58e49e3"
+User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.3
+Host: 127.0.0.1:%HTTPPORT
+Accept: */*
+
+</protocol>
+</verify>