author | Daniel Stenberg <daniel@haxx.se> | 2005-10-20 20:07:32 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2005-10-20 20:07:32 +0000 |
commit | be9c873a6e97423bc0b2a2dd45835c35c7d81231 (patch) | |
tree | b1a9d53a9be19ab9514bfca4c61baa414ed4528f | |
parent | 034d80f6cd9a9d5035efe7429b331f679405be0f (diff) |
Dave Dribin made libcurl understand and handle cases when the server
(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
never happen in a sane world, libcurl previously got into an infinite loop
when this occurred. Dave added test 273 to verify this.
-rw-r--r-- | CHANGES | 5 | ||||
-rw-r--r-- | RELEASE-NOTES | 1 | ||||
-rw-r--r-- | lib/http.c | 29 | ||||
-rw-r--r-- | tests/data/Makefile.am | 2 | ||||
-rw-r--r-- | tests/data/test273 | 76 |
5 files changed, 100 insertions, 13 deletions
@@ -9,6 +9,11 @@ Daniel (20 October 2005) +- Dave Dribin made libcurl understand and handle cases when the server + (wrongly) sends *two* WWW-Authenticate headers for Digest. While this should + never happen in a sane world, libcurl previously got into an infinite loop + when this occurred. Dave added test 273 to verify this. + - Temprimus improved the MSVC makefile: "makes a build option available so if you set rtlibcfg=static for the make, then it would build with /MT. The default behaviour is /MD (the original)." diff --git a/RELEASE-NOTES b/RELEASE-NOTES index cded82901..4c801f9a7 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -15,6 +15,7 @@ This release includes the following changes: This release includes the following bugfixes: + o double WWW-Authenticate Digest headers are now handled o curl-config --vernum fixed Other curl-related news since the previous public release: diff --git a/lib/http.c b/lib/http.c index f46c1585a..fe06c7dc7 100644 --- a/lib/http.c +++ b/lib/http.c 
@@ -621,18 +621,23 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, #endif #ifndef CURL_DISABLE_CRYPTO_AUTH if(checkprefix("Digest", start)) { - CURLdigest dig; - *availp |= CURLAUTH_DIGEST; - authp->avail |= CURLAUTH_DIGEST; - - /* We call this function on input Digest headers even if Digest - * authentication isn't activated yet, as we need to store the - * incoming data from this header in case we are gonna use Digest. */ - dig = Curl_input_digest(conn, (bool)(httpcode == 407), start); - - if(CURLDIGEST_FINE != dig) { - infof(data, "Authentication problem. Ignoring this.\n"); - data->state.authproblem = TRUE; + if((authp->avail & CURLAUTH_DIGEST) != 0) { + infof(data, "Ignoring duplicate digest auth header.\n"); + } + else { + CURLdigest dig; + *availp |= CURLAUTH_DIGEST; + authp->avail |= CURLAUTH_DIGEST; + + /* We call this function on input Digest headers even if Digest + * authentication isn't activated yet, as we need to store the + * incoming data from this header in case we are gonna use Digest. */ + dig = Curl_input_digest(conn, (bool)(httpcode == 407), start); + + if(CURLDIGEST_FINE != dig) { + infof(data, "Authentication problem. Ignoring this.\n"); + data->state.authproblem = TRUE; + } } } else diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index ad13b139b..5b646ddf9 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -33,4 +33,4 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46 \ test237 test238 test239 test243 test245 test246 test247 test248 test249 \ test250 test251 test252 test253 test254 test255 test521 test522 test523 \ test256 test257 test258 test259 test260 test261 test262 test263 test264 \ - test265 test266 test267 test268 test269 test270 test271 test272 + test265 test266 test267 test268 test269 test270 test271 test272 test273 diff --git a/tests/data/test273 b/tests/data/test273 new file mode 100644 index 000000000..dbc8f8429 --- /dev/null +++ b/tests/data/test273 
@@ -0,0 +1,76 @@ +<info> +<keywords> +HTTP +HTTP GET +HTTP Digest auth +</keywords> +</info> +# Server-side +<reply> +<data> +HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" +Content-Type: text/html; charset=iso-8859-1
+
+This is not the real page +</data> + +# This is supposed to be returned when the server gets a +# Authorization: Digest line passed-in from the client +<data1000> +HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+
+This IS the real page! +</data1000> + +<datacheck> +HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" +Content-Type: text/html; charset=iso-8859-1
+
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+
+This IS the real page! +</datacheck> + +</reply> + +# Client-side +<client> +<server> +http +</server> + <name> +HTTP with two Digest authorization headers + </name> + <command> +http://%HOSTIP:%HTTPPORT/273 -u testuser:testpass --digest +</command> +</client> + +# Verify data after the test has been "shot" +<verify> +<strip> +^User-Agent:.* +</strip> +<protocol> +GET /273 HTTP/1.1
+Host: 127.0.0.1:%HTTPPORT
+Accept: */*
+
+GET /273 HTTP/1.1
+Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/273", response="576ae57b1db0039f8c0de43ef58e49e3"
+User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.3
+Host: 127.0.0.1:%HTTPPORT
+Accept: */*
+
+</protocol> +</verify> |
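Review bot: In the lib/http.c hunk, the new `if((authp->avail & CURLAUTH_DIGEST) != 0)` test decides "duplicate" from the availability bit alone, so every Digest header after the first is dropped without being compared to it. A second challenge that differs from the first (another nonce, realm or algorithm) is still logged as "Ignoring duplicate digest auth header." and the first one silently wins. Consider rewording the message to say that a later Digest challenge is being ignored, and adding a comment in this branch that states the first-wins choice and the loop it prevents. The hunk also does not show where `authp->avail` is cleared: if the bit survives into the next response, a later 401 carrying a fresh nonce would take this branch too and `Curl_input_digest()` would never see it, so please confirm the flag is reset per response.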
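Review bot: In tests/data/test273 both `WWW-Authenticate: Digest` lines carry the same realm and nonce, so the test passes whichever header the client uses and does not pin down the first-wins behaviour that the lib/http.c change introduces. Giving the second header a different nonce would make the expected `Authorization: Digest` line in `<protocol>` prove that the first challenge is the one answered. The changed branch is also reached for proxy challenges (`httpcode == 407`), which this test does not exercise; a Proxy-Authenticate variant would cover it. The `<name>` says "authorization headers" where the data has WWW-Authenticate headers.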