diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2004-04-06 15:14:10 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2004-04-06 15:14:10 +0000 |
| commit | 8ed44e8dfbe2182696becc3ca8a9950888251503 (patch) | |
| tree | 28f9e3b26fedd0c2041898e53abb81799b5f5b38 /CHANGES | |
| parent | f617c1131a939b88544d7923db557437df31e433 (diff) | |
New authentication code added, particularly noticable when doing POST or PUT
with Digest or NTLM. libcurl will now use HEAD to negotiate the authentication
and when done perform the requested POST.
Diffstat (limited to 'CHANGES')
| -rw-r--r-- | CHANGES | 39 |
1 files changed, 39 insertions, 0 deletions
@@ -7,6 +7,45 @@ Changelog Daniel (6 April 2004) +- Gisle Vanem's fixed bug #927979 reported by Nathan O'Sullivan. The problem + made libcurl on Windows leak a small amount of memory in each name resolve + when not used as a DLL. + +- New authentication code added, particularly noticable when doing POST or PUT + with Digest or NTLM. libcurl will now use HEAD to negotiate the + authentication and when done perform the requested POST. Previously libcurl + sent POST immediately and expected the server to reply a final status code + with an error and then libcurl would not send the request-body but instead + send then next request in the sequence. + + The reason for this change is due to IIS6 barfing on libcurl when we attempt + to POST with NTLM authentication. The reason for the problems is found in + RFC2616 section 8.2.3 regarding how servers should deal with the 100 + continue request-header: + + If it responds with a final status code, it MAY close the transport + connection or it MAY continue to read and discard the rest of the + request. + + Previous versions of IIS clearly did close the connection in this case, + while this newer version decided it should "read and discard". That would've + forced us to send the whole POST (or PUT) data only to have it discarded and + then be forced to send it again. To avoid that huge penality, we switch to + using HEAD until we are authenticated and then send the POST. + + The only actual drawback I can think of (except for the odd sites that might + treat HEAD differently than they would treat POST/PUT when given the same + URL) is that if you do POST with CURLAUTH_ANY set and the site requires NO + authentication, libcurl will still use a HEAD in a first round and then do a + POST. + + If you do a HEAD or a GET on a site using CURLAUTH_ANY, libcurl will send + an un-authenticated request at once, which then is the only request if the + site requires no auth. + + Alan Pinstein helped me work out the protocol details by figuring out why + libcurl failed and what IIS6 expects. + - The --limit-rate logic was corrected and now it works a lot better for higher speeds, such as '10m' or similar. Reported in bug report #930249. |