author Daniel Stenberg <daniel@haxx.se> 2007-07-22 10:17:52 +0000
committer Daniel Stenberg <daniel@haxx.se> 2007-07-22 10:17:52 +0000
commit 9af807a5ce199adfb7372abd2a490d4af1179725
tree 849c2bc10bc0002583b44f5dcb0a88e0aae628ae /CHANGES
parent 4bbcc47f3f3a81ada6e7d620400c1388d6161e88
HTTP Digest auth fix on a re-used connection
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 27
1 files changed, 27 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 82ed74886..ed3fe586e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,33 @@
Changelog
Daniel S (22 July 2007)
+- HTTP Digest bug fix by Chris Flerackers:
+
+ Scenario
+
+ - Perfoming a POST request with body
+ - With authentication (only Digest)
+ - Re-using a connection
+
+ libcurl would send a HTTP POST with an Authorization header but without
+ body. Our server would return 400 Bad Request in that case (because
+ authentication passed, but the body was empty).
+
+ Cause
+
+ 1) http_digest.c -> Curl_output_digest
+ - Updates allocptr.userpwd/allocptr.proxyuserpwd *only* if d->nonce is
+ filled in (and no errors)
+ - authp->done = TRUE if d->nonce is filled in
+ 2) http.c -> Curl_http
+ - *Always* uses allocptr.userpwd/allocptr.proxyuserpwd if not NULL
+ 3) http.c -> Curl_http, Curl_http_output_auth
+
+ So what happens is that Curl_output_digest cannot yet update the
+ Authorization header (allocptr.userpwd) which results in authhost->done=0 ->
+ authhost->multi=1 -> conn->bits.authneg = TRUE. The body is not
+ added. *However*, allocptr.userpwd is still used when building the request
+
- Added test case 354 that makes a simple FTP retrieval without password, which
verifies the bug fix in #1757328.
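Review bot: The entry stops at the cause and never says what the fix changes. The closing paragraph ("*However*, allocptr.userpwd is still used when building the request") also lacks a terminating period. A reader learns that a POST goes out on the re-used connection with an Authorization header and no body, but not how the new code prevents the previous allocptr.userpwd value from being sent. Add a short "Fix" paragraph after "Cause" naming the function that changed and the new behaviour. In the Cause list, item 3) "http.c -> Curl_http, Curl_http_output_auth" has no sub-bullet, unlike 1) and 2), so its role in the failure is unexplained. The text also uses authp->done in item 1) and authhost->done in the last paragraph without saying how they relate. "Perfoming" in the Scenario list should be "Performing".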