author | Daniel Stenberg <daniel@haxx.se> | 2007-07-22 10:17:52 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2007-07-22 10:17:52 +0000 |
commit | 9af807a5ce199adfb7372abd2a490d4af1179725 (patch) | |
tree | 849c2bc10bc0002583b44f5dcb0a88e0aae628ae /CHANGES | |
parent | 4bbcc47f3f3a81ada6e7d620400c1388d6161e88 (diff) |
HTTP Digest auth fix on a re-used connection
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 27 |
1 files changed, 27 insertions, 0 deletions
@@ -7,6 +7,33 @@ Changelog Daniel S (22 July 2007) +- HTTP Digest bug fix by Chris Flerackers: + + Scenario + + - Perfoming a POST request with body + - With authentication (only Digest) + - Re-using a connection + + libcurl would send a HTTP POST with an Authorization header but without + body. Our server would return 400 Bad Request in that case (because + authentication passed, but the body was empty). + + Cause + + 1) http_digest.c -> Curl_output_digest + - Updates allocptr.userpwd/allocptr.proxyuserpwd *only* if d->nonce is + filled in (and no errors) + - authp->done = TRUE if d->nonce is filled in + 2) http.c -> Curl_http + - *Always* uses allocptr.userpwd/allocptr.proxyuserpwd if not NULL + 3) http.c -> Curl_http, Curl_http_output_auth + + So what happens is that Curl_output_digest cannot yet update the + Authorization header (allocptr.userpwd) which results in authhost->done=0 -> + authhost->multi=1 -> conn->bits.authneg = TRUE. The body is not + added. *However*, allocptr.userpwd is still used when building the request + - Added test case 354 that makes a simple FTP retrieval without password, which verifies the bug fix in #1757328. |
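Review bot: The new CHANGES entry documents the scenario and the cause but never says what the fix changes; it stops at "allocptr.userpwd is still used when building the request", so a reader cannot tell how the stale Authorization header is handled after this commit. Add a closing sentence that describes the fix itself. In the Cause list, item 3) ("http.c -> Curl_http, Curl_http_output_auth") has no explanation under it, unlike items 1) and 2), and the entry refers to authp->done in item 1) but authhost->done in the summary paragraph without saying whether these are the same state. "Perfoming" in the Scenario list should read "Performing".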