HTTP Digest auth fix on a re-used connection

author: Daniel Stenberg <daniel@haxx.se> 2007-07-22 10:17:52 +0000
committer: Daniel Stenberg <daniel@haxx.se> 2007-07-22 10:17:52 +0000
commit: 9af807a5ce199adfb7372abd2a490d4af1179725 (patch)
tree: 849c2bc10bc0002583b44f5dcb0a88e0aae628ae /CHANGES
parent: 4bbcc47f3f3a81ada6e7d620400c1388d6161e88 (diff)
1 files changed, 27 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 82ed74886..ed3fe586e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,33 @@
                                   Changelog
 
 Daniel S (22 July 2007)
+- HTTP Digest bug fix by Chris Flerackers:
+
+  Scenario
+
+  - Perfoming a POST request with body
+  - With authentication (only Digest)
+  - Re-using a connection
+
+  libcurl would send a HTTP POST with an Authorization header but without
+  body. Our server would return 400 Bad Request in that case (because
+  authentication passed, but the body was empty).
+
+  Cause
+
+  1) http_digest.c -> Curl_output_digest
+  - Updates allocptr.userpwd/allocptr.proxyuserpwd *only* if d->nonce is
+  filled in (and no errors)
+  - authp->done = TRUE if d->nonce is filled in
+  2) http.c -> Curl_http
+  - *Always* uses allocptr.userpwd/allocptr.proxyuserpwd if not NULL
+  3) http.c -> Curl_http, Curl_http_output_auth
+
+  So what happens is that Curl_output_digest cannot yet update the
+  Authorization header (allocptr.userpwd) which results in authhost->done=0 ->
+  authhost->multi=1 -> conn->bits.authneg = TRUE.  The body is not
+  added. *However*, allocptr.userpwd is still used when building the request
+
 - Added test case 354 that makes a simple FTP retrieval without password, which
   verifies the bug fix in #1757328.
author	Daniel Stenberg <daniel@haxx.se>	2007-07-22 10:17:52 +0000
committer	Daniel Stenberg <daniel@haxx.se>	2007-07-22 10:17:52 +0000
commit	9af807a5ce199adfb7372abd2a490d4af1179725 (patch)
tree	849c2bc10bc0002583b44f5dcb0a88e0aae628ae /CHANGES
parent	4bbcc47f3f3a81ada6e7d620400c1388d6161e88 (diff)