Dave Dribin made libcurl understand and handle cases when the server

(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
never happen in a sane world, libcurl previously got into an infinite loop
when this occurred. Dave added test 273 to verify this.

1 files changed, 17 insertions, 12 deletions

diff --git a/lib/http.c b/lib/http.c
index f46c1585a..fe06c7dc7 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -621,18 +621,23 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
 #endif
 #ifndef CURL_DISABLE_CRYPTO_AUTH
       if(checkprefix("Digest", start)) {
-        CURLdigest dig;
-        *availp |= CURLAUTH_DIGEST;
-        authp->avail |= CURLAUTH_DIGEST;
-
-        /* We call this function on input Digest headers even if Digest
-         * authentication isn't activated yet, as we need to store the
-         * incoming data from this header in case we are gonna use Digest. */
-        dig = Curl_input_digest(conn, (bool)(httpcode == 407), start);
-
-        if(CURLDIGEST_FINE != dig) {
-          infof(data, "Authentication problem. Ignoring this.\n");
-          data->state.authproblem = TRUE;
+        if((authp->avail & CURLAUTH_DIGEST) != 0) {
+          infof(data, "Ignoring duplicate digest auth header.\n");
+        }
+        else {
+          CURLdigest dig;
+          *availp |= CURLAUTH_DIGEST;
+          authp->avail |= CURLAUTH_DIGEST;
+
+          /* We call this function on input Digest headers even if Digest
+           * authentication isn't activated yet, as we need to store the
+           * incoming data from this header in case we are gonna use Digest. */
+          dig = Curl_input_digest(conn, (bool)(httpcode == 407), start);
+
+          if(CURLDIGEST_FINE != dig) {
+            infof(data, "Authentication problem. Ignoring this.\n");
+            data->state.authproblem = TRUE;
+          }
         }
       }
       else