diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2005-02-18 23:53:07 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2005-02-18 23:53:07 +0000 |
| commit | 5ba188ab2dda19d63a908fd245d9727f2d5df4ea (patch) | |
| tree | af1ac7455322c78afca751c7c6cd5352b3a7fc63 /lib | |
| parent | eadfd78c2ec38c80990ec6abfd64431708f38dae (diff) | |
Ralph Mitchell reported a flaw when you used a proxy with auth, and you
requested data from a host and then followed a redirect to another
host. libcurl then didn't use the proxy-auth properly in the second request,
due to the host-only check for original host name wrongly being extended to
the proxy auth as well. Added test case 233 to verify the flaw and that the
fix removed the problem.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/http.c | 42 |
1 files changed, 21 insertions, 21 deletions
diff --git a/lib/http.c b/lib/http.c index a5f29da3b..ae2594737 100644 --- a/lib/http.c +++ b/lib/http.c @@ -403,24 +403,17 @@ Curl_http_output_auth(struct connectdata *conn, and if this is one single bit it'll be used instantly. */ authproxy->picked = authproxy->want; - /* To prevent the user+password to get sent to other than the original - host due to a location-follow, we do some weirdo checks here */ - if(!data->state.this_is_a_follow || - !data->state.first_host || - curl_strequal(data->state.first_host, conn->host.name) || - data->set.http_disable_hostname_check_before_authentication) { - - /* Send proxy authentication header if needed */ - if (conn->bits.httpproxy && - (conn->bits.tunnel_proxy == proxytunnel)) { + /* Send proxy authentication header if needed */ + if (conn->bits.httpproxy && + (conn->bits.tunnel_proxy == proxytunnel)) { #ifdef USE_SSLEAY - if(authproxy->want == CURLAUTH_NTLM) { - auth=(char *)"NTLM"; - result = Curl_output_ntlm(conn, TRUE); - if(result) - return result; - } - else + if(authproxy->want == CURLAUTH_NTLM) { + auth=(char *)"NTLM"; + result = Curl_output_ntlm(conn, TRUE); + if(result) + return result; + } + else #endif if(authproxy->want == CURLAUTH_BASIC) { /* Basic */ @@ -454,10 +447,17 @@ Curl_http_output_auth(struct connectdata *conn, else authproxy->multi = FALSE; } - else - /* we have no proxy so let's pretend we're done authenticating - with it */ - authproxy->done = TRUE; + else + /* we have no proxy so let's pretend we're done authenticating + with it */ + authproxy->done = TRUE; + + /* To prevent the user+password to get sent to other than the original + host due to a location-follow, we do some weirdo checks here */ + if(!data->state.this_is_a_follow || + !data->state.first_host || + curl_strequal(data->state.first_host, conn->host.name) || + data->set.http_disable_hostname_check_before_authentication) { /* Send web authentication header if needed */ { |