diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2008-12-10 23:13:31 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2008-12-10 23:13:31 +0000 |
| commit | 6e376532b00879ead13d5e07453ab8dd0d97571e (patch) | |
| tree | ed84d9a37b1a344f4c3b5cdff4ea96bf7a55a7a9 /lib | |
| parent | 4ed64fd5ee1ac4a845bbfe8c0316051746120243 (diff) | |
- Internet Explorer had a broken HTTP digest authentication before v7 and
there are servers "out there" that relies on the client doing this broken
Digest authentication. Apache even comes with an option to work with such
broken clients.
The difference is only for URLs that contain a query-part (a '?'-letter and
text to the right of it).
libcurl now supports this quirk, and you enable it by setting the
CURLAUTH_DIGEST_IE bit in the bitmask you pass to the CURLOPT_HTTPAUTH or
CURLOPT_PROXYAUTH options. They are thus individually controlled to server
and proxy.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/http_digest.c | 20 | ||||
| -rw-r--r-- | lib/url.c | 19 | ||||
| -rw-r--r-- | lib/urldata.h | 3 |
3 files changed, 40 insertions, 2 deletions
diff --git a/lib/http_digest.c b/lib/http_digest.c index be5ca5a8d..bab95e9de 100644 --- a/lib/http_digest.c +++ b/lib/http_digest.c @@ -356,7 +356,25 @@ CURLcode Curl_output_digest(struct connectdata *conn, 5.1.1 of RFC 2616) */ - md5this = (unsigned char *)aprintf("%s:%s", request, uripath); + /* So IE browsers < v7 cut off the URI part at the query part when they + evaluate the MD5 and some (IIS?) servers work with them so we may need to + do the Digest IE-style. Note that the different ways cause different MD5 + sums to get sent. + + Apache servers can be set to do the Digest IE-style automatically using + the BrowserMatch feature: + http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie + + Further details on Digest implementation differences: + http://www.fngtps.com/2006/09/http-authentication + */ + if(authp->iestyle && (tmp = strchr((char *)uripath, '?'))) { + md5this = (unsigned char *)aprintf("%s:%.*s", request, + (int)(tmp - (char *)uripath), uripath); + } + else + md5this = (unsigned char *)aprintf("%s:%s", request, uripath); + if(!md5this) { free(ha1); return CURLE_OUT_OF_MEMORY; @@ -1319,6 +1319,16 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, */ { long auth = va_arg(param, long); + + /* the DIGEST_IE bit is only used to set a special marker, for all the + rest we need to handle it as normal DIGEST */ + data->state.authhost.iestyle = (auth & CURLAUTH_DIGEST_IE)?TRUE:FALSE; + + if(auth & CURLAUTH_DIGEST_IE) { + auth |= CURLAUTH_DIGEST; /* set standard digest bit */ + auth &= ~CURLAUTH_DIGEST_IE; /* unset ie digest bit */ + } + /* switch off bits we can't support */ #ifndef USE_NTLM auth &= ~CURLAUTH_NTLM; /* no NTLM without SSL */ @@ -1354,6 +1364,15 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, */ { long auth = va_arg(param, long); + + /* the DIGEST_IE bit is only used to set a special marker, for all the + rest we need to handle it as normal DIGEST */ + data->state.authproxy.iestyle = (auth & CURLAUTH_DIGEST_IE)?TRUE:FALSE; + + if(auth & CURLAUTH_DIGEST_IE) { + auth |= CURLAUTH_DIGEST; /* set standard digest bit */ + auth &= ~CURLAUTH_DIGEST_IE; /* unset ie digest bit */ + } /* switch off bits we can't support */ #ifndef USE_NTLM auth &= ~CURLAUTH_NTLM; /* no NTLM without SSL */ diff --git a/lib/urldata.h b/lib/urldata.h index aafa26eab..07dab3ee1 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -1139,7 +1139,8 @@ struct auth { request */ bool multi; /* TRUE if this is not yet authenticated but within the auth multipass negotiation */ - + bool iestyle; /* TRUE if digest should be done IE-style or FALSE if it should + be RFC compliant */ }; struct conncache { |