Fred New reported a bug where we used Basic auth and user name and password in

.netrc, and when following a Location: the subsequent requests didn't properly
use the auth as found in the netrc file. Added test case 257 to verify my fix.

4 files changed, 16 insertions, 6 deletions

diff --git a/lib/http.c b/lib/http.c
index c3c805956..f61ce42c4 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -465,6 +465,7 @@ Curl_http_output_auth(struct connectdata *conn,
   /* To prevent the user+password to get sent to other than the original
      host due to a location-follow, we do some weirdo checks here */
   if(!data->state.this_is_a_follow ||
+     conn->bits.netrc ||
      !data->state.first_host ||
      curl_strequal(data->state.first_host, conn->host.name) ||
      data->set.http_disable_hostname_check_before_authentication) {
diff --git a/lib/netrc.c b/lib/netrc.c
index e43140ac3..9b56dd4a2 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -103,7 +103,7 @@ int Curl_parsenetrc(char *host,
     char *override = curl_getenv("CURL_DEBUG_NETRC");
 
     if (override) {
-      printf("NETRC: overridden " NETRC " file: %s\n", home);
+      fprintf(stderr, "NETRC: overridden " NETRC " file: %s\n", override);
       netrcfile = override;
       netrc_alloc = TRUE;
     }
@@ -171,7 +171,7 @@ int Curl_parsenetrc(char *host,
             /* and yes, this is our host! */
             state=HOSTVALID;
 #ifdef _NETRC_DEBUG
-            printf("HOST: %s\n", tok);
+            fprintf(stderr, "HOST: %s\n", tok);
 #endif
             retcode=0; /* we did find our host */
           }
@@ -188,7 +188,7 @@ int Curl_parsenetrc(char *host,
             else {
               strncpy(login, tok, LOGINSIZE-1);
 #ifdef _NETRC_DEBUG
-              printf("LOGIN: %s\n", login);
+              fprintf(stderr, "LOGIN: %s\n", login);
 #endif
             }
             state_login=0;
@@ -197,7 +197,7 @@ int Curl_parsenetrc(char *host,
             if (state_our_login || !specific_login) {
               strncpy(password, tok, PASSWORDSIZE-1);
 #ifdef _NETRC_DEBUG
-              printf("PASSWORD: %s\n", password);
+              fprintf(stderr, "PASSWORD: %s\n", password);
 #endif
             }
             state_password=0;
diff --git a/lib/url.c b/lib/url.c
index e75c29043..fb9c5905d 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3147,15 +3147,23 @@ static CURLcode CreateConnection(struct SessionHandle *data,
            user, passwd);
   }
 
+  conn->bits.netrc = FALSE;
   if (data->set.use_netrc != CURL_NETRC_IGNORED) {
     if(Curl_parsenetrc(conn->host.name,
                        user, passwd,
                        data->set.netrc_file)) {
-      infof(data, "Couldn't find host %s in the " DOT_CHAR "netrc file, using defaults\n",
+      infof(data, "Couldn't find host %s in the " DOT_CHAR
+            "netrc file, using defaults\n",
             conn->host.name);
     }
-    else
+    else {
+      /* set bits.netrc TRUE to remember that we got the name from a .netrc
+         file, so that it is safe to use even if we followed a Location: to a
+         different host or similar. */
+      conn->bits.netrc = TRUE;
+
       conn->bits.user_passwd = 1; /* enable user+password */
+    }
   }
 
   /* If our protocol needs a password and we have none, use the defaults */
diff --git a/lib/urldata.h b/lib/urldata.h
index a3b2c25ff..9bd245980 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -420,6 +420,7 @@ struct ConnectBits {
   bool ftp_use_lprt;  /* As set with CURLOPT_FTP_USE_EPRT, but if we find out
                          LPRT doesn't work we disable it for the forthcoming
                          requests */
+  bool netrc;         /* name+password provided by netrc */
 };
 
 struct hostname {