aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2009-06-05 06:18:42 +0000
committerDaniel Stenberg <daniel@haxx.se>2009-06-05 06:18:42 +0000
commit1012c5705aedc6730244c22cd9d2bcb3c5c13212 (patch)
tree9aae1daea0f396600c3ad2f123817f77cdd08f2b /lib
parent1c2947581b8694b3e8ab447c5c7c2c9dbb43bf8b (diff)
- Setting the Content-Length: header from your app when you do a POST or PUT
is almost always a VERY BAD IDEA. Yet there are still apps out there doing this, and now recently it triggered a bug/side-effect in libcurl as when libcurl sends a POST or PUT with NTLM, it sends an empty post first when it knows it will just get a 401/407 back. If the app then replaced the Content-Length header, it caused the server to wait for input that libcurl wouldn't send. Aaron Oneal reported this problem in bug report #2799008 http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
Diffstat (limited to 'lib')
-rw-r--r--lib/http.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/lib/http.c b/lib/http.c
index 466d9539a..ccbec227f 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -2032,6 +2032,11 @@ static CURLcode add_custom_headers(struct connectdata *conn,
/* this header (extended by formdata.c) is sent later */
checkprefix("Content-Type:", headers->data))
;
+ else if(conn->bits.authneg &&
+ /* while doing auth neg, don't allow the custom length since
+ we will force length zero then */
+ checkprefix("Content-Length", headers->data))
+ ;
else {
CURLcode result = add_bufferf(req_buffer, "%s\r\n", headers->data);
if(result)
@@ -2787,9 +2792,9 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
we don't upload data chunked, as RFC2616 forbids us to set both
kinds of headers (Transfer-Encoding: chunked and Content-Length) */
- if(!checkheaders(data, "Content-Length:")) {
- /* we allow replacing this header, although it isn't very wise to
- actually set your own */
+ if(conn->bits.authneg || !checkheaders(data, "Content-Length:")) {
+ /* we allow replacing this header if not during auth negotiation,
+ although it isn't very wise to actually set your own */
result = add_bufferf(req_buffer,
"Content-Length: %" FORMAT_OFF_T"\r\n",
postsize);