-rw-r--r-- | lib/http.c | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/lib/http.c b/lib/http.c
index c3fb857d8..9372e488e 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -176,8 +176,24 @@ CURLcode http_connect(struct connectdata *conn)
     }
   }
+  if(data->bits.user_passwd && !data->bits.this_is_a_follow) {
+    /* Authorization: is requested, this is not a followed location, get the
+       original host name */
+    data->auth_host = strdup(data->hostname);
+  }
+
   return CURLE_OK;
 }
+
+/* called from curl_close() when this struct is about to get wasted, free
+   protocol-specific resources */
+CURLcode http_close(struct connectdata *conn)
+{
+  if(conn->data->auth_host)
+    free(conn->data->auth_host);
+  return CURLE_OK;
+}
+
 CURLcode http_done(struct connectdata *conn)
 {
   struct UrlData *data;
@@ -238,10 +254,17 @@ CURLcode http(struct connectdata *conn)
   if((data->bits.user_passwd) && !checkheaders(data, "Authorization:")) {
     char authorization[512];
-    sprintf(data->buffer, "%s:%s", data->user, data->passwd);
-    base64Encode(data->buffer, authorization);
-    data->ptr_userpwd = maprintf( "Authorization: Basic %s\015\012",
-                                 authorization);
+
+    /* To prevent the user+password to get sent to other than the original
+       host due to a location-follow, we do some weirdo checks here */
+    if(!data->bits.this_is_a_follow ||
+       !data->auth_host ||
+       strequal(data->auth_host, data->hostname)) {
+      sprintf(data->buffer, "%s:%s", data->user, data->passwd);
+      base64Encode(data->buffer, authorization);
+      data->ptr_userpwd = maprintf( "Authorization: Basic %s\015\012",
+                                   authorization);
+    }
   }
   if((data->bits.set_range) && !checkheaders(data, "Range:")) {
     data->ptr_rangeline = maprintf("Range: bytes=%s\015\012", data->range); |
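Review bot: The `strdup(data->hostname)` result in http_connect is stored without a NULL check, and because the second hunk treats a NULL auth_host as "send the credentials", an allocation failure here silently disables the very protection this commit adds; return `CURLE_OUT_OF_MEMORY` when strdup fails so the failure is visible rather than fail-open. The assignment also overwrites any previous auth_host without freeing it, so if http_connect runs more than once on the same UrlData the earlier copy leaks — `free(data->auth_host);` before the strdup would cover that. In http_close, the `if(conn->data->auth_host)` guard is redundant (free(NULL) is a no-op) and the pointer is left dangling after free; `free(conn->data->auth_host); conn->data->auth_host = NULL;` protects against a double free if close is ever reached twice. The enclosing http_connect body begins above this hunk.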
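Review bot: The `!data->auth_host ||` disjunct in the new condition in http() makes the redirect check fail-open: on a followed location where auth_host was never recorded (the non-follow branch in http_connect was skipped, or strdup failed), the Basic credentials are still sent to the new host, which is the leak the comment says it prevents. Dropping that clause and guarding the compare instead, `(data->auth_host && strequal(data->auth_host, data->hostname))`, withholds credentials whenever the original host is unknown and also avoids passing NULL to strequal. Note also that the comparison is on hostname alone; if strequal is a case-insensitive string compare as its name suggests, a redirect to the same host on another port or from https to http still receives the credentials — worth stating in the comment if that is intended. The `sprintf(data->buffer, "%s:%s", ...)` and the fixed `authorization[512]` are carried over unchanged and remain unbounded for long user/password values.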