diff options
| -rw-r--r-- | CHANGES | 27 | ||||
| -rw-r--r-- | RELEASE-NOTES | 52 | ||||
| -rw-r--r-- | lib/http_digest.c | 7 |
3 files changed, 83 insertions, 3 deletions
@@ -7,6 +7,33 @@ Changelog Daniel S (22 July 2007) +- HTTP Digest bug fix by Chris Flerackers: + + Scenario + + - Perfoming a POST request with body + - With authentication (only Digest) + - Re-using a connection + + libcurl would send a HTTP POST with an Authorization header but without + body. Our server would return 400 Bad Request in that case (because + authentication passed, but the body was empty). + + Cause + + 1) http_digest.c -> Curl_output_digest + - Updates allocptr.userpwd/allocptr.proxyuserpwd *only* if d->nonce is + filled in (and no errors) + - authp->done = TRUE if d->nonce is filled in + 2) http.c -> Curl_http + - *Always* uses allocptr.userpwd/allocptr.proxyuserpwd if not NULL + 3) http.c -> Curl_http, Curl_http_output_auth + + So what happens is that Curl_output_digest cannot yet update the + Authorization header (allocptr.userpwd) which results in authhost->done=0 -> + authhost->multi=1 -> conn->bits.authneg = TRUE. The body is not + added. *However*, allocptr.userpwd is still used when building the request + - Added test case 354 that makes a simple FTP retrieval without password, which verifies the bug fix in #1757328. diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 81c0a2a48..21992d90f 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -47,6 +47,56 @@ advice from friends like these: Dan Fandrich, Song Ma, Daniel Black, Giancarlo Formicuccia, Shmulik Regev, Daniel Cater, Colin Hogben, Jofell Gallardo, Daniel Johnson, - Ralf S. Engelschall, James Housley + Ralf S. Engelschall, James Housley, Curl and libcurl 7.16.5 + + Public curl release number: 101 + Releases counted from the very beginning: 127 + Available command line options: 118 + Available curl_easy_setopt() options: 143 + Number of public functions in libcurl: 55 + Amount of public web site mirrors: 39 + Number of known libcurl bindings: 35 + Number of contributors: 572 + +This release includes the following changes: + + o + +This release includes the following bugfixes: + + o test cases 31, 46, 61, 506, 517 now work in time zones that use leap seconds + o problem with closed proxy connection during HTTP CONNECT auth negotiation + o transfer-encoding skipping didn't ignore the 407 response bodies properly + o CURLOPT_SSL_VERIFYHOST set to 1 + o CONNECT endless loop + o krb5 support builds with Heimdal + o added returned error string for connection refused case + o re-use of dead FTP control connections + o login to FTP servers that don't require (nor understand) PASS after the + USER command + o bad free of memory from libssh2 + o the SFTP PWD command works + o HTTP Digest auth on a re-used connection + +This release includes the following known bugs: + + o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html) + +Other curl-related news: + + o pycurl 7.16.4 was released http://pycurl.sf.net + o TclCurl 7.16.4 was released + http://personal1.iddeo.es/andresgarci/tclcurl/english/ + +New curl mirrors: + + o http://curl.freeby.pctools.cl is a new mirror in Chile + +This release would not have looked like this without help, code, reports and +advice from friends like these: + + Dan Fandrich, Song Ma, Daniel Black, Giancarlo Formicuccia, Shmulik Regev, + Daniel Cater, Colin Hogben, Jofell Gallardo, Daniel Johnson, + Ralf S. Engelschall, James Housley, Chris Flerackers Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/http_digest.c b/lib/http_digest.c index 604655f04..7338ce72a 100644 --- a/lib/http_digest.c +++ b/lib/http_digest.c @@ -266,6 +266,11 @@ CURLcode Curl_output_digest(struct connectdata *conn, authp = &data->state.authhost; } + if (*allocuserpwd) { + Curl_safefree(*allocuserpwd); + *allocuserpwd = NULL; + } + /* not set means empty */ if(!userp) userp=(char *)""; @@ -388,8 +393,6 @@ CURLcode Curl_output_digest(struct connectdata *conn, nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca" */ - Curl_safefree(*allocuserpwd); - if (d->qop) { *allocuserpwd = aprintf( "%sAuthorization: Digest " |