3 files changed, 40 insertions, 2 deletions

diff --git a/lib/http_digest.c b/lib/http_digest.c
index be5ca5a8d..bab95e9de 100644
--- a/lib/http_digest.c
+++ b/lib/http_digest.c
@@ -356,7 +356,25 @@ CURLcode Curl_output_digest(struct connectdata *conn,
     5.1.1 of RFC 2616)
   */
 
-  md5this = (unsigned char *)aprintf("%s:%s", request, uripath);
+  /* So IE browsers < v7 cut off the URI part at the query part when they
+     evaluate the MD5 and some (IIS?) servers work with them so we may need to
+     do the Digest IE-style. Note that the different ways cause different MD5
+     sums to get sent.
+
+     Apache servers can be set to do the Digest IE-style automatically using
+     the BrowserMatch feature:
+     http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
+
+     Further details on Digest implementation differences:
+     http://www.fngtps.com/2006/09/http-authentication
+  */
+  if(authp->iestyle && (tmp = strchr((char *)uripath, '?'))) {
+    md5this = (unsigned char *)aprintf("%s:%.*s", request,
+                                       (int)(tmp - (char *)uripath), uripath);
+  }
+  else
+    md5this = (unsigned char *)aprintf("%s:%s", request, uripath);
+
   if(!md5this) {
     free(ha1);
     return CURLE_OUT_OF_MEMORY;
diff --git a/lib/url.c b/lib/url.c
index 9037bf920..1cf8b08da 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -1319,6 +1319,16 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
      */
   {
     long auth = va_arg(param, long);
+
+    /* the DIGEST_IE bit is only used to set a special marker, for all the
+       rest we need to handle it as normal DIGEST */
+    data->state.authhost.iestyle = (auth & CURLAUTH_DIGEST_IE)?TRUE:FALSE;
+
+    if(auth & CURLAUTH_DIGEST_IE) {
+      auth |= CURLAUTH_DIGEST; /* set standard digest bit */
+      auth &= ~CURLAUTH_DIGEST_IE; /* unset ie digest bit */
+    }
+
     /* switch off bits we can't support */
 #ifndef USE_NTLM
     auth &= ~CURLAUTH_NTLM; /* no NTLM without SSL */
@@ -1354,6 +1364,15 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
      */
   {
     long auth = va_arg(param, long);
+
+    /* the DIGEST_IE bit is only used to set a special marker, for all the
+       rest we need to handle it as normal DIGEST */
+    data->state.authproxy.iestyle = (auth & CURLAUTH_DIGEST_IE)?TRUE:FALSE;
+
+    if(auth & CURLAUTH_DIGEST_IE) {
+      auth |= CURLAUTH_DIGEST; /* set standard digest bit */
+      auth &= ~CURLAUTH_DIGEST_IE; /* unset ie digest bit */
+    }
     /* switch off bits we can't support */
 #ifndef USE_NTLM
     auth &= ~CURLAUTH_NTLM; /* no NTLM without SSL */
diff --git a/lib/urldata.h b/lib/urldata.h
index aafa26eab..07dab3ee1 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1139,7 +1139,8 @@ struct auth {
                  request */
   bool multi; /* TRUE if this is not yet authenticated but within the auth
                  multipass negotiation */
-
+  bool iestyle; /* TRUE if digest should be done IE-style or FALSE if it should
+                   be RFC compliant */
 };
 
 struct conncache {