From 638c6da9dbe26dd50664839f6ffb3357f0560abf Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Sun, 31 Mar 2013 13:26:54 +0200 Subject: proxy: make ConnectionExists() check credential of proxyconnections too Previously it only compared credentials if the requested needle connection wasn't using a proxy. This caused NTLM authentication failures when using proxies as the authentication code wasn't send on the connection where the challenge arrived. Added test 1215 to verify: NTLM server authentication through a proxy (This is a modified copy of test 67) --- lib/url.c | 23 +++++------ tests/data/Makefile.am | 2 +- tests/data/test1215 | 104 +++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 117 insertions(+), 12 deletions(-) create mode 100644 tests/data/test1215 diff --git a/lib/url.c b/lib/url.c index 33876478b..4399162a9 100644 --- a/lib/url.c +++ b/lib/url.c @@ -2974,6 +2974,18 @@ ConnectionExists(struct SessionHandle *data, continue; } + if((needle->handler->protocol & CURLPROTO_FTP) || + ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { + /* This is FTP or HTTP+NTLM, verify that we're using the same name + and password as well */ + if(!strequal(needle->user, check->user) || + !strequal(needle->passwd, check->passwd)) { + /* one of them was different */ + continue; + } + credentialsMatch = TRUE; + } + if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL || (needle->bits.httpproxy && check->bits.httpproxy && needle->bits.tunnel_proxy && check->bits.tunnel_proxy && @@ -3007,17 +3019,6 @@ ConnectionExists(struct SessionHandle *data, continue; } } - if((needle->handler->protocol & CURLPROTO_FTP) || - ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { - /* This is FTP or HTTP+NTLM, verify that we're using the same name - and password as well */ - if(!strequal(needle->user, check->user) || - !strequal(needle->passwd, check->passwd)) { - /* one of them was different */ - continue; - } - credentialsMatch = TRUE; - } match = TRUE; } } diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index a6eb2e07e..5ef2de6b7 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -88,7 +88,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \ test1128 test1129 test1130 test1131 test1132 test1133 \ \ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ -test1208 test1209 test1210 test1211 test1212 test1213 test1214 \ +test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ \ test1220 test1221 test1222 test1223 \ \ diff --git a/tests/data/test1215 b/tests/data/test1215 new file mode 100644 index 000000000..ea62eeb60 --- /dev/null +++ b/tests/data/test1215 @@ -0,0 +1,104 @@ + + +# This test is a copy of test 67, modified to use a HTTP proxy. + +HTTP +HTTP GET +HTTP NTLM auth +HTTP proxy + + +# Server-side + + + + + +HTTP/1.1 401 Now gimme that second request of crap +Server: Microsoft-IIS/5.0 +Content-Type: text/html; charset=iso-8859-1 +Content-Length: 34 +WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAgACADAAAAAGgoEAc51AYVDgyNcAAAAAAAAAAG4AbgAyAAAAQ0MCAAQAQwBDAAEAEgBFAEwASQBTAEEAQgBFAFQASAAEABgAYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAwAsAGUAbABpAHMAYQBiAGUAdABoAC4AYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAAAAAA== + +This is not the real page either! + + +# This is supposed to be returned when the server gets the second +# Authorization: NTLM line passed-in from the client + +HTTP/1.1 200 Things are fine in server land swsclose +Server: Microsoft-IIS/5.0 +Content-Type: text/html; charset=iso-8859-1 +Content-Length: 32 + +Finally, this is the real page! + + + +HTTP/1.1 401 Now gimme that second request of crap +Server: Microsoft-IIS/5.0 +Content-Type: text/html; charset=iso-8859-1 +Content-Length: 34 +WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAgACADAAAAAGgoEAc51AYVDgyNcAAAAAAAAAAG4AbgAyAAAAQ0MCAAQAQwBDAAEAEgBFAEwASQBTAEEAQgBFAFQASAAEABgAYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAwAsAGUAbABpAHMAYQBiAGUAdABoAC4AYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAAAAAA== + +HTTP/1.1 200 Things are fine in server land swsclose +Server: Microsoft-IIS/5.0 +Content-Type: text/html; charset=iso-8859-1 +Content-Length: 32 + +Finally, this is the real page! + + + + +# Client-side + + +NTLM + + +http + + +HTTP with server NTLM authorization using a proxy + + +# we force our own host name, in order to make the test machine independent +CURL_GETHOSTNAME=curlhost +# we try to use the LD_PRELOAD hack, if not a debug build +LD_PRELOAD=%PWD/libtest/.libs/libhostname.so + + +http://%HOSTIP:%HTTPPORT/1215 -u testuser:testpass --ntlm --proxy http://%HOSTIP:%HTTPPORT + + +chkhostname curlhost + + + +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET http://%HOSTIP:%HTTPPORT/1215 HTTP/1.1 +Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA= +User-Agent: curl/7.30.0-DEV +Host: %HOSTIP:%HTTPPORT +Accept: */* +Proxy-Connection: Keep-Alive + +GET http://%HOSTIP:%HTTPPORT/1215 HTTP/1.1 +Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACAAIAHAAAAAIAAgAeAAAAAAAAAAAAAAABoKBAFpkQwKRCZFMhjj0tw47wEjKHRHlvzfxQamFcheMuv8v+xeqphEO5V41xRd7R9deOXRlc3R1c2VyY3VybGhvc3Q= +User-Agent: curl/7.30.0-DEV +Host: %HOSTIP:%HTTPPORT +Accept: */* +Proxy-Connection: Keep-Alive + + + + -- cgit v1.2.3