Harshal Pradhan fixed changing username/password on a persitent HTTP

connection.

CHANGES

@@ -7,7 +7,17 @@
                                   Changelog
 
 
+Daniel (14 December 2004)
+- Harshal Pradhan patched a HTTP persistent connection flaw: if the user name
+  and/or password were modified between two requests on a persistent
+  connection, the second request were still made with the first setup!
+
+  I added test case 519 to verify the fix.
+
 Daniel (13 December 2004)
+- Gisle added CURLINFO_SSL_ENGINES to curl_easy_getinfo() to allow an app
+  to list all available crypto ENGINES.
+
 - Gisle fixed bug report #1083542, which pointed out a problem with resuming
   large file (>4GB) file:// transfers on windows.
 

RELEASE-NOTES

@@ -10,6 +10,7 @@ Curl and libcurl 7.12.3
 
 This release includes the following changes:
 
+ o added CURLINFO_SSL_ENGINES
  o new configure options: --disable-cookies, --disable-crypto-auth and
    --disable-verbose
  o persistent ftp request improvements
@@ -25,6 +26,7 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o modified credentials between two requests on a persistent http connection
  o large file file:// resumes on Windows
  o URLs with username and IPv6 numerical addresses
  o configure works better with SSL libs in a "non-standard ld.so dir"
@@ -67,6 +69,6 @@ advice from friends like these:
  Tim Sneddon, Ian Gulliver, Jean-Philippe Barrette-LaPierre, Jeff Phillips,
  Wojciech Zwiefka, David Phillips, Reinout van Schouwen, Maurice Barnum,
  Richard Atterer, Rene Bernhardt, Matt Veenstra, Bryan Henderson, Ton Voon,
- Kai Sommerfeld, David Byron
+ Kai Sommerfeld, David Byron, Harshal Pradhan
 
         Thanks! (and sorry if I forgot to mention someone)

lib/url.c

@@ -3131,7 +3131,26 @@ static CURLcode CreateConnection(struct SessionHandle *data,
     /* get the user+password information from the old_conn struct since it may
      * be new for this request even when we re-use an existing connection */
     conn->bits.user_passwd = old_conn->bits.user_passwd;
+    if (conn->bits.user_passwd) {
+      /* use the new user namd and password though */
+      Curl_safefree(conn->user);
+      Curl_safefree(conn->passwd);
+      conn->user = old_conn->user;
+      conn->passwd = old_conn->passwd;
+      old_conn->user = NULL;
+      old_conn->passwd = NULL;
+    }
+
     conn->bits.proxy_user_passwd = old_conn->bits.proxy_user_passwd;
+    if (conn->bits.proxy_user_passwd) {
+      /* use the new proxy user name and proxy password though */
+      Curl_safefree(conn->proxyuser);
+      Curl_safefree(conn->proxypasswd);
+      conn->proxyuser = old_conn->proxyuser;
+      conn->proxypasswd = old_conn->proxypasswd;
+      old_conn->proxyuser = NULL;
+      old_conn->proxypasswd = NULL;
+    }
 
     /* host can change, when doing keepalive with a proxy ! */
     if (conn->bits.httpproxy) {

tests/data/Makefile.am

@@ -30,7 +30,7 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46	\
  test193 test194 test195 test196 test197 test198 test515 test516	\
  test517 test518 test210 test211 test212 test220 test221 test222	\
  test223 test224 test206 test207 test208 test209 test213 test240        \
- test241 test242
+ test241 test242 test519
 
 # The following tests have been removed from the dist since they no longer
 # work. We need to fix the test suite's FTPS server first, then bring them

tests/data/test519

@@ -0,0 +1,71 @@
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 200 OK swsbounce
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 8
+
+content
+</data>
+<data1>
+HTTP/1.1 200 OK swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 9
+
+content2
+</data1>
+<datacheck>
+HTTP/1.1 200 OK swsbounce
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 8
+
+content
+HTTP/1.1 200 OK swsclose
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake
+Content-Length: 9
+
+content2
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+# tool is what to use instead of 'curl'
+<tool>
+lib519
+</tool>
+
+ <name>
+GET same URL twice with different users
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/519
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /519 HTTP/1.1
+Authorization: Basic bW9uc3Rlcjp1bmRlcmJlZA==
+Host: 127.0.0.1:8990
+Pragma: no-cache
+Accept: */*
+
+GET /519 HTTP/1.1
+Authorization: Basic YW5vdGhlcm1vbnN0ZXI6aW53YXJkcm9iZQ==
+Host: 127.0.0.1:8990
+Pragma: no-cache
+Accept: */*
+
+</protocol>
+</verify>

tests/libtest/Makefile.am

@@ -40,7 +40,7 @@ SUPPORTFILES = first.c test.h
 # These are all libcurl test programs
 noinst_PROGRAMS = lib500 lib501 lib502 lib503 lib504 lib505 lib506 lib507 \
   lib508 lib509 lib510 lib511 lib512 lib513 lib514 lib515 lib516 lib517 \
-  lib518
+  lib518 lib519
 
 lib500_SOURCES = lib500.c $(SUPPORTFILES)
 lib500_LDADD = $(LIBDIR)/libcurl.la
@@ -117,3 +117,7 @@ lib517_DEPENDENCIES = $(LIBDIR)/libcurl.la
 lib518_SOURCES = lib518.c $(SUPPORTFILES)
 lib518_LDADD = $(LIBDIR)/libcurl.la
 lib518_DEPENDENCIES = $(LIBDIR)/libcurl.la
+
+lib519_SOURCES = lib519.c $(SUPPORTFILES)
+lib519_LDADD = $(LIBDIR)/libcurl.la
+lib519_DEPENDENCIES = $(LIBDIR)/libcurl.la

tests/libtest/lib519.c

@@ -0,0 +1,21 @@
+#include "test.h"
+
+int test(char *URL)
+{
+  CURLcode res;
+  CURL *curl = curl_easy_init();
+  curl_easy_setopt(curl, CURLOPT_URL, URL);
+  curl_easy_setopt(curl, CURLOPT_USERPWD, "monster:underbed");
+  curl_easy_setopt(curl, CURLOPT_HEADER, TRUE);
+  curl_easy_setopt(curl, CURLOPT_VERBOSE, TRUE);
+  /* get first page */
+  res = curl_easy_perform(curl);
+
+  curl_easy_setopt(curl, CURLOPT_USERPWD, "anothermonster:inwardrobe");
+  /* get second page */
+  res = curl_easy_perform(curl);
+
+  curl_easy_cleanup(curl);
+  return (int)res;
+}
+