From 1012c5705aedc6730244c22cd9d2bcb3c5c13212 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 5 Jun 2009 06:18:42 +0000
Subject: [PATCH] - Setting the Content-Length: header from your app when you
 do a POST or PUT is almost always a VERY BAD IDEA. Yet there are still apps
 out there doing this, and now recently it triggered a bug/side-effect in
 libcurl as when libcurl sends a POST or PUT with NTLM, it sends an empty post
 first when it knows it will just get a 401/407 back. If the app then replaced
 the Content-Length header, it caused the server to wait for input that
 libcurl wouldn't send. Aaron Oneal reported this problem in bug report
 #2799008 http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify
 the fix.

---
 CHANGES       | 13 +++++++++++++
 RELEASE-NOTES | 10 ++++++++++
 lib/http.c    | 11 ++++++++---
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2b934415e..1c9745a3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,11 +6,24 @@ Changelog +<<<<<<< CHANGES +Daniel Stenberg (4 June 2009) +- Setting the Content-Length: header from your app when you do a POST or PUT + is almost always a VERY BAD IDEA. Yet there are still apps out there doing + this, and now recently it triggered a bug/side-effect in libcurl as when + libcurl sends a POST or PUT with NTLM, it sends an empty post first when it + knows it will just get a 401/407 back. If the app then replaced the + Content-Length header, it caused the server to wait for input that libcurl + wouldn't send. Aaron Oneal reported this problem in bug report #2799008 + http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix. + +======= Yang Tse (4 Jun 2009) - Igor Novoseltsev provided patches and information, that after some adjustments to better fit curl's way of doing things, have resulted in the posibility of building libcurl for VxWorks. +>>>>>>> 1.1683 Daniel Fandrich (2 June 2009) - Checked in a Google Android make file. To use it, you must first create a config.h file by running configure in the Android environment, diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 035473d2a..9866e5d92 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -20,7 +20,11 @@ This release includes the following bugfixes: o libcurl-NSS build fixes o libcurl-NSS build fix o configure script fixed for VMS +<<<<<<< RELEASE-NOTES + o set Content-Length: with POST and PUT failed with NTLM auth +======= o allow building libcurl for VxWorks +>>>>>>> 1.1030 This release includes the following known bugs: 
@@ -29,7 +33,13 @@ This release includes the following known bugs: This release would not have looked like this without help, code, reports and advice from friends like these: +<<<<<<< RELEASE-NOTES + Yang Tse, Daniel Fandrich, Kamil Dudka, Caolan McNamara, Frank McGeough, + Andre Guibert de Bruet, Mike Crowe, Claes Jakobsson, John E. Malmberg, + Aaron Oneal +======= Kamil Dudka, Caolan McNamara, Frank McGeough, Andre Guibert de Bruet, Mike Crowe, Claes Jakobsson, John E. Malmberg, Igor Novoseltsev +>>>>>>> 1.1030 Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/http.c b/lib/http.c index 466d9539a..ccbec227f 100644 --- a/lib/http.c +++ b/lib/http.c @@ -2032,6 +2032,11 @@ static CURLcode add_custom_headers(struct connectdata *conn, /* this header (extended by formdata.c) is sent later */ checkprefix("Content-Type:", headers->data)) ; + else if(conn->bits.authneg && + /* while doing auth neg, don't allow the custom length since + we will force length zero then */ + checkprefix("Content-Length", headers->data)) + ; else { CURLcode result = add_bufferf(req_buffer, "%s\r\n", headers->data); if(result) @@ -2787,9 +2792,9 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) we don't upload data chunked, as RFC2616 forbids us to set both kinds of headers (Transfer-Encoding: chunked and Content-Length) */ - if(!checkheaders(data, "Content-Length:")) { - /* we allow replacing this header, although it isn't very wise to - actually set your own */ + if(conn->bits.authneg || !checkheaders(data, "Content-Length:")) { + /* we allow replacing this header if not during auth negotiation, + although it isn't very wise to actually set your own */ result = add_bufferf(req_buffer, "Content-Length: %" FORMAT_OFF_T"\r\n", postsize);
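
Review bot: Unresolved merge conflict markers are being committed in the CHANGES hunk (`<<<<<<< CHANGES`, `=======`, `>>>>>>> 1.1683`). Both entries belong in the changelog, so drop the three marker lines and keep the new Daniel Stenberg entry above the existing Yang Tse entry. In the same entry, the bug URL is followed by a closing parenthesis that has no opening one.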
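
Review bot: The bugfix list in the first RELEASE-NOTES hunk (`@@ -20,7 +20,11 @@`) carries conflict markers (`<<<<<<< RELEASE-NOTES`, `=======`, `>>>>>>> 1.1030`) around the new "set Content-Length: with POST and PUT failed with NTLM auth" bullet and the existing "allow building libcurl for VxWorks" bullet. Remove the markers and keep both bullets; as written, the marker lines end up inside the published list.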
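
Review bot: The contributor list in the second RELEASE-NOTES hunk (`@@ -29,7 +33,13 @@`) is left as two competing versions between conflict markers. The added side has Yang Tse, Daniel Fandrich and Aaron Oneal but not Igor Novoseltsev, while the existing side has Igor Novoseltsev and none of the other three. Resolve to a single list that contains all of these names and drop the marker lines.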
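
Review bot: In the add_custom_headers() hunk of lib/http.c, the new test is `checkprefix("Content-Length", headers->data)` with no trailing colon, while the branch directly above uses "Content-Type:" and the Curl_http() hunk uses "Content-Length:". Because this is a prefix match, the colon-less form also drops any custom header whose name merely begins with Content-Length while auth negotiation is in progress. Use "Content-Length:" here so only the exact header is suppressed.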
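
Review bot: In the Curl_http() hunk of lib/http.c, the new `conn->bits.authneg ||` branch emits Content-Length from postsize, but nothing in the visible lines shows postsize being zero at that point; only the comment in add_custom_headers() says "we will force length zero then". Extend the comment here to name where postsize is forced to 0 during negotiation, so the two hunks can be checked against each other. The patch also carries no user-facing documentation change stating that an application-supplied Content-Length is ignored on the auth negotiation request; that behaviour is worth documenting alongside the CHANGES entry.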