mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00

- Setting the Content-Length: header from your app when you do a POST or PUT
  is almost always a VERY BAD IDEA. Yet there are still apps out there doing
  this, and now recently it triggered a bug/side-effect in libcurl as when
  libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
  knows it will just get a 401/407 back. If the app then replaced the
  Content-Length header, it caused the server to wait for input that libcurl
  wouldn't send. Aaron Oneal reported this problem in bug report #2799008
  (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
Daniel Stenberg 2009-06-05 06:18:42 +00:00
parent 1c2947581b
commit 1012c5705a
3 changed files with 31 additions and 3 deletions

CHANGES

@ -6,11 +6,24 @@
Changelog Changelog
<<<<<<< CHANGES
Daniel Stenberg (4 June 2009)
- Setting the Content-Length: header from your app when you do a POST or PUT
is almost always a VERY BAD IDEA. Yet there are still apps out there doing
this, and now recently it triggered a bug/side-effect in libcurl as when
libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
knows it will just get a 401/407 back. If the app then replaced the
Content-Length header, it caused the server to wait for input that libcurl
wouldn't send. Aaron Oneal reported this problem in bug report #2799008
http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
=======
Yang Tse (4 Jun 2009) Yang Tse (4 Jun 2009)
- Igor Novoseltsev provided patches and information, that after some - Igor Novoseltsev provided patches and information, that after some
adjustments to better fit curl's way of doing things, have resulted adjustments to better fit curl's way of doing things, have resulted
in the posibility of building libcurl for VxWorks. in the posibility of building libcurl for VxWorks.
>>>>>>> 1.1683
Daniel Fandrich (2 June 2009) Daniel Fandrich (2 June 2009)
- Checked in a Google Android make file. To use it, you must first - Checked in a Google Android make file. To use it, you must first
create a config.h file by running configure in the Android environment, create a config.h file by running configure in the Android environment,
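Review bot: The CVS conflict markers `<<<<<<< CHANGES`, `=======` and `>>>>>>> 1.1683` are being committed into CHANGES around the new Daniel Stenberg entry. Resolve the merge before committing: drop the three marker lines and keep both the 4 June entry and the Yang Tse entry as ordinary changelog entries.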

View File

@ -20,7 +20,11 @@ This release includes the following bugfixes:
o libcurl-NSS build fixes o libcurl-NSS build fixes
o libcurl-NSS build fix o libcurl-NSS build fix
o configure script fixed for VMS o configure script fixed for VMS
<<<<<<< RELEASE-NOTES
o set Content-Length: with POST and PUT failed with NTLM auth
=======
o allow building libcurl for VxWorks o allow building libcurl for VxWorks
>>>>>>> 1.1030
This release includes the following known bugs: This release includes the following known bugs:
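Review bot: The added lines in the bugfix list include `<<<<<<< RELEASE-NOTES`, `=======` and `>>>>>>> 1.1030`, so the release notes would ship with conflict markers in them. Remove the three marker lines and leave both bullets, the new NTLM one and the VxWorks one, in the list.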
@ -29,7 +33,13 @@ This release includes the following known bugs:
This release would not have looked like this without help, code, reports and This release would not have looked like this without help, code, reports and
advice from friends like these: advice from friends like these:
<<<<<<< RELEASE-NOTES
Yang Tse, Daniel Fandrich, Kamil Dudka, Caolan McNamara, Frank McGeough,
Andre Guibert de Bruet, Mike Crowe, Claes Jakobsson, John E. Malmberg,
Aaron Oneal
=======
Kamil Dudka, Caolan McNamara, Frank McGeough, Andre Guibert de Bruet, Kamil Dudka, Caolan McNamara, Frank McGeough, Andre Guibert de Bruet,
Mike Crowe, Claes Jakobsson, John E. Malmberg, Igor Novoseltsev Mike Crowe, Claes Jakobsson, John E. Malmberg, Igor Novoseltsev
>>>>>>> 1.1030
Thanks! (and sorry if I forgot to mention someone) Thanks! (and sorry if I forgot to mention someone)
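Review bot: The thanks list is left unresolved between conflict markers, and the two sides differ: the upper one adds Yang Tse, Daniel Fandrich and Aaron Oneal but has no Igor Novoseltsev, while the lower one has Igor Novoseltsev and none of those three. Merge them into a single list carrying all the names and delete the `<<<<<<< RELEASE-NOTES`, `=======` and `>>>>>>> 1.1030` lines.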

View File

@ -2032,6 +2032,11 @@ static CURLcode add_custom_headers(struct connectdata *conn,
/* this header (extended by formdata.c) is sent later */ /* this header (extended by formdata.c) is sent later */
checkprefix("Content-Type:", headers->data)) checkprefix("Content-Type:", headers->data))
; ;
else if(conn->bits.authneg &&
/* while doing auth neg, don't allow the custom length since
we will force length zero then */
checkprefix("Content-Length", headers->data))
;
else { else {
CURLcode result = add_bufferf(req_buffer, "%s\r\n", headers->data); CURLcode result = add_bufferf(req_buffer, "%s\r\n", headers->data);
if(result) if(result)
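Review bot: The new branch in add_custom_headers calls `checkprefix("Content-Length", headers->data)` without the trailing colon, unlike the `"Content-Type:"` check just above it and the `checkheaders(data, "Content-Length:")` call in Curl_http. As written, any custom header whose name merely begins with Content-Length is also dropped while conn->bits.authneg is set; use `"Content-Length:"` so only that header is skipped.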
@ -2787,9 +2792,9 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
we don't upload data chunked, as RFC2616 forbids us to set both we don't upload data chunked, as RFC2616 forbids us to set both
kinds of headers (Transfer-Encoding: chunked and Content-Length) */ kinds of headers (Transfer-Encoding: chunked and Content-Length) */
if(!checkheaders(data, "Content-Length:")) { if(conn->bits.authneg || !checkheaders(data, "Content-Length:")) {
/* we allow replacing this header, although it isn't very wise to /* we allow replacing this header if not during auth negotiation,
actually set your own */ although it isn't very wise to actually set your own */
result = add_bufferf(req_buffer, result = add_bufferf(req_buffer,
"Content-Length: %" FORMAT_OFF_T"\r\n", "Content-Length: %" FORMAT_OFF_T"\r\n",
postsize); postsize);
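Review bot: With `conn->bits.authneg ||` added to the condition, Curl_http now always emits its own Content-Length from postsize during negotiation, but nothing in the visible lines shows postsize being zero at that point, while the comment added in add_custom_headers says "we will force length zero then". The updated comment here should say where postsize is set to zero for the authneg case, and note that this condition has to stay in step with the header skip in add_custom_headers, since changing only one of the two would either send two Content-Length headers or none.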