mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 08:08:50 -05:00
- Setting the Content-Length: header from your app when you do a POST or PUT is almost always a VERY BAD IDEA. Yet there are still apps out there doing this, and now recently it triggered a bug/side-effect in libcurl as when libcurl sends a POST or PUT with NTLM, it sends an empty post first when it knows it will just get a 401/407 back. If the app then replaced the Content-Length header, it caused the server to wait for input that libcurl wouldn't send. Aaron Oneal reported this problem in bug report #2799008 (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
This commit is contained in:
parent
1c2947581b
commit
1012c5705a
13
CHANGES
13
CHANGES
@ -6,11 +6,24 @@
|
|||||||
|
|
||||||
Changelog
|
Changelog
|
||||||
|
|
||||||
|
<<<<<<< CHANGES
|
||||||
|
Daniel Stenberg (4 June 2009)
|
||||||
|
- Setting the Content-Length: header from your app when you do a POST or PUT
|
||||||
|
is almost always a VERY BAD IDEA. Yet there are still apps out there doing
|
||||||
|
this, and now recently it triggered a bug/side-effect in libcurl as when
|
||||||
|
libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
|
||||||
|
knows it will just get a 401/407 back. If the app then replaced the
|
||||||
|
Content-Length header, it caused the server to wait for input that libcurl
|
||||||
|
wouldn't send. Aaron Oneal reported this problem in bug report #2799008
|
||||||
|
http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
|
||||||
|
|
||||||
|
=======
|
||||||
Yang Tse (4 Jun 2009)
|
Yang Tse (4 Jun 2009)
|
||||||
- Igor Novoseltsev provided patches and information, that after some
|
- Igor Novoseltsev provided patches and information, that after some
|
||||||
adjustments to better fit curl's way of doing things, have resulted
|
adjustments to better fit curl's way of doing things, have resulted
|
||||||
in the posibility of building libcurl for VxWorks.
|
in the posibility of building libcurl for VxWorks.
|
||||||
|
|
||||||
|
>>>>>>> 1.1683
|
||||||
Daniel Fandrich (2 June 2009)
|
Daniel Fandrich (2 June 2009)
|
||||||
- Checked in a Google Android make file. To use it, you must first
|
- Checked in a Google Android make file. To use it, you must first
|
||||||
create a config.h file by running configure in the Android environment,
|
create a config.h file by running configure in the Android environment,
|
||||||
|
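Review bot: The added lines in this CHANGES hunk include unresolved merge conflict markers ("<<<<<<< CHANGES", "=======", ">>>>>>> 1.1683") around the new 4 June entry. Resolve the conflict before committing so that the Daniel Stenberg entry and the Yang Tse entry both appear as normal changelog entries with no marker lines. The new entry also has a closing parenthesis after the bug URL with no opening one.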
@ -20,7 +20,11 @@ This release includes the following bugfixes:
|
|||||||
o libcurl-NSS build fixes
|
o libcurl-NSS build fixes
|
||||||
o libcurl-NSS build fix
|
o libcurl-NSS build fix
|
||||||
o configure script fixed for VMS
|
o configure script fixed for VMS
|
||||||
|
<<<<<<< RELEASE-NOTES
|
||||||
|
o set Content-Length: with POST and PUT failed with NTLM auth
|
||||||
|
=======
|
||||||
o allow building libcurl for VxWorks
|
o allow building libcurl for VxWorks
|
||||||
|
>>>>>>> 1.1030
|
||||||
|
|
||||||
This release includes the following known bugs:
|
This release includes the following known bugs:
|
||||||
|
|
||||||
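Review bot: The new bugfix line "o set Content-Length: with POST and PUT failed with NTLM auth" is committed inside conflict markers ("<<<<<<< RELEASE-NOTES", "=======", ">>>>>>> 1.1030"). Drop the three marker lines and keep both the new line and "o allow building libcurl for VxWorks" as plain list items.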
@ -29,7 +33,13 @@ This release includes the following known bugs:
|
|||||||
This release would not have looked like this without help, code, reports and
|
This release would not have looked like this without help, code, reports and
|
||||||
advice from friends like these:
|
advice from friends like these:
|
||||||
|
|
||||||
|
<<<<<<< RELEASE-NOTES
|
||||||
|
Yang Tse, Daniel Fandrich, Kamil Dudka, Caolan McNamara, Frank McGeough,
|
||||||
|
Andre Guibert de Bruet, Mike Crowe, Claes Jakobsson, John E. Malmberg,
|
||||||
|
Aaron Oneal
|
||||||
|
=======
|
||||||
Kamil Dudka, Caolan McNamara, Frank McGeough, Andre Guibert de Bruet,
|
Kamil Dudka, Caolan McNamara, Frank McGeough, Andre Guibert de Bruet,
|
||||||
Mike Crowe, Claes Jakobsson, John E. Malmberg, Igor Novoseltsev
|
Mike Crowe, Claes Jakobsson, John E. Malmberg, Igor Novoseltsev
|
||||||
|
>>>>>>> 1.1030
|
||||||
|
|
||||||
Thanks! (and sorry if I forgot to mention someone)
|
Thanks! (and sorry if I forgot to mention someone)
|
||||||
|
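Review bot: The contributor list in this hunk is left as two conflicting versions between "<<<<<<< RELEASE-NOTES" and ">>>>>>> 1.1030", so most names now appear twice and the marker lines end up in the released text. Merge the two sides into one list that keeps both Aaron Oneal (from the new side) and Igor Novoseltsev (from the existing side), and remove the markers.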
11
lib/http.c
11
lib/http.c
@ -2032,6 +2032,11 @@ static CURLcode add_custom_headers(struct connectdata *conn,
|
|||||||
/* this header (extended by formdata.c) is sent later */
|
/* this header (extended by formdata.c) is sent later */
|
||||||
checkprefix("Content-Type:", headers->data))
|
checkprefix("Content-Type:", headers->data))
|
||||||
;
|
;
|
||||||
|
else if(conn->bits.authneg &&
|
||||||
|
/* while doing auth neg, don't allow the custom length since
|
||||||
|
we will force length zero then */
|
||||||
|
checkprefix("Content-Length", headers->data))
|
||||||
|
;
|
||||||
else {
|
else {
|
||||||
CURLcode result = add_bufferf(req_buffer, "%s\r\n", headers->data);
|
CURLcode result = add_bufferf(req_buffer, "%s\r\n", headers->data);
|
||||||
if(result)
|
if(result)
|
||||||
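Review bot: The new branch matches checkprefix("Content-Length", headers->data) without the trailing colon, while the check just above uses "Content-Type:" and the later hunk uses checkheaders(data, "Content-Length:"). As written, any custom header whose name merely starts with "Content-Length" is also dropped during auth negotiation. Use "Content-Length:" here so that only the exact header is suppressed and the three checks stay consistent.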
@ -2787,9 +2792,9 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
|
|||||||
we don't upload data chunked, as RFC2616 forbids us to set both
|
we don't upload data chunked, as RFC2616 forbids us to set both
|
||||||
kinds of headers (Transfer-Encoding: chunked and Content-Length) */
|
kinds of headers (Transfer-Encoding: chunked and Content-Length) */
|
||||||
|
|
||||||
if(!checkheaders(data, "Content-Length:")) {
|
if(conn->bits.authneg || !checkheaders(data, "Content-Length:")) {
|
||||||
/* we allow replacing this header, although it isn't very wise to
|
/* we allow replacing this header if not during auth negotiation,
|
||||||
actually set your own */
|
although it isn't very wise to actually set your own */
|
||||||
result = add_bufferf(req_buffer,
|
result = add_bufferf(req_buffer,
|
||||||
"Content-Length: %" FORMAT_OFF_T"\r\n",
|
"Content-Length: %" FORMAT_OFF_T"\r\n",
|
||||||
postsize);
|
postsize);
|
||||||
|
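Review bot: With the condition changed to conn->bits.authneg || !checkheaders(data, "Content-Length:"), the header written during negotiation is whatever postsize holds, and nothing in this hunk shows that postsize is zero at that point. The comment in the other http.c hunk says the length is forced to zero, so either note here that postsize is already 0 when authneg is set or point to where it is set, since the fix depends on it. The commit touches only CHANGES, RELEASE-NOTES and lib/http.c; a regression test for POST/PUT with NTLM and an app-supplied Content-Length header would keep this from coming back.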