
httpauth: make multi-request auth work with custom port

When doing HTTP authentication with a port number set with CURLOPT_PORT,
the code would previously let the URL's port number override it, as if it
had been a redirect to an absolute URL.

Added test 1568 to verify.

Reported-by: UrsusArctos on github
Fixes #6397
Closes #6400
Daniel Stenberg 2021-01-01 23:41:21 +01:00
parent 725ec470e2
commit 648712eec1
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
8 changed files with 158 additions and 13 deletions


@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -2211,7 +2211,6 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
multi_done(data, result, TRUE); multi_done(data, result, TRUE);
} }
else if(done) { else if(done) {
followtype follow = FOLLOW_NONE;
/* call this even if the readwrite function returned error */ /* call this even if the readwrite function returned error */
Curl_posttransfer(data); Curl_posttransfer(data);
@ -2219,6 +2218,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
/* When we follow redirects or is set to retry the connection, we must /* When we follow redirects or is set to retry the connection, we must
to go back to the CONNECT state */ to go back to the CONNECT state */
if(data->req.newurl || retry) { if(data->req.newurl || retry) {
followtype follow = FOLLOW_NONE;
if(!retry) { if(!retry) {
/* if the URL is a follow-location and not just a retried request /* if the URL is a follow-location and not just a retried request
then figure out the URL here */ then figure out the URL here */


@ -1537,6 +1537,8 @@ CURLcode Curl_follow(struct Curl_easy *data,
bool reachedmax = FALSE; bool reachedmax = FALSE;
CURLUcode uc; CURLUcode uc;
DEBUGASSERT(type != FOLLOW_NONE);
if(type == FOLLOW_REDIR) { if(type == FOLLOW_REDIR) {
if((data->set.maxredirs != -1) && if((data->set.maxredirs != -1) &&
(data->set.followlocation >= data->set.maxredirs)) { (data->set.followlocation >= data->set.maxredirs)) {
@ -1568,8 +1570,11 @@ CURLcode Curl_follow(struct Curl_easy *data,
} }
} }
if(Curl_is_absolute_url(newurl, NULL, MAX_SCHEME_LEN)) if((type != FOLLOW_RETRY) &&
/* This is an absolute URL, don't allow the custom port number */ (data->req.httpcode != 401) && (data->req.httpcode != 407) &&
Curl_is_absolute_url(newurl, NULL, MAX_SCHEME_LEN))
/* If this is not redirect due to a 401 or 407 response and an absolute
URL: don't allow a custom port number */
disallowport = TRUE; disallowport = TRUE;
DEBUGASSERT(data->state.uh); DEBUGASSERT(data->state.uh);
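Review bot: The new condition in Curl_follow() infers "this is an auth re-request for the same URL" from `data->req.httpcode` being 401 or 407, and nothing in the hunk says why that holds when the call type is `FOLLOW_REDIR`. Leaving `disallowport` unset keeps the CURLOPT_PORT value in effect for the follow-up request that carries the credentials, so the invariant deserves a comment above the `if`, for example `/* on 401/407 newurl is the original URL re-issued for auth, not a Location: target, so the custom port must stay in effect */`; that newurl never comes from a server-supplied header on these codes is an assumption to confirm against the caller. The existing comment sits between the unbraced three-line condition and `disallowport = TRUE;`, which is easy to misread, so braces around the body would help. Test 1568 on this page covers only the 401 Digest path, so the 407 branch is untested here. The function body starts and ends outside the hunk.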


@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -36,9 +36,8 @@ typedef enum {
allow initing to this */ allow initing to this */
FOLLOW_FAKE, /* only records stuff, not actually following */ FOLLOW_FAKE, /* only records stuff, not actually following */
FOLLOW_RETRY, /* set if this is a request retry as opposed to a real FOLLOW_RETRY, /* set if this is a request retry as opposed to a real
redirect following */ redirect following */
FOLLOW_REDIR, /* a full true redirect */ FOLLOW_REDIR /* a full true redirect */
FOLLOW_LAST /* never used */
} followtype; } followtype;
CURLcode Curl_follow(struct Curl_easy *data, char *newurl, CURLcode Curl_follow(struct Curl_easy *data, char *newurl,


@ -2003,7 +2003,9 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
} }
else { else {
unsigned long port = strtoul(data->state.up.port, NULL, 10); unsigned long port = strtoul(data->state.up.port, NULL, 10);
conn->port = conn->remote_port = curlx_ultous(port); conn->port = conn->remote_port =
(data->set.use_port && data->state.allow_port) ?
(int)data->set.use_port : curlx_ultous(port);
} }
(void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0);
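Review bot: The override branch in parseurlandfillconn() takes `data->set.use_port` through a bare `(int)` cast, while the URL-derived branch goes through `curlx_ultous()`; if the option value is range-checked only when it is set (not visible on this page), a comment here should say so. The line also makes the connection port depend on `data->state.allow_port`, which is presumably cleared through `disallowport` in Curl_follow(), so I would add `/* use the CURLOPT_PORT value only while state.allow_port is set; otherwise the port parsed from the URL wins */`. `strtoul()` is still called with a NULL end pointer and its result is thrown away when the override applies, so an explicit `if`/`else` that parses only in the fallback arm would read more clearly than the nested conditional. The function starts and ends outside this hunk.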


@ -5,7 +5,7 @@
# | (__| |_| | _ <| |___ # | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____| # \___|\___/|_| \_\_____|
# #
# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. # Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
# #
# This software is licensed as described in the file COPYING, which # This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms # you should have received as part of this distribution. The terms
@ -187,7 +187,7 @@ test1540 \
\ \
test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \ test1550 test1551 test1552 test1553 test1554 test1555 test1556 test1557 \
test1558 test1559 test1560 test1561 test1562 test1563 test1564 test1565 \ test1558 test1559 test1560 test1561 test1562 test1563 test1564 test1565 \
test1566 test1567 \ test1566 test1567 test1568 \
\ \
test1590 test1591 test1592 test1593 test1594 test1595 test1596 \ test1590 test1591 test1592 test1593 test1594 test1595 test1596 \
\ \

87
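--- a/tests/data/test1568
+++ b/tests/data/test1568
@@ -0,0 +1,87 @@
+<testcase>
+# based on test 64
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP Digest auth
+</keywords>
+</info>
+<reply>
+<data>
+HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 26
+This is not the real page
+</data>
+# This is supposed to be returned when the server gets a
+# Authorization: Digest line passed-in from the client
+<data1000>
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+This IS the real page!
+</data1000>
+<datacheck>
+HTTP/1.1 401 Authorization Required swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 26
+HTTP/1.1 200 OK swsclose
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+This IS the real page!
+</datacheck>
+</reply>
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+!SSPI
+crypto
+</features>
+<name>
+HTTP with Digest authorization on custom CURLOPT_PORT
+</name>
+<tool>
+lib1568
+</tool>
+<command>
+http://%HOSTIP/1568 %HTTPPORT
+</command>
+</client>
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+GET /1568 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: lib1568
+Accept: */*
+GET /1568 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/1568", response="9cbbd857a37e45f2bcad5c7d088191df"
+User-Agent: lib1568
+Accept: */*
+</protocol>
+</verify>
+</testcase>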


@ -5,7 +5,7 @@
# | (__| |_| | _ <| |___ # | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____| # \___|\___/|_| \_\_____|
# #
# Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. # Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
# #
# This software is licensed as described in the file COPYING, which # This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms # you should have received as part of this distribution. The terms
@ -56,7 +56,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \
lib1534 lib1535 lib1536 lib1537 lib1538 lib1539 \ lib1534 lib1535 lib1536 lib1537 lib1538 lib1539 \
lib1540 \ lib1540 \
lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \ lib1550 lib1551 lib1552 lib1553 lib1554 lib1555 lib1556 lib1557 \
lib1558 lib1559 lib1560 lib1564 lib1565 lib1567 \ lib1558 lib1559 lib1560 lib1564 lib1565 lib1567 lib1568 \
lib1591 lib1592 lib1593 lib1594 lib1596 \ lib1591 lib1592 lib1593 lib1594 lib1596 \
lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \ lib1905 lib1906 lib1907 lib1908 lib1910 lib1911 lib1912 lib1913 \
lib1915 lib1916 lib1917 lib1933 \ lib1915 lib1916 lib1917 lib1933 \
@ -601,6 +601,9 @@ lib1565_CPPFLAGS = $(AM_CPPFLAGS)
lib1567_SOURCES = lib1567.c $(SUPPORTFILES) lib1567_SOURCES = lib1567.c $(SUPPORTFILES)
lib1567_CPPFLAGS = $(AM_CPPFLAGS) lib1567_CPPFLAGS = $(AM_CPPFLAGS)
lib1568_SOURCES = lib1568.c $(SUPPORTFILES)
lib1568_CPPFLAGS = $(AM_CPPFLAGS)
lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
lib1591_LDADD = $(TESTUTIL_LIBS) lib1591_LDADD = $(TESTUTIL_LIBS)
lib1591_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1591 lib1591_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1591

49
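--- a/tests/libtest/lib1568.c
+++ b/tests/libtest/lib1568.c
@@ -0,0 +1,49 @@
+/***************************************************************************
+* _ _ ____ _
+* Project ___| | | | _ \| |
+* / __| | | | |_) | |
+* | (__| |_| | _ <| |___
+* \___|\___/|_| \_\_____|
+*
+* Copyright (C) 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+*
+* This software is licensed as described in the file COPYING, which
+* you should have received as part of this distribution. The terms
+* are also available at https://curl.se/docs/copyright.html.
+*
+* You may opt to use, copy, modify, merge, publish, distribute and/or sell
+* copies of the Software, and permit persons to whom the Software is
+* furnished to do so, under the terms of the COPYING file.
+*
+* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+* KIND, either express or implied.
+*
+***************************************************************************/
+#include "test.h"
+#include "testtrace.h"
+#include "memdebug.h"
+int test(char *URL)
+{
+CURLcode ret;
+CURL *hnd;
+hnd = curl_easy_init();
+curl_easy_setopt(hnd, CURLOPT_URL, URL);
+curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
+curl_easy_setopt(hnd, CURLOPT_HEADER, 1L);
+curl_easy_setopt(hnd, CURLOPT_USERPWD, "testuser:testpass");
+curl_easy_setopt(hnd, CURLOPT_USERAGENT, "lib1568");
+curl_easy_setopt(hnd, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST);
+curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
+curl_easy_setopt(hnd, CURLOPT_PORT, (long)atoi(libtest_arg2));
+ret = curl_easy_perform(hnd);
+curl_easy_cleanup(hnd);
+hnd = NULL;
+return (int)ret;
+}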
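Review bot: test() uses the handle from `curl_easy_init()` without checking it for NULL and passes `libtest_arg2` to `atoi()` without checking that a second argument was given, so a setup failure would show up as a confusing transfer error or undefined behaviour instead of a clear test failure. None of the `curl_easy_setopt()` return codes are checked, and the function has no `curl_global_init()`/`curl_global_cleanup()` pair; whether the harness does that is not visible on this page. A short header comment saying that the URL deliberately carries no port and that the port arrives through CURLOPT_PORT would also tell readers what the test pins down. A sketch of the guarded setup follows.

```c
int test(char *URL)
{
  CURLcode ret;
  CURL *hnd;

  if(!libtest_arg2)
    return (int)CURLE_BAD_FUNCTION_ARGUMENT;
  ret = curl_global_init(CURL_GLOBAL_ALL);
  if(ret)
    return (int)ret;
  hnd = curl_easy_init();
  if(!hnd) {
    curl_global_cleanup();
    return (int)CURLE_FAILED_INIT;
  }
  /* … unchanged: curl_easy_setopt() calls up to CURLOPT_MAXREDIRS … */
  curl_easy_setopt(hnd, CURLOPT_PORT, strtol(libtest_arg2, NULL, 10));
  ret = curl_easy_perform(hnd);
  curl_easy_cleanup(hnd);
  curl_global_cleanup();
  return (int)ret;
}
```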