mirror of
https://github.com/moparisthebest/curl
synced 2024-11-13 13:05:03 -05:00
test 2027/2030: take duplicate Digest requests into account
With the reversion of ce8311c7e4
and the new clear logic, this flaw
is present and we allow it.
This commit is contained in:
parent
13ce9031cc
commit
8d97bed806
@ -9,6 +9,17 @@ HTTP Digest auth
|
|||||||
# Server-side
|
# Server-side
|
||||||
<reply>
|
<reply>
|
||||||
|
|
||||||
|
<!--
|
||||||
|
|
||||||
|
Explanation for the duplicate 400 requests:
|
||||||
|
|
||||||
|
libcurl doesn't detect that a given Digest password is wrong already on the
|
||||||
|
first 401 response (as the data400 gives). libcurl will instead consider the
|
||||||
|
new response just as a duplicate and it sends another and detects the auth
|
||||||
|
problem on the second 401 response!
|
||||||
|
|
||||||
|
-->
|
||||||
|
|
||||||
<!-- First request has Digest auth, wrong password -->
|
<!-- First request has Digest auth, wrong password -->
|
||||||
<data100>
|
<data100>
|
||||||
HTTP/1.1 401 Need Digest auth
|
HTTP/1.1 401 Need Digest auth
|
||||||
@ -93,16 +104,6 @@ This is a bad password page!
|
|||||||
</data1400>
|
</data1400>
|
||||||
|
|
||||||
<!-- Fifth request has Digest auth, right password -->
|
<!-- Fifth request has Digest auth, right password -->
|
||||||
<data500>
|
|
||||||
HTTP/1.1 401 Need Digest auth (5)
|
|
||||||
Server: Microsoft-IIS/5.0
|
|
||||||
Content-Type: text/html; charset=iso-8859-1
|
|
||||||
Content-Length: 27
|
|
||||||
WWW-Authenticate: Digest realm="testrealm", nonce="8"
|
|
||||||
|
|
||||||
This is not the real page!
|
|
||||||
</data500>
|
|
||||||
|
|
||||||
<data1500>
|
<data1500>
|
||||||
HTTP/1.1 200 Things are fine in server land (2)
|
HTTP/1.1 200 Things are fine in server land (2)
|
||||||
Server: Microsoft-IIS/5.0
|
Server: Microsoft-IIS/5.0
|
||||||
@ -151,6 +152,12 @@ Content-Type: text/html; charset=iso-8859-1
|
|||||||
Content-Length: 29
|
Content-Length: 29
|
||||||
WWW-Authenticate: Digest realm="testrealm", nonce="7"
|
WWW-Authenticate: Digest realm="testrealm", nonce="7"
|
||||||
|
|
||||||
|
HTTP/1.1 401 Sorry wrong password (3)
|
||||||
|
Server: Microsoft-IIS/5.0
|
||||||
|
Content-Type: text/html; charset=iso-8859-1
|
||||||
|
Content-Length: 29
|
||||||
|
WWW-Authenticate: Digest realm="testrealm", nonce="7"
|
||||||
|
|
||||||
This is a bad password page!
|
This is a bad password page!
|
||||||
HTTP/1.1 200 Things are fine in server land (2)
|
HTTP/1.1 200 Things are fine in server land (2)
|
||||||
Server: Microsoft-IIS/5.0
|
Server: Microsoft-IIS/5.0
|
||||||
@ -222,6 +229,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2
|
|||||||
Host: %HOSTIP:%HTTPPORT
|
Host: %HOSTIP:%HTTPPORT
|
||||||
Accept: */*
|
Accept: */*
|
||||||
|
|
||||||
|
GET /20270400 HTTP/1.1
|
||||||
|
Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20270400", response="f5906785511fb60a2af8b1cd53008ead"
|
||||||
|
Host: %HOSTIP:%HTTPPORT
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
GET /20270500 HTTP/1.1
|
GET /20270500 HTTP/1.1
|
||||||
Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20270500", response="8ef4d935fd964a46c3965c0863b52cf1"
|
Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20270500", response="8ef4d935fd964a46c3965c0863b52cf1"
|
||||||
Host: %HOSTIP:%HTTPPORT
|
Host: %HOSTIP:%HTTPPORT
|
||||||
|
@ -13,6 +13,18 @@ HTTP NTLM auth
|
|||||||
<!-- Alternate the order that Digest and NTLM headers appear in responses to
|
<!-- Alternate the order that Digest and NTLM headers appear in responses to
|
||||||
ensure that the order doesn't matter. -->
|
ensure that the order doesn't matter. -->
|
||||||
|
|
||||||
|
<!--
|
||||||
|
|
||||||
|
Explanation for the duplicate 400 requests:
|
||||||
|
|
||||||
|
libcurl doesn't detect that a given Digest password is wrong already on the
|
||||||
|
first 401 response (as the data400 gives). libcurl will instead consider the
|
||||||
|
new response just as a duplicate and it sends another and detects the auth
|
||||||
|
problem on the second 401 response!
|
||||||
|
|
||||||
|
-->
|
||||||
|
|
||||||
|
|
||||||
<!-- First request has NTLM auth, wrong password -->
|
<!-- First request has NTLM auth, wrong password -->
|
||||||
<data100>
|
<data100>
|
||||||
HTTP/1.1 401 Need Digest or NTLM auth
|
HTTP/1.1 401 Need Digest or NTLM auth
|
||||||
@ -186,6 +198,13 @@ Content-Length: 29
|
|||||||
WWW-Authenticate: NTLM
|
WWW-Authenticate: NTLM
|
||||||
WWW-Authenticate: Digest realm="testrealm", nonce="7"
|
WWW-Authenticate: Digest realm="testrealm", nonce="7"
|
||||||
|
|
||||||
|
HTTP/1.1 401 Sorry wrong password (3)
|
||||||
|
Server: Microsoft-IIS/5.0
|
||||||
|
Content-Type: text/html; charset=iso-8859-1
|
||||||
|
Content-Length: 29
|
||||||
|
WWW-Authenticate: NTLM
|
||||||
|
WWW-Authenticate: Digest realm="testrealm", nonce="7"
|
||||||
|
|
||||||
This is a bad password page!
|
This is a bad password page!
|
||||||
HTTP/1.1 200 Things are fine in server land (2)
|
HTTP/1.1 200 Things are fine in server land (2)
|
||||||
Server: Microsoft-IIS/5.0
|
Server: Microsoft-IIS/5.0
|
||||||
@ -259,6 +278,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2
|
|||||||
Host: %HOSTIP:%HTTPPORT
|
Host: %HOSTIP:%HTTPPORT
|
||||||
Accept: */*
|
Accept: */*
|
||||||
|
|
||||||
|
GET /20300400 HTTP/1.1
|
||||||
|
Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20300400", response="d6262e9147db08c62ff2f53b515861e8"
|
||||||
|
Host: %HOSTIP:%HTTPPORT
|
||||||
|
Accept: */*
|
||||||
|
|
||||||
GET /20300500 HTTP/1.1
|
GET /20300500 HTTP/1.1
|
||||||
Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20300500", response="198757e61163a779cf24ed4c49c1ad7d"
|
Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20300500", response="198757e61163a779cf24ed4c49c1ad7d"
|
||||||
Host: %HOSTIP:%HTTPPORT
|
Host: %HOSTIP:%HTTPPORT
|
||||||
|
Loading…
Reference in New Issue
Block a user