moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-12 04:25:08 -05:00
Code Issues Releases Wiki Activity

test 2027/2030: take duplicate Digest requests into account

Browse Source 
With the reversion of ce8311c7e4 and the new clear logic, this flaw
is present and we allow it.
This commit is contained in:
Daniel Stenberg 2012-11-05 23:58:31 +01:00
parent 13ce9031cc
commit 8d97bed806
2 changed files with 46 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
tests/data/test2027
View File

@ -9,6 +9,17 @@ HTTP Digest auth
# Server-side # Server-side
<reply> <reply>
<!--
Explanation for the duplicate 400 requests:
libcurl doesn't detect that a given Digest password is wrong already on the
first 401 response (as the data400 gives). libcurl will instead consider the
new response just as a duplicate and it sends another and detects the auth
problem on the second 401 response!
-->
<!-- First request has Digest auth, wrong password --> <!-- First request has Digest auth, wrong password -->
<data100> <data100>
HTTP/1.1 401 Need Digest auth HTTP/1.1 401 Need Digest auth
@ -93,16 +104,6 @@ This is a bad password page!
</data1400> </data1400>
<!-- Fifth request has Digest auth, right password --> <!-- Fifth request has Digest auth, right password -->
<data500>
HTTP/1.1 401 Need Digest auth (5)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27
WWW-Authenticate: Digest realm="testrealm", nonce="8"
This is not the real page!
</data500>
<data1500> <data1500>
HTTP/1.1 200 Things are fine in server land (2) HTTP/1.1 200 Things are fine in server land (2)
Server: Microsoft-IIS/5.0 Server: Microsoft-IIS/5.0
@ -151,6 +152,12 @@ Content-Type: text/html; charset=iso-8859-1
Content-Length: 29 Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="7" WWW-Authenticate: Digest realm="testrealm", nonce="7"
HTTP/1.1 401 Sorry wrong password (3)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="7"
This is a bad password page! This is a bad password page!
HTTP/1.1 200 Things are fine in server land (2) HTTP/1.1 200 Things are fine in server land (2)
Server: Microsoft-IIS/5.0 Server: Microsoft-IIS/5.0
@ -222,6 +229,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2
Host: %HOSTIP:%HTTPPORT Host: %HOSTIP:%HTTPPORT
Accept: */* Accept: */*
GET /20270400 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20270400", response="f5906785511fb60a2af8b1cd53008ead"
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20270500 HTTP/1.1 GET /20270500 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20270500", response="8ef4d935fd964a46c3965c0863b52cf1" Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20270500", response="8ef4d935fd964a46c3965c0863b52cf1"
Host: %HOSTIP:%HTTPPORT Host: %HOSTIP:%HTTPPORT

24
tests/data/test2030
View File

@ -13,6 +13,18 @@ HTTP NTLM auth
<!-- Alternate the order that Digest and NTLM headers appear in responses to <!-- Alternate the order that Digest and NTLM headers appear in responses to
ensure that the order doesn't matter. --> ensure that the order doesn't matter. -->
<!--
Explanation for the duplicate 400 requests:
libcurl doesn't detect that a given Digest password is wrong already on the
first 401 response (as the data400 gives). libcurl will instead consider the
new response just as a duplicate and it sends another and detects the auth
problem on the second 401 response!
-->
<!-- First request has NTLM auth, wrong password --> <!-- First request has NTLM auth, wrong password -->
<data100> <data100>
HTTP/1.1 401 Need Digest or NTLM auth HTTP/1.1 401 Need Digest or NTLM auth
@ -186,6 +198,13 @@ Content-Length: 29
WWW-Authenticate: NTLM WWW-Authenticate: NTLM
WWW-Authenticate: Digest realm="testrealm", nonce="7" WWW-Authenticate: Digest realm="testrealm", nonce="7"
HTTP/1.1 401 Sorry wrong password (3)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: NTLM
WWW-Authenticate: Digest realm="testrealm", nonce="7"
This is a bad password page! This is a bad password page!
HTTP/1.1 200 Things are fine in server land (2) HTTP/1.1 200 Things are fine in server land (2)
Server: Microsoft-IIS/5.0 Server: Microsoft-IIS/5.0
@ -259,6 +278,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2
Host: %HOSTIP:%HTTPPORT Host: %HOSTIP:%HTTPPORT
Accept: */* Accept: */*
GET /20300400 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20300400", response="d6262e9147db08c62ff2f53b515861e8"
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20300500 HTTP/1.1 GET /20300500 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20300500", response="198757e61163a779cf24ed4c49c1ad7d" Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20300500", response="198757e61163a779cf24ed4c49c1ad7d"
Host: %HOSTIP:%HTTPPORT Host: %HOSTIP:%HTTPPORT