Dave Dribin made libcurl understand and handle cases when the server

(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
never happen in a sane world, libcurl previously got into an infinite loop
when this occurred. Dave added test 273 to verify this.
This commit is contained in:
Daniel Stenberg 2005-10-20 20:07:32 +00:00
parent 034d80f6cd
commit be9c873a6e
5 changed files with 98 additions and 11 deletions

View File

@ -9,6 +9,11 @@
Daniel (20 October 2005)
- Dave Dribin made libcurl understand and handle cases when the server
(wrongly) sends *two* WWW-Authenticate headers for Digest. While this should
never happen in a sane world, libcurl previously got into an infinite loop
when this occurred. Dave added test 273 to verify this.
- Temprimus improved the MSVC makefile: "makes a build option available so if
you set rtlibcfg=static for the make, then it would build with /MT. The
default behaviour is /MD (the original)."

View File

@ -15,6 +15,7 @@ This release includes the following changes:
This release includes the following bugfixes:
o double WWW-Authenticate Digest headers are now handled
o curl-config --vernum fixed
Other curl-related news since the previous public release:

View File

@ -621,18 +621,23 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
#endif
#ifndef CURL_DISABLE_CRYPTO_AUTH
if(checkprefix("Digest", start)) {
CURLdigest dig;
*availp |= CURLAUTH_DIGEST;
authp->avail |= CURLAUTH_DIGEST;
if((authp->avail & CURLAUTH_DIGEST) != 0) {
infof(data, "Ignoring duplicate digest auth header.\n");
}
else {
CURLdigest dig;
*availp |= CURLAUTH_DIGEST;
authp->avail |= CURLAUTH_DIGEST;
/* We call this function on input Digest headers even if Digest
* authentication isn't activated yet, as we need to store the
* incoming data from this header in case we are gonna use Digest. */
dig = Curl_input_digest(conn, (bool)(httpcode == 407), start);
/* We call this function on input Digest headers even if Digest
* authentication isn't activated yet, as we need to store the
* incoming data from this header in case we are gonna use Digest. */
dig = Curl_input_digest(conn, (bool)(httpcode == 407), start);
if(CURLDIGEST_FINE != dig) {
infof(data, "Authentication problem. Ignoring this.\n");
data->state.authproblem = TRUE;
if(CURLDIGEST_FINE != dig) {
infof(data, "Authentication problem. Ignoring this.\n");
data->state.authproblem = TRUE;
}
}
}
else

View File

@ -33,4 +33,4 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46 \
test237 test238 test239 test243 test245 test246 test247 test248 test249 \
test250 test251 test252 test253 test254 test255 test521 test522 test523 \
test256 test257 test258 test259 test260 test261 test262 test263 test264 \
test265 test266 test267 test268 test269 test270 test271 test272
test265 test266 test267 test268 test269 test270 test271 test272 test273

76
tests/data/test273 Normal file
View File

@ -0,0 +1,76 @@
<info>
<keywords>
HTTP
HTTP GET
HTTP Digest auth
</keywords>
</info>
# Server-side
<reply>
<data>
HTTP/1.1 401 Authorization Required swsclose
Server: Apache/1.3.27 (Darwin) PHP/4.1.2
WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
Content-Type: text/html; charset=iso-8859-1
This is not the real page
</data>
# This is supposed to be returned when the server gets a
# Authorization: Digest line passed-in from the client
<data1000>
HTTP/1.1 200 OK swsclose
Server: Apache/1.3.27 (Darwin) PHP/4.1.2
Content-Type: text/html; charset=iso-8859-1
This IS the real page!
</data1000>
<datacheck>
HTTP/1.1 401 Authorization Required swsclose
Server: Apache/1.3.27 (Darwin) PHP/4.1.2
WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
WWW-Authenticate: Digest realm="testrealm", nonce="1053604145"
Content-Type: text/html; charset=iso-8859-1
HTTP/1.1 200 OK swsclose
Server: Apache/1.3.27 (Darwin) PHP/4.1.2
Content-Type: text/html; charset=iso-8859-1
This IS the real page!
</datacheck>
</reply>
# Client-side
<client>
<server>
http
</server>
<name>
HTTP with two Digest authorization headers
</name>
<command>
http://%HOSTIP:%HTTPPORT/273 -u testuser:testpass --digest
</command>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET /273 HTTP/1.1
Host: 127.0.0.1:%HTTPPORT
Accept: */*
GET /273 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/273", response="576ae57b1db0039f8c0de43ef58e49e3"
User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.3
Host: 127.0.0.1:%HTTPPORT
Accept: */*
</protocol>
</verify>