From be9c873a6e97423bc0b2a2dd45835c35c7d81231 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 20 Oct 2005 20:07:32 +0000 Subject: [PATCH] Dave Dribin made libcurl understand and handle cases when the server (wrongly) sends *two* WWW-Authenticate headers for Digest. While this should never happen in a sane world, libcurl previously got into an infinite loop when this occurred. Dave added test 273 to verify this. --- CHANGES | 5 +++ RELEASE-NOTES | 1 + lib/http.c | 25 ++++++++------ tests/data/Makefile.am | 2 +- tests/data/test273 | 76 ++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 98 insertions(+), 11 deletions(-) create mode 100644 tests/data/test273 diff --git a/CHANGES b/CHANGES index 2c5b455c2..7ec9b1460 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,11 @@ Daniel (20 October 2005) +- Dave Dribin made libcurl understand and handle cases when the server + (wrongly) sends *two* WWW-Authenticate headers for Digest. While this should + never happen in a sane world, libcurl previously got into an infinite loop + when this occurred. Dave added test 273 to verify this. + - Temprimus improved the MSVC makefile: "makes a build option available so if you set rtlibcfg=static for the make, then it would build with /MT. The default behaviour is /MD (the original)." diff --git a/RELEASE-NOTES b/RELEASE-NOTES index cded82901..4c801f9a7 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -15,6 +15,7 @@ This release includes the following changes: This release includes the following bugfixes: + o double WWW-Authenticate Digest headers are now handled o curl-config --vernum fixed Other curl-related news since the previous public release: diff --git a/lib/http.c b/lib/http.c index f46c1585a..fe06c7dc7 100644 --- a/lib/http.c +++ b/lib/http.c 
@@ -621,18 +621,23 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
 #endif
 #ifndef CURL_DISABLE_CRYPTO_AUTH
 if(checkprefix("Digest", start)) {
- CURLdigest dig;
- *availp |= CURLAUTH_DIGEST;
- authp->avail |= CURLAUTH_DIGEST;
+ if((authp->avail & CURLAUTH_DIGEST) != 0) {
+ infof(data, "Ignoring duplicate digest auth header.\n");
+ }
+ else {
+ CURLdigest dig;
+ *availp |= CURLAUTH_DIGEST;
+ authp->avail |= CURLAUTH_DIGEST;
- /* We call this function on input Digest headers even if Digest
- * authentication isn't activated yet, as we need to store the
- * incoming data from this header in case we are gonna use Digest. */
- dig = Curl_input_digest(conn, (bool)(httpcode == 407), start);
+ /* We call this function on input Digest headers even if Digest
+ * authentication isn't activated yet, as we need to store the
+ * incoming data from this header in case we are gonna use Digest. */
+ dig = Curl_input_digest(conn, (bool)(httpcode == 407), start);
- if(CURLDIGEST_FINE != dig) {
- infof(data, "Authentication problem. Ignoring this.\n");
- data->state.authproblem = TRUE;
+ if(CURLDIGEST_FINE != dig) {
+ infof(data, "Authentication problem. Ignoring this.\n");
+ data->state.authproblem = TRUE;
+ }
 }
 }
 else
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index ad13b139b..5b646ddf9 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -33,4 +33,4 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46 \
 test237 test238 test239 test243 test245 test246 test247 test248 test249 \
 test250 test251 test252 test253 test254 test255 test521 test522 test523 \
 test256 test257 test258 test259 test260 test261 test262 test263 test264 \
- test265 test266 test267 test268 test269 test270 test271 test272
+ test265 test266 test267 test268 test269 test270 test271 test272 test273
diff --git a/tests/data/test273 b/tests/data/test273
new file mode 100644
index 000000000..dbc8f8429
--- /dev/null
+++ b/tests/data/test273
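Review bot: The duplicate test at `if((authp->avail & CURLAUTH_DIGEST) != 0)` keys only on the scheme bit, so every second Digest challenge in a response is dropped, including one whose realm, nonce or qop differ from the first; the first header parsed silently wins. That is a reasonable way to stop the loop, but the choice should be stated at the check, e.g. `/* Only the first Digest challenge in a response is used. A second one, whether an exact duplicate or one with different parameters, is ignored so that Curl_input_digest sees one challenge per response. */`. The check also relies on `authp->avail` having been cleared before this response's headers are parsed; that reset is outside the hunk, and if it does not happen a genuine new challenge on a later 401 (a stale-nonce re-challenge, for instance) would be discarded as a duplicate as well. Curl_http_input_auth begins before and ends after this hunk.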
@@ -0,0 +1,76 @@ + + +HTTP +HTTP GET +HTTP Digest auth + + +# Server-side + + +HTTP/1.1 401 Authorization Required swsclose +Server: Apache/1.3.27 (Darwin) PHP/4.1.2 +WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" +WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" +Content-Type: text/html; charset=iso-8859-1 + +This is not the real page + + +# This is supposed to be returned when the server gets a +# Authorization: Digest line passed-in from the client + +HTTP/1.1 200 OK swsclose +Server: Apache/1.3.27 (Darwin) PHP/4.1.2 +Content-Type: text/html; charset=iso-8859-1 + +This IS the real page! + + + +HTTP/1.1 401 Authorization Required swsclose +Server: Apache/1.3.27 (Darwin) PHP/4.1.2 +WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" +WWW-Authenticate: Digest realm="testrealm", nonce="1053604145" +Content-Type: text/html; charset=iso-8859-1 + +HTTP/1.1 200 OK swsclose +Server: Apache/1.3.27 (Darwin) PHP/4.1.2 +Content-Type: text/html; charset=iso-8859-1 + +This IS the real page! + + + + +# Client-side + + +http + + +HTTP with two Digest authorization headers + + +http://%HOSTIP:%HTTPPORT/273 -u testuser:testpass --digest + + + +# Verify data after the test has been "shot" + + +^User-Agent:.* + + +GET /273 HTTP/1.1 +Host: 127.0.0.1:%HTTPPORT +Accept: */* + +GET /273 HTTP/1.1 +Authorization: Digest username="testuser", realm="testrealm", nonce="1053604145", uri="/273", response="576ae57b1db0039f8c0de43ef58e49e3" +User-Agent: curl/7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7a ipv6 zlib/1.1.3 +Host: 127.0.0.1:%HTTPPORT +Accept: */* + + +