From c2b3f264cb5210f82bdc84a3b89250a611b68dd3 Mon Sep 17 00:00:00 2001 From: Marcel Raad Date: Mon, 15 Feb 2016 08:58:36 +0100 Subject: [PATCH] CONNECT_ONLY: don't close connection on GSS 401/407 reponses Previously, connections were closed immediately before the user had a chance to extract the socket when the proxy required Negotiate authentication. This regression was brought in with the security fix in commit 79b9d5f1a42578f Closes #655 --- lib/http.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/http.c b/lib/http.c index 1b1cd2235..471685001 100644 --- a/lib/http.c +++ b/lib/http.c @@ -1454,8 +1454,10 @@ CURLcode Curl_http_done(struct connectdata *conn, data->state.negotiate.state == GSS_AUTHSENT) { /* add forbid re-use if http-code != 401/407 as a WA only needed for * 401/407 that signal auth failure (empty) otherwise state will be RECV - * with current code */ - if((data->req.httpcode != 401) && (data->req.httpcode != 407)) + * with current code. + * Do not close CONNECT_ONLY connections. */ + if((data->req.httpcode != 401) && (data->req.httpcode != 407) && + !data->set.connect_only) connclose(conn, "Negotiate transfer completed"); Curl_cleanup_negotiate(data); }