Curl_http_input_auth: handle multiple auths in WWW-Authenticate

The fix is pretty much the one Nick Zitzmann provided, just edited to do the right indent levels and with test case 1204 added to verify the fix. Bug: http://curl.haxx.se/mail/lib-2011-10/0190.html Reported by: Nick Zitzmann
2024-12-21 23:58:49 -05:00 · 2011-10-20 13:05:09 +02:00 · 2011-10-20 13:05:09 +02:00 · ff0a295cdb
commit ff0a295cdb
parent 4fa0166173
3 changed files with 179 additions and 89 deletions
--- a/lib/http.c
+++ b/lib/http.c
@ -731,6 +731,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
   *
   */

+  while(*start) {
 #ifdef USE_HTTP_NEGOTIATE
    if(checkprefix("GSS-Negotiate", start) ||
       checkprefix("Negotiate", start)) {
@ -739,8 +740,8 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
      authp->avail |= CURLAUTH_GSSNEGOTIATE;

      if(data->state.negotiate.state == GSS_AUTHSENT) {
-      /* if we sent GSS authentication in the outgoing request and we get this
-         back, we're in trouble */
+        /* if we sent GSS authentication in the outgoing request and we get
+           this back, we're in trouble */
        infof(data, "Authentication problem. Ignoring this.\n");
        data->state.authproblem = TRUE;
      }
@ -816,7 +817,8 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,

            /* We call this function on input Digest headers even if Digest
             * authentication isn't activated yet, as we need to store the
-           * incoming data from this header in case we are gonna use Digest. */
+             * incoming data from this header in case we are gonna use
+             * Digest. */
            dig = Curl_input_digest(conn, (httpcode == 407)?TRUE:FALSE, start);

            if(CURLDIGEST_FINE != dig) {
@ -840,6 +842,14 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
            }
          }

+    /* there may be multiple methods on one line, so keep reading */
+    while(*start && *start != ',') /* read up to the next comma */
+      start++;
+    if(*start == ',') /* if we're on a comma, skip it */
+      start++;
+    while(*start && ISSPACE(*start))
+      start++;
+  }
  return CURLE_OK;
 }

--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -73,8 +73,9 @@ test1094 test1095 test1096 test1097 test1098 test1099 test1100 test1101	\
 test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109	\
 test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\
 test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\
-test1126 test1127 test1128 test1129 test1130 test1131 test1200 test1201	\
-test1202 test1203 test1300 test1301 test1302 test1303 test1304 test1305	\
+test1126 test1127 test1128 test1129 test1130 test1131 \
+test1200 test1201 test1202 test1203 test1204 \
+test1300 test1301 test1302 test1303 test1304 test1305	\
 test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
 test1314 \
 test2000 test2001 test2002 test2003 test2004
--- a/tests/data/test1204
+++ b/tests/data/test1204
@ -0,0 +1,79 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+HTTP Basic auth
+--anyauth
+</keywords>
+</info>
+# Server-side
+<reply>
+<data>
+HTTP/1.1 401 Authorization Required swsbounce
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="fun fun  fun"
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 26
+
+This is not the real page
+</data>
+
+# This is supposed to be returned when the server gets the second request
+<data1>
+HTTP/1.1 200 OK
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+
+This IS the real page!
+</data1>
+
+<datacheck>
+HTTP/1.1 401 Authorization Required swsbounce
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="fun fun  fun"
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 26
+
+HTTP/1.1 200 OK
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+
+This IS the real page!
+</datacheck>
+
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP with WWW-Authenticate and multiple auths in a single line
+ </name>
+ <command>
+http://%HOSTIP:%HTTPPORT/1204 -u testuser:testpass --anyauth
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /1204 HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+GET /1204 HTTP/1.1
+Authorization: Basic dGVzdHVzZXI6dGVzdHBhc3M=
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+</protocol>
+</verify>
+</testcase>