cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: user:password inside URL

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 3 Oct 2003 15:42:24 +0200 (CEST)

On Tue, 30 Sep 2003, David Byron wrote:

> It seems there are two choices for providing user name and password
> information:
>
> (1) embedded in the URL like http://user:password@host:port
> (2) with --user
>
> There's a big note in docs/MANUAL that (1) doesn't work when using a proxy.
> I'm curious as to why since curl seems to be doing the parsing anyway and it
> seems like curl could make the bytes on the wire appear the same whether (1)
> or (2) was used.

I agree. I think that if this is still true, it could easily be fixed and then
both ways should work fine in all cases.

> In any case, (2) worked fine for me using https, -k, --ntlm, both with and
> without --proxy. However, (1) didn't work for me even without --proxy, like
> this:
>
> $ curl -k "https://user:password@host/path" --trace trace2.out --ntlm
> Error: Access is Denied.
> $ echo $?
> 0

This definitly looks like a bug. I'll try to write up a test case for this and
make sure it behaves the same way as with --user... It may take a little while
though.

> or with --fail, I get:
> $ curl -k "https://user:password@host/path" --trace trace2.out --ntlm --fail
> curl: (22) The requested URL returned error: 401
> $ echo $?
> 22

--fail doesn't work with NTLM authentication. I've added a note about this in
the KNOWN_BUGS document. Fixing this is not as straight-forward as it may
sound.

> In both cases I get a 401 error from the server after the first GET. In the
> case that works (with --user), the second GET works. I'm a bit nervous
> about sending the whole trace to folks as it contains some sensitive
> information.

I don't think showing the trace will help us very much. I think we better make
an attempt to repeat the problem first and see where that leads us.

> - Should MANUAL say something more restrictive about when embedding user and
> password info in the URL works?

Only if we can't fix this, or as a temporary note until we fix it.

> - Is there some way to may the embedded user and password work all the time,
> even with proxies, https, -k (or not), etc.?

We should make the code support this.

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf

Received on 2003-10-03

This message: [ Message body ]
Next message: Daniel Stenberg: "Re: SSL transport failure during handshake"
Previous message: Daniel Stenberg: "Re: curl_hash_clean_with_criterium"
In reply to: David Byron: "user:password inside URL"
Next in thread: Roth, Kevin P.: "RE: user:password inside URL"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]