curl-users

RE: user:password inside URL

From: David Byron <DByron_at_everdreamcorp.com>
Date: Fri, 3 Oct 2003 09:32:48 -0700

> On Tue, 30 Sep 2003, David Byron wrote:
>
> > It seems there are two choices for providing user name and
> > password information:
> >
> > (1) embedded in the URL like http://user:password@host:port
> > (2) with --user
> >
> > There's a big note in docs/MANUAL that (1) doesn't work when
> > using a proxy. I'm curious as to why since curl seems to be
> > doing the parsing anyway and it seems like curl could make
> > the bytes on the wire appear the same whether (1) or (2) was
> > used.
>
> I agree. I think that if this is still true, it could easily
> be fixed and then both ways should work fine in all cases.

Great.

> > In any case, (2) worked fine for me using https, -k, --ntlm,
> > both with and without --proxy. However, (1) didn't work for
> > me even without --proxy, like this:
> >
> > $ curl -k "https://user:password@host/path" --trace trace2.out --ntlm
> > Error: Access is Denied.
> > $ echo $?
> > 0
>
> This definitely looks like a bug. I'll try to write up a test
> case for this and make sure it behaves the same way as with
> --user... It may take a little while though.

Thank you.

> > or with --fail, I get:
> >
> > $ curl -k "https://user:password@host/path" --trace trace2.out --ntlm --fail
> > curl: (22) The requested URL returned error: 401
> > $ echo $?
> > 22
>
> --fail doesn't work with NTLM authentication. I've added a
> note about this in the KNOWN_BUGS document. Fixing this is
> not as straight-forward as it may sound.

This part is a little scary. I looked in docs/KNOWN_BUGS in cvs and didn't
see anything about it in rev 1.12. Can you elaborate?

I have a feeling this may move near the top of my list. Can you provide any
pointers for getting started on a fix, or should I just dive in and see what
I can see?

> > - Is there some way to make the embedded user and password
> > work all the time, even with proxies, https, -k (or not),
> > etc.?
>
> We should make the code support this.

If I'm doing the above, perhaps I can do this as well. I took a brief look
at url.c and it seemed like the fix would involve only changing that file.
Do you agree?

Thanks much.

-DB

Received on 2003-10-03