Hello curl-users,

While upgrading an admittedly ancient installation from 7.18.0 to 7.34.0, I discovered that a number of our scripts which use SPNEGO (+ Kerberos) authentication broke. Specifically, this no longer works:

curl --negotiate -u : http://internal.server.name/resource

However, it works if a non-empty username/password is specified:
curl --negotiate -u ignored:ignored http://internal.server.name/resource

I wouldn’t even bother mentioning this (and just go fix our scripts), except that the -u : workaround is mentioned in a few other (archived) posts, so I thought I’d raise a flag here in case the maintainers are interested.

The commit which broke this is the refactoring of the username/password parsing into parse_login_details:
bb20989a6384f95a73fd68b0e109fc860e0c7a57

Specifically, the refactored code checks to see if username/password are also non-empty and sets up some connection flags. Obviously, it fails when we pass in "-u :".

The patch below fixes this, but I’m not sure if it breaks anything else (specifically, if username/password are empty, it now sets user_passwd in the ConnectBits struct).

% git diff curl/lib/url.c
diff --git a/curl/lib/url.c b/curl/lib/url.c
index 7ba4969..8efc8ae 100644
--- a/curl/lib/url.c
+++ b/curl/lib/url.c
@@ -4531,14 +4531,14 @@ static CURLcode parse_login_details(const char *login, const size_t len,
                                  (size_t)(login + len - osep)) - 1 : 0);

   /* Allocate the user portion buffer */
- if(userp && ulen) {
+ if(userp) {
     ubuf = malloc(ulen + 1);
     if(!ubuf)
       result = CURLE_OUT_OF_MEMORY;
   }

   /* Allocate the password portion buffer */
- if(!result && passwdp && plen) {
+ if(!result && passwdp) {
     pbuf = malloc(plen + 1);
     if(!pbuf)
       result = CURLE_OUT_OF_MEMORY;
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-01-29