On Fri, 14 Mar 2014, Dan Fandrich wrote:

> I can confirm this, and it does seem a bit odd, but it does appear to be
> intentional; test 176 confirms this. If NTLM is truly required then the
> server will ignore the initial POST and respond with an NTLM handshake, so
> this 0-byte post will be ignored. But, if the server doesn't actually
> require authentication, then the server will act on this 0 byte post and
> could perform some undesired action. What probably should happen is
> something similar to what happens if --anyauth is used in place of --ntlm;
> curl sends a Expect: 100-continue instead of a 0 byte request (like test
> 155).

Correct, it is made on purpose. If you explicitly ask for NTLM, you probably
do that because you know the server requires it and then you most often prefer
not having to send a (potentially huge) POST body twice. The first time would
only be discarded by the server anyway.

This is also due to NTLM authenticating a *connection* and not a request like
other auth mechanisms.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html