curl-library

Re: [BUG] CURLOPT_HTTPAUTH + CURLAUTH_DIGEST + CURLOPT_USERPWD = broken http request

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Tue, 27 Jan 2004 14:18:48 +0100 (CET)

On Tue, 27 Jan 2004, root wrote:

> The problem is the following:
>
> 1) if CURLAUTH_DIGEST is used without CURLOPT_USERPWD, then a request is
> made, but, of course, it fails because the user and password are unknown ;-)

Why is this a problem?

> 2) if CURLAUTH_DIGEST is used with CURLOPT_USERPWD, then the request is
> broken: the body is empty, without the post data. So the server does not
> even reply with the nonce field...

This is what the TODO-RELEASE issue 12 is all about. I have not received
feedback that I understand on this topic just yet so there's still no fix for
this. (http://curl.haxx.se/lxr/source/TODO-RELEASE)

Why does the server require a body to be sent when the authentication isn't
done? It can't possibly accept any body yet, can it?

> 3) I can have everything right if I force conn->user & conn->passwd in
> http_digest.c, not using CURLOPT_USERPWD.
>
> So there is something very strange going on when someone tries to set
> user/passwd while using digest authentication.

In combination with HTTP POST, yes. It works fine if you use GET.

> I do not know libcurl enough to correctly locate the problem and offer a
> nice fix, I'm afraid I could break something else.

Run 'make test' in the curl build dir root. It should run some 160+ tests and
they test a majority of all use cases. If that still runs fine, you're on the
safe side.

> I've just found that:
[snip]
> then it's also okay.

Well, by chopping off your arms you won't suffer from itching hands. :-)
Seriously, those changes severely cripple libcurl from functioning and they're
not the correct way to fix this.

> I can test any fix on a server with digest authentication if needed,
> however I can not provide credentials to someone else since the server is
> not mine.
>
> However it is very easy to test the problem with any URL, even one that does
> not exist, since one can see that the request is really broken when both
> options are activated.

Why is the request broken? What does the server expect to get POSTed before
the authentication is done?

-- 
    Daniel Stenberg -- http://curl.haxx.se/ -- http://daniel.haxx.se/
   [[ Do not send mails to this email address. They won't reach me. ]]
Received on 2004-01-27
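
The exchange the questions in this mail assume, as an added example that is not part of the original mail and is not libcurl code: a Digest client (RFC 2617, qop=auth, MD5) sends its first POST without a body, receives the 401 challenge carrying the nonce, and only then sends the body together with the computed response. The realm, nonce, account and all function names are constructed for the illustration, and the server is modelled as a plain function.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri, nc, cnonce):
    """RFC 2617 request-digest for qop=auth with the MD5 algorithm."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def parse_params(value):
    """Split the key="value" / key=value pairs of a Digest header value."""
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', value)
    return {k: v.strip('"') for k, v in pairs}

# Constructed server state for the illustration (not from the thread).
REALM, NONCE, USERS = "example", "constructed-nonce-0001", {"alice": "s3cret"}

def server(method, uri, headers, body):
    """Return (status, headers, body bytes accepted); challenge if unauthenticated."""
    p = parse_params(headers.get("Authorization", "")[len("Digest "):])
    password = USERS.get(p.get("username"))
    if password is not None and p.get("nonce") == NONCE and p.get("uri") == uri:
        want = digest_response(p["username"], password, REALM, NONCE,
                               method, uri, p.get("nc", ""), p.get("cnonce", ""))
        if hmac.compare_digest(want, p.get("response", "")):
            return 200, {}, len(body)
    challenge = f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"'
    return 401, {"WWW-Authenticate": challenge}, 0

def client_post(uri, user, password, body):
    """POST with Digest: a body-less first request, then the authenticated one."""
    log = []
    status, hdrs, accepted = server("POST", uri, {}, b"")  # no credentials yet
    log.append((status, accepted))
    c = parse_params(hdrs["WWW-Authenticate"][len("Digest "):])
    nc, cnonce = "00000001", "constructed-cnonce"
    resp = digest_response(user, password, c["realm"], c["nonce"],
                           "POST", uri, nc, cnonce)
    auth = (f'Digest username="{user}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')
    status, _, accepted = server("POST", uri, {"Authorization": auth}, body)
    log.append((status, accepted))
    return log
```

The modelled server issues the challenge whether or not the first request carries a body, which is the behaviour the mail expects of a Digest server.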