curl-library

PUT with digest auth, sends HEAD #1054859

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Wed, 27 Oct 2004 11:21:23 +0200 (CEST)

Hello

It is time again. Time to once again scratch our heads and figure out the most
appropriate behaviour when doing multi-pass authentication and PUT/POST.

This time Grant Murray hit a problem and filed bug report #1054859 [1].

To be honest, I never thought doing a HEAD was a very good idea for PUTs,
since the URL identifies a new resource and thus servers might do just as
Grant's does: it says "no such file", even though we're not authenticated.
While it seems like a mild information leak to me, we need to deal with this.

Previously (in the version that works for Grant), curl did a PUT with no
content-length first just to trigger the auth negotiation and once settled, we
did the real post. This didn't work either all over since doing a PUT with no
Content-Length is frowned upon by several servers.

Now what? We want to avoid having to send the whole file twice. I _think_ the
HEAD approach can still be used for POST since the URL exists already before
the POST then, but we obviously need a new approach for PUT.

Also remember that we cannot disconnect to cancel the initial PUT prematurely,
since we want to support NTLM too and that authenticates _connections_.

[1] = http://sourceforge.net/tracker/index.php?func=detail&aid=1054859&group_id=976&atid=100976

-- 
      Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
       Dedicated custom curl help for hire: http://haxx.se/curl.html
Received on 2004-10-27
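
Added example (not part of the original mail, and not curl code): a constructed Python model of the failure described in the message, where a server that looks up the resource before checking credentials answers the HEAD probe for a not-yet-existing PUT target with no challenge, so negotiation never starts. The handler names, paths, status codes and nonce are assumptions made for illustration.

```python
# Constructed model, not curl or any real server: two orderings of the
# credential check and the resource lookup for a protected upload area.
EXISTING = {"/upload/old.txt"}  # constructed sample resource
CHALLENGE = 'Digest realm="example", nonce="constructed-nonce"'


def _store(method, path):
    """Status for an authorized request (201 when PUT creates a new resource)."""
    if method in ("HEAD", "GET") and path not in EXISTING:
        return 404, {}
    return (201 if method == "PUT" and path not in EXISTING else 200), {}


def existence_first(method, path, authorized):
    """Resource lookup happens before the credential check (as in the report)."""
    if method in ("HEAD", "GET") and path not in EXISTING:
        return 404, {}  # "no such file", sent without any challenge
    if not authorized:
        return 401, {"WWW-Authenticate": CHALLENGE}
    return _store(method, path)


def auth_first(method, path, authorized):
    """Credential check happens before anything about the resource is revealed."""
    if not authorized:
        return 401, {"WWW-Authenticate": CHALLENGE}
    return _store(method, path)


def probe_then_put(server, path):
    """Client flow from the mail: HEAD to trigger auth, then one real PUT."""
    trace = []
    status, _ = server("HEAD", path, False)
    trace.append(("HEAD", status))
    if status != 401:
        return trace  # no challenge arrived, so the PUT is never sent
    # Computing the Digest response is modelled as authorized=True.
    status, _ = server("PUT", path, True)
    trace.append(("PUT", status))
    return trace


def leaks_existence(server):
    """True if an unauthenticated HEAD tells existing and missing paths apart."""
    seen = server("HEAD", "/upload/old.txt", False)[0]
    missing = server("HEAD", "/upload/new.txt", False)[0]
    return seen != missing
```
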