curl-library

Re: Double WWW-Authenticate headers for Digest

From: Daniel Stenberg <daniel-curl_at_haxx.se>
Date: Mon, 17 Oct 2005 22:53:40 +0200 (CEST)

On Mon, 17 Oct 2005, Dave Dribin wrote:

> I'm dealing with a server that is sending the WWW-Authenticate twice in the
> same response for its digest authentication. This is clearly out of spec,
> and I don't think that libcurl should support this for the general public.
> However, I would still like to use libcurl for my project, and I'm thinking
> of making private modifications to get this to work.

You know any details about the server or the specific circumstances that make
it do this? I mean, how likely is it that others will face this same issue
with a similar setup?

> So I'm soliciting some advice on how best to modify libcurl to get around
> this. Since the two headers are identical, the second header gets bonged
> because Curl gets another nonce without it being marked as stale
> (http_digest.c:189). Curl_input_digest returns CURLDIGEST_BAD, this
> essentially ignores the header, and we don't get past the 401s. Since this
> is a private fix, I'm tempted to just ignore this situation (i.e. comment
> out lines 189 and 190 in http_digest.c). This is a simple fix and it's easy
> to re-apply to future versions of libcurl. However, it causes an infinite
> loop if the credentials are bad. Maybe I should add a count to
> data->state.digest so that I can detect this situation? Or maybe I should
> deal with this in transfer.c where the headers are being parsed?

I think the fix would involve detecting that it is a second header within the
same response. The current logic is written and assumes that the second header
is from the _next_ response.

Thinking about it, I think fixing this in the generic code would make sense -
as otherwise, as you say, you (the server) can easily "fool" libcurl to behave
silly by sending it stupid headers. Adding code for this would make it more
robust.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2005-10-17
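
The per-response check suggested in the reply above, as an added example that is not libcurl's code and not written by either poster: a repeated Digest challenge is tolerated only inside the response that delivered the first one, while a fresh challenge in a later response without `stale=true` is still rejected, so bad credentials cannot cause an endless 401 loop. The names `digest_state`, `digest_input`, `get_nonce` and the `response_id` counter are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical; this is not libcurl's implementation. */
enum digest_result { DIGEST_FINE, DIGEST_BAD };
struct digest_state {
  char nonce[128];       /* nonce of the challenge being answered */
  bool have_nonce;
  unsigned long seen_in; /* id of the response that delivered it */
};

/* Simplified extraction of nonce="..."; a real parser tokenizes the header. */
static bool get_nonce(const char *hdr, char *out, size_t len)
{
  const char *p = strstr(hdr, "nonce=\"");
  const char *end = p ? strchr(p + 7, '"') : NULL;
  size_t n = end ? (size_t)(end - (p + 7)) : len;
  if(n >= len)
    return false;
  memcpy(out, p + 7, n);
  out[n] = '\0';
  return true;
}

enum digest_result digest_input(struct digest_state *d,
                                unsigned long response_id, const char *hdr)
{
  char nonce[128];
  if(!get_nonce(hdr, nonce, sizeof(nonce)))
    return DIGEST_BAD;
  /* Second header in the same response: accept only an exact repeat. */
  if(d->have_nonce && d->seen_in == response_id)
    return strcmp(d->nonce, nonce) == 0 ? DIGEST_FINE : DIGEST_BAD;
  /* A later response challenges again without stale=true (matched
     case-sensitively here): treat the credentials as rejected and stop. */
  if(d->have_nonce && !strstr(hdr, "stale=true"))
    return DIGEST_BAD;
  strcpy(d->nonce, nonce);
  d->have_nonce = true;
  d->seen_in = response_id;
  return DIGEST_FINE;
}

int main(void)
{
  struct digest_state d = {0};
  const char *h = "Digest realm=\"r\", nonce=\"abc123\""; /* constructed */
  int first = digest_input(&d, 1, h), repeat = digest_input(&d, 1, h);
  printf("first=%d repeat=%d retry=%d\n", first, repeat, digest_input(&d, 2, h));
  return 0;
}
```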