curl-library
Re: Double WWW-Authenticate headers for Digest
Date: Tue, 18 Oct 2005 16:19:12 -0500
On Oct 17, 2005, at 3:53 PM, Daniel Stenberg wrote:
> I think the fix would involve detecting that it is a second header
> within the same response. The current logic is written and assumes
> that the second header is from the _next_ response.
Okay, I'm attaching a patch that tries to do this. In http.c, if the
prefix is "Digest" and authp->avail already has CURLAUTH_DIGEST set,
then this header is ignored (i.e. Curl_input_digest() is not called),
and this situation is logged. The patch includes a test case (test
273), too.
> Thinking about it, I think fixing this in the generic code would make
> sense - as otherwise, as you say, you (the server) can easily "fool"
> libcurl to behave silly by sending it stupid headers. Adding code for
> this would make it more robust.
Okay, well my fix just protects against duplicate WWW-Authenticate for
digest auth, only. Other authorization types still behave the same
way.
-Dave
- application/octet-stream attachment: double_digest.patch
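
The check described in this message, sketched as an added example (it is not the attached patch and not libcurl's code): a per-response bitmask records that a Digest challenge was already seen, so a second one in the same response is skipped and logged, while a challenge arriving in the next response is still processed. The struct, the function names and the bit value are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AUTH_DIGEST (1u << 1)  /* hypothetical bit, not libcurl's value */

struct auth_state {
    unsigned avail;    /* schemes already offered in the current response */
    char digest[128];  /* parameters of the first Digest challenge */
    int ignored;       /* duplicate Digest headers skipped so far */
};

/* Case-insensitive prefix match; returns the text after the prefix or NULL. */
static const char *skip_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return NULL;
    return s;
}

/* Call once per response, so a challenge in the next response still counts. */
static void auth_new_response(struct auth_state *st)
{
    st->avail = 0;
    st->digest[0] = '\0';
}

/* Returns 1 if a Digest challenge was taken, -1 if it was an ignored
   duplicate within the same response, 0 for any other header. */
static int auth_on_header(struct auth_state *st, const char *line)
{
    const char *params, *p = skip_ci(line, "WWW-Authenticate:");
    if (!p)
        return 0;
    while (*p == ' ' || *p == '\t')
        p++;
    if ((params = skip_ci(p, "Digest")) != NULL) {
        if (st->avail & AUTH_DIGEST) {  /* second Digest, same response */
            st->ignored++;
            fprintf(stderr, "ignoring duplicate Digest challenge\n");
            return -1;
        }
        st->avail |= AUTH_DIGEST;
        snprintf(st->digest, sizeof st->digest, "%s", params);
        return 1;
    }
    return 0;  /* other schemes are not deduplicated here */
}
```

The caller zero-initialises `struct auth_state` once and calls `auth_new_response()` before feeding each response's header lines to `auth_on_header()`.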