curl-library

Re: patch for unordered body and header in re-authentication

From: Jari Urpalainen <jari.urpalainen_at_nokia.com>
Date: Thu, 24 Apr 2008 15:29:19 +0300

ext Daniel Stenberg wrote:
> On Thu, 24 Apr 2008, Jari Urpalainen wrote:
>
>> When re-authentication of an http request is being required by the
>> server (when a request body exists)
>
> Can you please elaborate? I suspect "re-authentication" refers to
> Digest auth here? What libcurl version on what platform is it? Any
> chance you can provide some logs or outputs etc that clarifies this
> effect somewhat more?
>
Sample debug output:

REPORT /carddav/urpalain/ HTTP/1.1
Authorization: Digest username="urpalain", realm="testing",
nonce="0YOCJ51LBAA=922c07ee05ffe1e82e43a50a397b7c422df88a49",
uri="/carddav/urpalain/", cnonce="MTIwOTAz", nc=00000006, qop="auth",
response="f1de6a8697c9e0a7e697598412957fff", algorithm="MD5"
Host: localhost
Accept: */*
Depth: 1
Content-Type: application/xml
Content-Length: 199

<C:addressbook-query xmlns:C="urn:ietf:params:xml:ns:carddav"
xmlns:D="DAV:">
  <D:prop>
    <D:getetag/>
  </D:prop>
  <C:filter>
    <C:prop-filter name="UID"/>
  </C:filter>
</C:addressbook-query>
HTTP/1.1 401 Authorization Required
Date: Thu, 24 Apr 2008 12:02:39 GMT
Server: Apache/2.2.6 (Ubuntu) DAV/2
WWW-Authenticate: Digest realm="testing",
nonce="xL3XOZ1LBAA=9cabc520a93bc1749f0f308a35067df8277933d8",
algorithm=MD5, stale=true, qop="auth"
Content-Length: 481
Content-Type: text/html; charset=iso-8859-1
 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.6 (Ubuntu) DAV/2 Server at localhost Port 80</address>
</body></html>

<C:addressbook-query xmlns:C="urn:ietf:params:xml:ns:carddav"
xmlns:D="DAV:">
  <D:prop>
    <D:getetag/>
  </D:prop>
  <C:filter>
    <C:prop-filter name="UID"/>
  </C:filter>
</C:addressbook-query>REPORT /carddav/urpalain/ HTTP/1.1
Authorization: Digest username="urpalain", realm="testing",
nonce="xL3XOZ1LBAA=9cabc520a93bc1749f0f308a35067df8277933d8",
uri="/carddav/urpalain/", cnonce="MTIwOTAz", nc=00000001, qop="auth",
response="0dcd45a5f2d0248ce844418a8f7568fb", algorithm="MD5"
Host: localhost
Accept: */*
Depth: 1
Content-Type: application/xml
Content-Length: 199

HTTP/1.1 400 Bad Request
....

Ubuntu (curl 7.16.4-2ubuntu1)

>> the re-authentication of libcurl responds with the incorrect order,
>> i.e. body is written _before_ the header information.
>
> I fail to see how this is even possible. What makes you think this is
> what happens?
Ok, I admit I don't follow the state machine indeed in Curl_readwrite
(this function is _long_) & Curl_perform etc., but it seemed that
somehow Curl_readwrite rewrites the body a second time before
add_buffer_send is called again. But I MAY really be totally wrong here
and my bug lies somewhere else, e.g. in the client itself. But anyway my
ugly fix seemed to have fixed this...

>
>> Attached a patch which at least WFM. If there's a better way to fix
>> this that's fine by me as long as this gets fixed, please ;-).
>
> Yeah, that patch will break other stuff so it's not very good.
>
Could you at least look at the boolean writedone in Curl_readwrite (if I'm not
totally blind ;-) indeed)

>> A _better_ fix would certainly include a body in the test153 or add a
>> new test with body.
>
> Yeah, a new test for that would be great!
>

thanks and sorry if I'm barking at the wrong item,
jari
Received on 2008-04-24
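
The symptom in the debug output above is a request body on the wire ahead of the second REPORT's request line; a test with a body, as suggested in the mail, could assert on the client's captured byte stream with a framing check like the one below. This is an added example, not code from the mail or from libcurl: `check_stream`, `is_request_line` and the shortened sample requests are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data: shortened stand-ins for the REPORT in the mail. */
#define HDR  "REPORT /carddav/urpalain/ HTTP/1.1\r\nHost: localhost\r\n" \
             "Content-Length: 4\r\n\r\n"
#define BODY "<q/>"
static const char GOOD[] = HDR BODY HDR BODY;  /* header, body, header, body */
static const char BAD[]  = HDR BODY BODY HDR;  /* body resent before header  */

/* "METHOD SP target SP HTTP/1.x CRLF", method in upper-case letters. */
static int is_request_line(const char *p)
{
  const char *eol = strstr(p, "\r\n");
  size_t i = 0;
  while(isupper((unsigned char)p[i])) i++;
  if(!eol || i == 0 || p[i] != ' ' || eol - p < (long)(i + 11))
    return 0;
  return !strncmp(eol - 9, " HTTP/1.", 8);
}

/* Walk a NUL-terminated capture of what the client wrote to the socket.
   Returns -1 if every message is a well-framed request, else the offset of
   the first message that is not; *requests counts the good ones before it.
   Assumption: Content-Length is matched case-sensitively, no chunking. */
long check_stream(const char *s, int *requests)
{
  const char *p = s;
  *requests = 0;
  while(*p) {
    const char *end = strstr(p, "\r\n\r\n");
    const char *cl = strstr(p, "\r\nContent-Length:");
    size_t body = (cl && end && cl < end) ? strtoul(cl + 17, NULL, 10) : 0;
    if(!is_request_line(p) || !end || strlen(end + 4) < body)
      return (long)(p - s);
    p = end + 4 + body;
    (*requests)++;
  }
  return -1;
}

int main(void)
{
  int n;
  long off = check_stream(BAD, &n);
  printf("requests=%d first_bad_offset=%ld\n", n, off);
  return 0;
}
```

On the `BAD` stream the check stops at the first byte of the repeated body, which is the point where a server would start parsing the second request.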