
curl-library

Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 17 Jul 2014 13:28:22 +0200 (CEST)

On Thu, 17 Jul 2014, Michael Osipov wrote:

> WWW-Authenticate: Basic realm="A"
> WWW-Authenticate: Basic realm="B"
>
> That makes no sense and is incorrect.

Is it really? What if it has two overlapping realms and offers you to login to
any of them to access that resource?

I'm fully convinced you will find servers out there returning headers like
that.

>> $ curl --verbose --basic -u michael-o:secret http://<host> -o /dev/null

> The client has never been challenged to authenticate but performs preemptive
> auth, thus disclosing his password.

Yes, because you're asking for it!

>> I don't see a need for --preemptive.
>
> The above shows the need.

I disagree. Use --anyauth instead of --basic and it'll probe and use whatever
method the server and curl agree to use.

If there's a missing option it would then rather be one that allows you to say
"I only want to use {basic,digest,ntlm,...} but I still want to probe first" -
which libcurl can do but that ability isn't exposed to the command line tool
afair.

-- 
  / daniel.haxx.se
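The difference discussed in this thread, between a client that sends credentials preemptively (`--basic -u ...`) and one that probes first and only then answers a challenge (`--anyauth`, optionally restricted to a set of schemes), shown as an added example that is not curl's own code. The HTTP exchange is simulated in-process with a toy origin server function rather than real sockets; the user name, password and realms "A"/"B" are constructed values taken from the mail, and `client_probe_first` with an `allowed` set is an assumed illustration of the "probe first but only use {basic,...}" behaviour the reply says libcurl can do, not a reproduction of libcurl's implementation.

```python
import base64
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed credential store for the toy server (not real accounts).
USERS = {"michael-o": "secret"}

CHALLENGE = [("WWW-Authenticate", 'Basic realm="A"'),
             ("WWW-Authenticate", 'Basic realm="B"')]


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]]  # repeated header names are allowed


@dataclass
class Exchange:
    """What the client put in the Authorization header and the status it got back."""
    sent_authorization: Optional[str]
    status: int


def parse_www_authenticate(values: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Parse each WWW-Authenticate value into (scheme, params); one value per header."""
    out = []
    for value in values:
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest):
            params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
        out.append((scheme.lower(), params))
    return out


def basic_header(user: str, pw: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def toy_server(headers: Dict[str, str]) -> Response:
    """Protected resource that challenges with Basic in two realms (as in the mail)."""
    auth = headers.get("Authorization")
    if auth is None:
        return Response(401, list(CHALLENGE))
    scheme, _, cred = auth.partition(" ")
    if scheme.lower() != "basic":
        return Response(401, list(CHALLENGE))
    try:
        user, _, pw = base64.b64decode(cred).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return Response(400, [])
    expected = USERS.get(user, "")
    if expected and secrets.compare_digest(expected, pw):
        return Response(200, [])
    return Response(401, list(CHALLENGE))


Server = Callable[[Dict[str, str]], Response]


def client_preemptive_basic(server: Server, user: str, pw: str) -> List[Exchange]:
    """Like `curl --basic -u user:pw`: credentials go out on the very first request,
    whether or not the server ever asked for them."""
    header = basic_header(user, pw)
    resp = server({"Authorization": header})
    return [Exchange(header, resp.status)]


def client_probe_first(server: Server, user: str, pw: str,
                       allowed: Tuple[str, ...] = ("basic", "digest")) -> List[Exchange]:
    """Like `curl --anyauth -u user:pw`: an unauthenticated probe first, then answer the
    challenge, but only with a scheme in `allowed` (assumed illustration, not libcurl's code).
    Only Basic is implemented here; any other offered scheme is declined."""
    log = []
    resp = server({})
    log.append(Exchange(None, resp.status))
    if resp.status != 401:
        return log
    offered = [v for n, v in resp.headers if n.lower() == "www-authenticate"]
    for scheme, params in parse_www_authenticate(offered):
        if scheme in allowed and scheme == "basic":
            header = basic_header(user, pw)
            resp = server({"Authorization": header})
            log.append(Exchange(header, resp.status))
            return log
    # No acceptable scheme was offered: the password never leaves the client.
    return log


def offered_realms(server: Server) -> List[str]:
    """Realms a server advertises on an unauthenticated probe (handles repeated headers)."""
    resp = server({})
    values = [v for n, v in resp.headers if n.lower() == "www-authenticate"]
    return [p.get("realm", "") for _, p in parse_www_authenticate(values)]


if __name__ == "__main__":
    print("preemptive:", client_preemptive_basic(toy_server, "michael-o", "secret"))
    print("probe first:", client_probe_first(toy_server, "michael-o", "secret"))
    print("realms:", offered_realms(toy_server))
```

The probing client's first exchange carries no credentials, so against a server that never challenges (or that only offers a scheme outside `allowed`) the password is never sent; the preemptive client discloses it on request one regardless.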
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-17