curl-library
Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header
Date: Thu, 17 Jul 2014 13:53:54 +0200
> Von: "Daniel Stenberg" <daniel_at_haxx.se>
> On Thu, 17 Jul 2014, Michael Osipov wrote:
> 
> > WWW-Authenticate: Basic realm="A"
> > WWW-Authenticate: Basic realm="B"
> >
> > That makes no sense and is incorrect.
> 
> Is it really? What if it has two overlapping realms and offer you to login to 
> any of them to access that resource?
> 
> I'm fully convinced you will find servers out there returning headers like 
> that.
Maybe true, but that is not covered in libcurl either. You cannot scope the auth.
 
> >> $ curl --verbose --basic -u michael-o:secret http://<host> -o /dev/null
> 
> > The client has never been challenged to authenticate but performs preemptive 
> > auth, thus disclosing his password.
> 
> Yes, because you're asking for it!
Then I would at least require the docs to say that preemptive auth is performed by default.
Users should be aware that they could disclose information.
After that at least, I have found a bug in curl which ends in an endless redirect.
I will report shortly.
 
> >> I don't see a need for --preemptive.
> >
> > The above shows the need.
> 
> I disagree. Use --anyauth instead of --basic and it'll probe and use whatever 
> method the server and curl agree to use.
> 
> If there's a missing option it would then rather be one that allows you to say 
> "I only want to use {basic,digest,ntlm,...} but I still want to probe first" - 
> which libcurl can do but that ability isn't exposed to the command line tool 
> afair.
How would that go in libcurl, I mean not preemptive?
Michael
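As an added example (not libcurl's code and not from this thread), the client-side rule the discussion circles around, in C: credentials leave the client only after a 401 whose challenges match the wanted scheme and realm, and a duplicated WWW-Authenticate header with another realm is skipped rather than treated as a failure. The names parse_challenge, may_send_credentials and sample_headers are assumptions.

```c
#include <string.h>
#include <strings.h>
/* Example added to this thread, not libcurl code: release credentials
   only for a 401 challenge that matches scheme and realm exactly. */
typedef struct { char scheme[16]; char realm[64]; } challenge_t;

/* Constructed sample: the duplicated challenge discussed above. */
const char *const sample_headers[] = {
    "WWW-Authenticate: Basic realm=\"A\"",
    "WWW-Authenticate: Basic realm=\"B\"",
};
const int sample_nhdr = 2;

/* Parse 'WWW-Authenticate: <scheme> realm="<realm>"'. Returns 1 if usable. */
static int parse_challenge(const char *line, challenge_t *out) {
    const char *p = line, *q;
    size_t n;
    if (strncasecmp(p, "WWW-Authenticate:", 17) != 0) return 0;
    p += 17;
    while (*p == ' ') p++;
    for (q = p; *q && *q != ' '; q++) ;           /* scheme token */
    n = (size_t)(q - p);
    if (n == 0 || n >= sizeof out->scheme) return 0;
    memcpy(out->scheme, p, n); out->scheme[n] = '\0';
    out->realm[0] = '\0';
    if ((p = strstr(q, "realm=\"")) != NULL) {      /* optional realm */
        p += 7;
        if ((q = strchr(p, '"')) == NULL) return 0;
        n = (size_t)(q - p);
        if (n >= sizeof out->realm) return 0;
        memcpy(out->realm, p, n); out->realm[n] = '\0';
    }
    return 1;
}

/* Credentials go out only in response to a 401 carrying a challenge for
   exactly this scheme and realm; an unchallenged 200 gets nothing, so no
   password is sent preemptively. A second header naming another realm is
   simply skipped instead of breaking the match. */
int may_send_credentials(int status, const char *const *headers, int nhdr,
                         const char *scheme, const char *realm) {
    int i;
    if (status != 401) return 0;
    for (i = 0; i < nhdr; i++) {
        challenge_t c;
        if (parse_challenge(headers[i], &c) &&
            strcasecmp(c.scheme, scheme) == 0 && strcmp(c.realm, realm) == 0)
            return 1;
    }
    return 0;
}
```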
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-17