curl-library
Re: Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header
Date: Thu, 17 Jul 2014 14:39:37 +0200
> Von: "Daniel Stenberg" <daniel_at_haxx.se>
> On Thu, 17 Jul 2014, Michael Osipov wrote:
> >> Yes, because you're asking for it!
> >
> > Then I would at least require the docs to say that preempive is is performed
> > by default. Users should be aware that they could disclose information.
>
> Yes it should! But you're expressing this funnily. If if _does_ probe first,
> it will disclose the exact same information if the server asks for basic auth
Haven't noticed that I brought some fun into it. I am trying to make a point.
Doing $ 'curl --basic -u ... http://host/proctected http://host2/unprotected'
without using next will reveal. Am I wrong?
> > After that at least, I have found a bug in curl which ends in an endless
> > redirect. I will report shortly.
>
> Ouch!
>
> >> If there's a missing option it would then rather be one that allows you to
> >> say "I only want to use {basic,digest,ntlm,...} but I still want to probe
> >> first" - which libcurl can do but that ability isn't exposed to the command
> >> line tool afair.
> >
> > How would that go in libcurl, I mean not preemptive?
>
> Add the 'CURLAUTH_ONLY' bit. Like when asking for only basic with a probe:
>
> CURLAUTH_BASIC | CURLAUTH_ONLY
So adding --auth-only and --proxy-auth-only tied to CURLAUTH_ONLY would disable preemptive
auth and perform of if challenged? E.g.,
$ curl --basic --digest -u ... --auth-only <URL>
Michael
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-17