curl-library

Re: Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 17 Jul 2014 15:06:43 +0200 (CEST)

On Thu, 17 Jul 2014, Michael Osipov wrote:

>> Yes it should! But you're expressing this funnily. If it _does_ probe
>> first, it will disclose the exact same information if the server asks for
>> basic auth
>
> Haven't noticed that I brought some fun into it.

"funny" in the meaning of "strange" or "peculiar".

> I am trying to make a point.
>
> Doing $ 'curl --basic -u ... http://host/protected
> http://host2/unprotected'
> without using next will reveal. Am I wrong?

No, that's exactly how it works. It sends HTTP Basic credentials in both
requests immediately without probing.

>> CURLAUTH_BASIC | CURLAUTH_ONLY
>
> So adding --auth-only and --proxy-auth-only tied to CURLAUTH_ONLY would
> disable preemptive auth and perform it if challenged? E.g.,
>
> $ curl --basic --digest -u ... --auth-only <URL>

Yes - if you truly want only that particular auth method AND a "probe". But I
would argue that the options should be named differently! =)

-- 
  / daniel.haxx.se
Received on 2014-07-18
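
A simplified model of the behaviour discussed in this message, added here as an example (it is not curl source code and not part of the thread): it counts how many hosts in a two-URL transfer receive the credentials when Basic is the only method set versus when it is combined with CURLAUTH_ONLY to force a probe. The bit values are those in curl/curl.h; `struct server`, the `SAMPLE` list and the function names are assumptions made for the illustration.

```c
#include <stdio.h>

/* Bit values as defined in curl/curl.h. */
#define CURLAUTH_BASIC  (1UL << 0)
#define CURLAUTH_DIGEST (1UL << 1)
#define CURLAUTH_ONLY   (1UL << 31)

/* Constructed sample endpoint: which method it challenges with (0 = none). */
struct server { const char *url; unsigned long challenge; };

static const struct server SAMPLE[] = {
    { "http://host/protected",    CURLAUTH_BASIC },
    { "http://host2/unprotected", 0 },
};

/* Exactly one bit set: a single method and no probe, so send at once. */
static int is_preemptive(unsigned long want)
{
    return want != 0 && (want & (want - 1)) == 0;
}

/* 1 if the credentials reach server s under this model, else 0. */
static int creds_sent(unsigned long want, const struct server *s)
{
    if (is_preemptive(want))
        return 1;  /* the very first request carries Authorization */
    /* Probe: the first request is anonymous; answer only a 401 challenge
       that names a method from the wanted set. */
    return (s->challenge & want & ~CURLAUTH_ONLY) != 0;
}

/* Number of hosts in one multi-URL transfer that see the credentials. */
static int hosts_receiving_creds(unsigned long want,
                                 const struct server *list, int n)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        count += creds_sent(want, &list[i]);
    return count;
}

int main(void)
{
    printf("CURLAUTH_BASIC:               %d of 2 hosts\n",
           hosts_receiving_creds(CURLAUTH_BASIC, SAMPLE, 2));
    printf("CURLAUTH_BASIC|CURLAUTH_ONLY: %d of 2 hosts\n",
           hosts_receiving_creds(CURLAUTH_BASIC | CURLAUTH_ONLY, SAMPLE, 2));
    return 0;
}
```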