curl / Mailing Lists / curl-library / Single Mail

curl-library

AW: HTTP POST/PUT request with NTLM authentication leads to HTTP Status 411 Length required

From: Hölzl, Dominik <Dominik.Hoelzl_at_fabasoft.com>
Date: Fri, 3 Feb 2017 10:11:03 +0000

Hello!

Thank you for your Answer!


I have figured out what the problem is and how it is reproducible (Adopted from the POST example https://curl.haxx.se/libcurl/c/http-post.html):


size_t CURLheaderfunction(void *ptr, size_t size, size_t nmemb, void *stream)
{
  printf("RECEIVED HEADER: %s", (const char *)ptr);
  return size*nmemb;
}
int main(void)
{
  CURL *curl;
  CURLcode res;

  /* In windows, this will init the winsock stuff */
  curl_global_init(CURL_GLOBAL_ALL);

  /* get a curl handle */
  curl = curl_easy_init();
  if (curl) {
    /* First set the URL that is about to receive our POST. This URL can
    just as well be a https:// URL if that is what should receive the
    data. */
    curl_easy_setopt(curl, CURLOPT_URL, "http://url-to-ntlm-enabled-server-goes-here");
    /* Specify header callback */
    curl_easy_setopt(curl, CURLOPT_HEADERFUNCTION, CURLheaderfunction);
    /* Specify NTLM authentication method */
    curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
    curl_easy_setopt(curl, CURLOPT_USERNAME, "<Username>");
    curl_easy_setopt(curl, CURLOPT_PASSWORD, "<Password>");
    /* Now specify the POST data */
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, "name=daniel&project=curl");
    /* Add some headers, in this case a redundant Content-Length header */
    struct curl_slist *headers = NULL;
    headers = curl_slist_append(headers, "Content-Length: 24");
   curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
    /* Perform the request, res will get the return code */
    res = curl_easy_perform(curl);
    /* Check for errors */
    if (res != CURLE_OK) {
      fprintf(stderr, "curl_easy_perform() failed: %s\n",
      curl_easy_strerror(res));
    }
    else {
      long http_code = 0;
      curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);
      printf("CURL STATUS: %ld", http_code);
    }

    /* always cleanup */
    curl_easy_cleanup(curl);
 }
  curl_global_cleanup();

}





If setting an additional Content-Length header (which is redundant as cURL controls the Content-Lenght header itself anyway), a Content-Length header is curiously NOT sent to the server in the NTLM challenge request.



Removing the marked lines solves the problem.



In cURL version 7.19.6 it also works if the superfluous Content-Length header is added.



Regards,

Dominik



| -----Ursprüngliche Nachricht-----

| Von: curl-library [mailto:curl-library-bounces_at_cool.haxx.se] Im Auftrag von

| Isaac Boukris

| Gesendet: Freitag, 03. Februar 2017 00:14

| An: libcurl development

| Betreff: Re: HTTP POST/PUT request with NTLM authentication leads to HTTP

| Status 411 Length required

|

| On Thu, Feb 2, 2017 at 2:16 PM, Hölzl, Dominik

| <Dominik.Hoelzl_at_fabasoft.com<mailto:Dominik.Hoelzl_at_fabasoft.com>> wrote:

| > Hello!

| >

| >

| >

| > I have the following problem:

| >

| >

| >

| > I want to perform an HTTP POST request, PUT request or another custom

| > request (CURLOPT_CUSTOMREQUEST) with some data

| (CURLOPT_UPLOAD,

| > CURLOPT_INFILESIZE_LARGE) with using NTLM authentication

| (CURLOPT_HTTPAUTH

| > CURLAUTH_NTLM, CURLOPT_USERPWD).

| >

| >

| >

| > But the request fails with 411 Length required (Server: IIS 6.2), if this is

| > the first request of a CURL-handle.

| >

| > Performing a GET request always works as expected.

| >

| >

| >

| > WireShark shows, that cURL removes the “Content-Length” header in the

| NTLM

| > challenge request and therefore the Server complains about the missing

| > header.

| >

| > Adding the “Content-Length” header additionally to the request does not

| > help. If I add a “Content-Length-X”-Header, I can see in WireShark that this

| > header survives, but the Content-Length header is missing.

| >

| > Adding a “Expect: 100-continue” header does not help either.

| >

| >

| >

| >

| >

| > Regarding to the change-logs this bug has been fixed in version 7.19.6

| > (https://curl.haxx.se/changes.html#7_19_6):

| >

| > Bugfixes:

| >

| > · …

| >

| > · set Content-Length: with POST and PUT failed with NTLM auth

| >

| > · …

| >

| >

| >

| > I have following discussion about this bug found:

| >

| > http://marc.info/?t=107172137000001&r=1&w=2

| >

| >

| >

| >

| >

| > If I use cURL Library version 7.19.6 where this bug was initially fixed the

| > problem disappears and the request works as expected.

| >

| >

| >

| > If I use cURL Library version 7.49.1 or the latest Version, 7.52.1, the

| > request fails with 411 Length required as mentioned above.

| >

| > It seems some changes to cURL broke that. I did not test in which version

| > the bug reappeared.

| >

| >

| >

| >

| >

| > Do you have any suggestions how to work around that problem? I want to

| use

| > the latest cURL Library version for security reasons.

|

| Can you show us how to reproduce this (code sample or curl command)?

| It doesn't reproduce by me.

|

| There is some logic in curl to set Content-Length:0 in the initial

| request of ntlm connections (in order

| to avoid having to send the data to be discarded), but that should be

| ok, example:

| curl -v -uavi:zubur1 --ntlm -Fa=b http://httpbin.org/post

|

| -------------------------------------------------------------------

| Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library

| Etiquette: https://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-02-03