Bug in curl_easy_reset: Re-using the handle fails with HTTP 401

From: Ruurd Beerstra via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 17 Jan 2018 15:44:54 +0000

Hi,

<first post on this list, please be kind :->

We use curl (version 7.57.0) in our product and discovered a bug in curl_easy_reset().

We have an application that connects to two hosts (using HTTP).
When the code is executed to establish just a session with host 1, result is OK.
When the code is executed to establish just a session with host 2, result is OK.

When the code is executed to establish a session to host 1, do a curl_easy_reset, then contact host 2 (re-using the handle), the result is an HTTP 401 (unauthorized) for the connection to host 2.

So it would seem the curl_easy_reset handle retains some information about the previous connection which causes the next connection to host 2 to fail.
Host 1 uses HTTP, host 2 HTTPS (don't know if that is relevant).

I've reproduced the problem in a small C program (attached, with some userid/password stuff blanked out).
Output in our environment (where XXXX and YYYY are working usernames/passwords):

rbeerstr_at_nlbaldev3: ./curl_test one
Start with http://XXXXXX:YYYYYY@nlbavwtech7:8312/webui/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3: ./curl_test two
Start with https://XXXXXX:YYYYYY@nlbavwtech11.infor.com:8447/lnui_ux/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3: ./curl_test both
Start with http://XXXXXX:XXXXXX@nlbavwtech7:8312/webui/servlet/deploy?command=ping
HTTP 302
Start with https://XXXXXX:YYYYYY@nlbavwtech11.infor.com:8447/lnui_ux/servlet/deploy?command=ping
HTTP 401
rbeerstr_at_nlbaldev3:

When I change the curl_easy_reset() call into a curl_easy_cleanup() followed by curl_easy_init(), the output becomes:

rbeerstr_at_nlbaldev3: ./curl_test one
Start with http://XXXXXX:YYYYYY@nlbavwtech7:8312/webui/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3: ./curl_test two
Start with https://XXXXXX:YYYYYY@nlbavwtech11.infor.com:8447/lnui_ux/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3: ./curl_test both
Start with http://XXXXXX:XXXXXX@nlbavwtech7:8312/webui/servlet/deploy?command=ping
HTTP 302
Start with https://XXXXXX:YYYYYY@nlbavwtech11.infor.com:8447/lnui_ux/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3:

I.e., then it works fine.

We have a reasonable workaround (separate sessions) but any insights or solutions would be much appreciated.

  Regards,
                Ruurd Beerstra
                Infor.


Received on 2018-01-17