Download
Browse source Changelog
Documentation
Project   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users curl-announce curl-commits Book: Everything curl Report a bug Mail Etiquette
Development
Autobuilds Code Style Contribute Internals Release Notes Release Procedure Roadmap Run Tests Security Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail

curl-library

Bug in curl_easy_reset: Re-using the handle fails with HTTP 401

From: Ruurd Beerstra via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 17 Jan 2018 15:44:54 +0000

Hi,

<first post on this list, please be kind :->

We use curl (version 7.57.0) in our product and discovered a bug in curl_easy_reset().

We have an application that connects to two hosts (using HTTP).
When the code is executed to establish just a session with host 1, result is OK.
When the code is executed to establish just a session with host 2, result is OK.

When the code is executed to establish a session to host 1, do a curl_easy_reset, then contact host 2 (re-using the handle), the result is a HTTP 401 (unauthorized) for the connection to host 2.

So it would seem the curl_easy_reset handle retains some information about the previous connection which causes the next connection to host 2 to fail.
Host 1 uses HTTP, host 2 HTTPS (don't know if that is relevant).

I've reproduced the problem in a small C program (attached, with some userid/password stuff blanked out).
Output in our environment (where XXXX and YYYY are working usrenames/passwords):

rbeerstr_at_nlbaldev3: ./curl_test one
Start with http://XXXXXX:YYYYYY@nlbavwtech7:8312/webui/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3: ./curl_test two
Start with https://XXXXXX:YYYYYY@nlbavwtech11.infor.com:8447/lnui_ux/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3: ./curl_test both
Start with http://XXXXXX:XXXXXX@nlbavwtech7:8312/webui/servlet/deploy?command=ping
HTTP 302
Start with https://XXXXXX:YYYYYY@nlbavwtech11.infor.com:8447/lnui_ux/servlet/deploy?command=ping
HTTP 401
rbeerstr_at_nlbaldev3:

When I change the curl_easy_reset() call into a curl_easy_cleanup() followed by curl_easy_init, the output becomes:
rbeerstr_at_nlbaldev3: ./curl_test one
Start with http://XXXXXX:YYYYYY@nlbavwtech7:8312/webui/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3: ./curl_test two
Start with https://XXXXXX:YYYYYY@nlbavwtech11.infor.com:8447/lnui_ux/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3: ./curl_test both
Start with http://XXXXXX:XXXXXX@nlbavwtech7:8312/webui/servlet/deploy?command=ping
HTTP 302
Start with https://XXXXXX:YYYYYY@nlbavwtech11.infor.com:8447/lnui_ux/servlet/deploy?command=ping
HTTP 302
rbeerstr_at_nlbaldev3:

I.e., then it works fine.

We have a reasonable workaround (separate sessions) but any insights or solutions would be much appreciated.

  Regards,
                Ruurd Beerstra
                Infor.

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2018-01-17