Download
Browse source Changelog
Documentation
Project   Bug Bounty   Help us   Known bugs   TODO Protocols   CA bundle   HTTP Cookies   HTTP/2   SSL Certs Releases   Security   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting Who and Why
libcurl
ABI API Competitors Examples Features Mailing list Related libs Using libcurl Tutorial Testimonials
Get Help
curl-library curl-users Mailing lists Book: Everything curl Video presentations Report a bug Paid support
Development
Autobuilds Code Style Contribute Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Security Process Specifications Test curl
News
Changelog Release table
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

curl doesn't handle multiple WWW-Authenticate challenges properly (Negotiate)

From: Jung Michel via curl-library <curl-library_at_cool.haxx.se>
Date: Tue, 28 Jan 2020 15:02:04 +0000

Hi all,

The following has been tested with versions

    - 7.29.0 (x86_64-redhat-linux-gnu)
    - 7.61.1 (x86_64-redhat-linux-gnu)
    - 7.64.0 (x86_64-w64-mingw32)

I'm trying to use curl with Negotiate like so:

    curl -kv -L --negotiate -u : -b ~/cookie.txt -c ~/cookie.txt http://localhost:8081/negotiate

If the first 401 response contains

    WWW-Authenticate: Negotiate

curl will then, as expected, send another request with an Authorization header:

    Authorization: Negotiate xxxxxxxxxxxxx

However, if the 401 response contains more than one challenge, like so:

    WWW-Authenticate: Negotiate, Basic realm="TM1"

curl will NOT send another request. According to RFC2616 [1], sending multiple challenges like this is valid.
Is there a way to handle this case, or is this a bug in libcurl? Ultimately, I'm trying to do such requests using
R which uses libcurl under the hood.

Thank you for taking the time,
Michel Jung

[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47

________________________________

Disclaimer:

Diese E-Mail enthält möglicherweise vertrauliche Informationen und ist einzig für den beabsichtigten Empfänger bestimmt. Sollten Sie diese E-Mail irrtümlicherweise erhalten haben, bitten wir Sie, die Zürcher Kantonalbank unverzüglich zu benachrichtigen und diese E-Mail sowie deren Anhänge sofort zu löschen. Unbefugte Verwendung kann geahndet werden.

Vielen Dank.

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-01-28