Bugs item #2203193, was opened at 2008-10-28 07:54
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2203193&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: wrong content
Status: Open
Resolution: None
Priority: 6
Private: No
Submitted By: Yossi Nakash (yossinakash)
Assigned to: Daniel Stenberg (bagder)
Summary: NTLM authentication and POST wrong behavior
Initial Comment:
Hi,
I found a wrong behavior in CURL.
My libcurl version is 7.18.2.
My OS is Windows XP, the server I'm testing is windows 2003, and the server is IIS 6.
The wrong behavior I get:
Wnen I do POST with NTLM Authentication, I get 400 Bad request.
I used WireShark to viw the traffic and I saw the following:
1. POST is performed with "Content-Length: 214" + data.
2. Response 401.
3. POST is performed with "Content-Length: 214" with no data !!
4. Response 401.
5. POST is performed with "Content-Length: 214" + data.
6. Response 400 Bad Request.
I would expect the POST in paragraph 3 to send either "Content-Length: 0", or attach the data.
I'm not familiar with CURL too much, so I briefly did the following change to fix the issue:
I commented the following code, in http.c in line 2661:
case HTTPREQ_POST:
/* my comment
if(conn->bits.authneg)
postsize = 0;
else
*/
This fix did the trick to solve the issue.
I hope that you'll supply a better fix than that.
I don't have an open site for it, so I can't attach a link.
I work in RadView, and I had a similar issue in the past, I worked then with Daniel Stenberg.
Regards,
Yossi
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2008-11-02 23:38
Message:
But can you then tell me why the current code DOESN'T add that header?
What's wrong with the logic that in my eyes already does this? And the
current logic already does this for the PUT case as well.
You say the correct fix is the way I say the code already works!
----------------------------------------------------------------------
Comment By: Yossi Nakash (yossinakash)
Date: 2008-11-02 08:28
Message:
The correct fix, in my opinion, is to set the content length to 0. but, it
is important to check where are the other places that set the content data
to 0 - I saw at least one other place - in PUT.
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2008-10-31 14:47
Message:
The code is _already there_ to set "Content-Length: 0" for the case where
libcurl isn't going to send anything. In the 7.19.0 code base the exact
code line is lib/http.c:2755
What fix do you consider to be the correct one?
----------------------------------------------------------------------
Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-31 14:40
Message:
It's a simple POST (with data) with NTLM authentication on a IIS 6 server.
I would love to help, if you could only guide me where is the best place
to set the content length to 0 on NTLM authentication, and I'll do that.
I believe the fix is correct in any case (because curl sends no data
anyways). and w edo not want to forget the PUT, and maybe more(?).
Yossi
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2008-10-31 00:37
Message:
I understand that but since I cannot reproduce the issue nor do I even
understand how it can do what you say it does, I pretty much depend on
someone (like you) to help me out.
----------------------------------------------------------------------
Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-30 08:26
Message:
I agree.
The best solution would be to the set the Content-Length to be 0 on step
3.
There are two ways that I am aware of to do it, but as I mentioned
earlier, I am not familiar enough with CURL, and I don't like entering
'patches' without understanding the full architecture - There might be
other issues I'm missing - such as PUT (has the same thing there), or
something else.
That's why I submitted the issue, for you experts to give a better
diagnostic and fix.
Thanks,
Yossi
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2008-10-29 22:58
Message:
But your "fix" will make libcurl send away the data in step 3 in vain
(since the server doesn't want it), and if that is a lot of data you (==
all users doing POST over NTLM) get a serious penalty. Thus it is worth
pursuing a better fix...
----------------------------------------------------------------------
Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-29 16:18
Message:
Hi,
I'm using CURL as client in a man-in-the-middle proxy, so I get a lot of
data, that I'm not sure was got before. (posts with data with NTLM, for
this matter).
Regarding IIS strange behavior(step 3 wrong message cause error in step
6), It's a fact that it has this issue, I didn't investigate why IIS
behaves like that, I just noticed the problem and fixed it (it works fine
now).
I just googled it now, and found the following:
http://osdir.com/ml/web.curl.library/2004-03/msg00261.html maybe it's
related.
maybe there are more issues.
Thanks,
Yossi
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2008-10-29 00:35
Message:
First, this approach has been proven to work numerous times in the past so
it's a bit strange that you get a problem with it all of a sudden. If step
3 is the bad one, why don't you get the error until after step 5?
I don't see how that code _doesn't_ send "Content-Lenth: 0" at step 3. Can
you see why/how?
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2203193&group_id=976
Received on 2008-11-02