
curl-tracker Archives

[ curl-Bugs-3582718 ] Regression with HTTP Digest auth and connection reuse

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Fri, 02 Nov 2012 11:32:20 -0700

Bugs item #3582718, was opened at 2012-11-02 11:31
Message generated for change (Comment added) made by jmasonrim
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3582718&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: bad behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Joe Mason (jmasonrim)
Assigned to: Daniel Stenberg (bagder)
Summary: Regression with HTTP Digest auth and connection reuse

Initial Comment:
As reported by Nick Zitzmann in this email thread: http://curl.haxx.se/mail/lib-2012-10/0120.html

I didn't see this on the list of known bugs. I found a problem today where, if a server advertises support for HTTP Digest authentication and libcurl authenticates with the server successfully, and then re-uses the connection, then the next attempt to fetch something that requires authentication will fail. This does not happen when using HTTP Basic authentication to authenticate with the server.
Specifically, what happens is:
1. The app using libcurl creates a new easy handle and configures it with the URL, authentication information, etc.
2. libcurl opens a connection to the server
3. libcurl sends an HTTP request
4. The server returns HTTP 401 (as expected)
5. libcurl automatically rewinds and sends another request to the URL, this time with an Authorization header (correct behavior)
6. The server returns the requested information
7. The app using libcurl calls curl_easy_perform() again on the same easy handle with a URL pointing to the same server
8. Re-using the connection, libcurl sends an HTTP request, but does not print the Authorization header (oops, that's not expected behavior)
9. The server returns HTTP 401
10. libcurl gives up and returns an authentication error to the app
This used to work as expected in the older version of libcurl that this particular project was using, which was 7.23.1.
After a lot of searching, I finally figured out what caused this regression. It was this commit:
<https://github.com/bagder/curl/commit/ce8311c7e49eca93c136b58efa6763853541ec97>
The code in that commit zeros out the authentication state in Curl_pretransfer(), which means if we knew that the server wanted digest authorization in the past, we sure didn't anymore. If I comment out that code, then the regression goes away.

----------------------------------------------------------------------

>Comment By: Joe Mason (jmasonrim)
Date: 2012-11-02 11:32

Message:
Forgot to mention in the description that this regression appeared in
7.28.0

----------------------------------------------------------------------

Received on 2012-11-02
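
A server-side check for the symptom described in steps 7-10 of the report, as an added example that is not part of the original message or of curl: it scans a request log for a connection that had already authenticated and then had a request without an Authorization header rejected with no retry. The log tuple format, the function name and the sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed request log for illustration: (connection id, path,
# request carried an Authorization header?, response status).
SAMPLE_LOG = [
    ("c1", "/a", False, 401),  # steps 3-4: first request is challenged
    ("c1", "/a", True, 200),   # steps 5-6: retry with Authorization succeeds
    ("c1", "/b", False, 401),  # steps 8-9: reused connection, header missing
    # step 10: no retry follows on c1, the client gave up
    ("c2", "/a", False, 401),
    ("c2", "/a", True, 200),
    ("c2", "/b", True, 200),   # reuse that still sends the header
    ("c3", "/a", False, 401),
    ("c3", "/a", True, 200),
    ("c3", "/b", False, 401),  # challenged again on reuse ...
    ("c3", "/b", True, 200),   # ... but the client retried, so no failure
]


def find_abandoned_reauth(log):
    """Return (conn, path) pairs where a connection that had already
    authenticated later got a 401 on a request without Authorization and
    the client never retried that path with the header."""
    by_conn = defaultdict(list)
    for conn, path, has_auth, status in log:
        by_conn[conn].append((path, has_auth, status))

    findings = []
    for conn, reqs in by_conn.items():
        authenticated = False
        for i, (path, has_auth, status) in enumerate(reqs):
            if has_auth and status == 200:
                authenticated = True
                continue
            if authenticated and not has_auth and status == 401:
                # A healthy client answers the challenge on the next request.
                nxt = reqs[i + 1] if i + 1 < len(reqs) else None
                retried = nxt is not None and nxt[0] == path and nxt[1]
                if not retried:
                    findings.append((conn, path))
    return findings


if __name__ == "__main__":
    for conn, path in find_abandoned_reauth(SAMPLE_LOG):
        print(f"{conn}: {path} failed without Authorization after earlier success")
```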
