From 1012c5705aedc6730244c22cd9d2bcb3c5c13212 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 5 Jun 2009 06:18:42 +0000
Subject: [PATCH] - Setting the Content-Length: header from your app when you
 do a POST or PUT   is almost always a VERY BAD IDEA. Yet there are still apps
 out there doing   this, and now recently it triggered a bug/side-effect in
 libcurl as when   libcurl sends a POST or PUT with NTLM, it sends an empty
 post first when it   knows it will just get a 401/407 back. If the app then
 replaced the   Content-Length header, it caused the server to wait for input
 that libcurl   wouldn't send. Aaron Oneal reported this problem in bug report
 #2799008   (http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify
 the fix.

---
 CHANGES       | 13 +++++++++++++
 RELEASE-NOTES | 10 ++++++++++
 lib/http.c    | 11 ++++++++---
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2b934415e8..1c9745a3d5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,11 +6,24 @@
 
                                   Changelog
 
+<<<<<<< CHANGES
+Daniel Stenberg (4 June 2009)
+- Setting the Content-Length: header from your app when you do a POST or PUT
+  is almost always a VERY BAD IDEA. Yet there are still apps out there doing
+  this, and now recently it triggered a bug/side-effect in libcurl as when
+  libcurl sends a POST or PUT with NTLM, it sends an empty post first when it
+  knows it will just get a 401/407 back. If the app then replaced the
+  Content-Length header, it caused the server to wait for input that libcurl
+  wouldn't send. Aaron Oneal reported this problem in bug report #2799008
+  http://curl.haxx.se/bug/view.cgi?id=2799008) and helped us verify the fix.
+
+=======
 Yang Tse (4 Jun 2009)
 - Igor Novoseltsev provided patches and information, that after some
   adjustments to better fit curl's way of doing things, have resulted
   in the posibility of building libcurl for VxWorks.
 
+>>>>>>> 1.1683
 Daniel Fandrich (2 June 2009)
 - Checked in a Google Android make file. To use it, you must first
   create a config.h file by running configure in the Android environment,
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 035473d2a6..9866e5d927 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -20,7 +20,11 @@ This release includes the following bugfixes:
  o libcurl-NSS build fixes
  o libcurl-NSS build fix
  o configure script fixed for VMS
+<<<<<<< RELEASE-NOTES
+ o set Content-Length: with POST and PUT failed with NTLM auth
+=======
  o allow building libcurl for VxWorks
+>>>>>>> 1.1030
 
 This release includes the following known bugs:
 
@@ -29,7 +33,13 @@ This release includes the following known bugs:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
+<<<<<<< RELEASE-NOTES
+ Yang Tse, Daniel Fandrich, Kamil Dudka, Caolan McNamara, Frank McGeough,
+ Andre Guibert de Bruet, Mike Crowe, Claes Jakobsson, John E. Malmberg,
+ Aaron Oneal
+=======
  Kamil Dudka, Caolan McNamara, Frank McGeough, Andre Guibert de Bruet,
  Mike Crowe, Claes Jakobsson, John E. Malmberg, Igor Novoseltsev
+>>>>>>> 1.1030
 
         Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/http.c b/lib/http.c
index 466d9539aa..ccbec227fe 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -2032,6 +2032,11 @@ static CURLcode add_custom_headers(struct connectdata *conn,
                 /* this header (extended by formdata.c) is sent later */
                 checkprefix("Content-Type:", headers->data))
           ;
+        else if(conn->bits.authneg &&
+                /* while doing auth neg, don't allow the custom length since
+                   we will force length zero then */
+                checkprefix("Content-Length", headers->data))
+          ;
         else {
           CURLcode result = add_bufferf(req_buffer, "%s\r\n", headers->data);
           if(result)
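Review bot: The added test matches on `"Content-Length"` without the trailing colon, unlike the `"Content-Type:"` check directly above it and the `checkheaders(data, "Content-Length:")` call in Curl_http. During auth negotiation this silently drops any custom header whose name merely begins with that string (a constructed example: `Content-Length-Hint: 1`), not only the one the comment is about. I would make it `checkprefix("Content-Length:", headers->data))` so that both sites agree on which header is being overridden. The header loop in add_custom_headers starts and ends outside this hunk.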
@@ -2787,9 +2792,9 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
          we don't upload data chunked, as RFC2616 forbids us to set both
          kinds of headers (Transfer-Encoding: chunked and Content-Length) */
 
-      if(!checkheaders(data, "Content-Length:")) {
-        /* we allow replacing this header, although it isn't very wise to
-           actually set your own */
+      if(conn->bits.authneg || !checkheaders(data, "Content-Length:")) {
+        /* we allow replacing this header if not during auth negotiation,
+           although it isn't very wise to actually set your own */
         result = add_bufferf(req_buffer,
                              "Content-Length: %" FORMAT_OFF_T"\r\n",
                              postsize);
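Review bot: The reworded comment says when the app's header is overridden but not why, and the reason is what a later maintainer needs: during auth negotiation the declared length must match the body libcurl actually sends, or client and server disagree on request framing and the server blocks waiting for bytes. I would state that directly, e.g. `/* during auth negotiation always emit our own length: an app-supplied value would not match the body we actually send */`. This branch now relies on postsize already holding the forced value whenever conn->bits.authneg is set, and that assignment is outside the hunk, so it is worth confirming for every request type that reaches this point. No regression test accompanies the change. A case in the project's test suite that sets Content-Length from the application on an NTLM POST would keep this hunk and the add_custom_headers hunk from drifting apart.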
-- 
GitLab