Commit 13e3a18b authored by Isaac Boukris's avatar Isaac Boukris Committed by Jay Satiro
Browse files

http: fix missing 'Content-Length: 0' while negotiating auth 

- While negotiating auth during PUT/POST if a user-specified
  Content-Length header is set send 'Content-Length: 0'.

This is what we do already in HTTPREQ_POST_FORM and what we did in the
HTTPREQ_POST case (regression since afd288b2).

Prior to this change no Content-Length header would be sent in such a
case.

Bug: https://curl.haxx.se/mail/lib-2017-02/0006.html
Reported-by: Dominik Hölzl

Closes https://github.com/curl/curl/pull/1242
parent 3cc30e82

lib/http.c

+2 −2
Original line number Original line Diff line number Diff line
@@ -2512,7 +2512,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) 
      postsize = data->state.infilesize;

      postsize = data->state.infilesize;





    if((postsize != -1) && !data->req.upload_chunky &&

    if((postsize != -1) && !data->req.upload_chunky &&

       !Curl_checkheaders(conn, "Content-Length:")) {

       (conn->bits.authneg || !Curl_checkheaders(conn, "Content-Length:"))) {

      /* only add Content-Length if not uploading chunked */

      /* only add Content-Length if not uploading chunked */

      result = Curl_add_bufferf(req_buffer,

      result = Curl_add_bufferf(req_buffer,

                                "Content-Length: %" CURL_FORMAT_CURL_OFF_T

                                "Content-Length: %" CURL_FORMAT_CURL_OFF_T
@@ -2564,7 +2564,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done) 
       we don't upload data chunked, as RFC2616 forbids us to set both

       we don't upload data chunked, as RFC2616 forbids us to set both

       kinds of headers (Transfer-Encoding: chunked and Content-Length) */

       kinds of headers (Transfer-Encoding: chunked and Content-Length) */

    if((postsize != -1) && !data->req.upload_chunky &&

    if((postsize != -1) && !data->req.upload_chunky &&

       !Curl_checkheaders(conn, "Content-Length:")) {

       (conn->bits.authneg || !Curl_checkheaders(conn, "Content-Length:"))) {

      /* we allow replacing this header if not during auth negotiation,

      /* we allow replacing this header if not during auth negotiation,

         although it isn't very wise to actually set your own */

         although it isn't very wise to actually set your own */

      result = Curl_add_bufferf(req_buffer,

      result = Curl_add_bufferf(req_buffer,

tests/data/Makefile.inc

+1 −1
Original line number Original line Diff line number Diff line
@@ -130,7 +130,7 @@ test1236 test1237 test1238 test1239 test1240 test1241 test1242 test1243 \ 
test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \

test1244 test1245 test1246 test1247 test1248 test1249 test1250 test1251 \

test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \

test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \

\

\

test1280 test1281 test1282 test1283 \

test1280 test1281 test1282 test1283 test1284 test1285 \

\

\

test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \

test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \

test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \

test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \

tests/data/test1284

0 → 100644
+89 −0
Original line number Original line Diff line number Diff line 
<testcase>

<info>

<keywords>

HTTP

HTTP POST

HTTP Digest auth

</keywords>

</info>



# Server-side

<reply>

<data>

HTTP/1.1 401 authentication please swsbounce

Server: Microsoft-IIS/6.0

WWW-Authenticate: Digest realm="testrealm", nonce="1053604144"

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0



</data>

<data1000>

HTTP/1.1 200 A OK

Server: Microsoft-IIS/6.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 3



ok

</data1000>



<datacheck>

HTTP/1.1 401 authentication please swsbounce

Server: Microsoft-IIS/6.0

WWW-Authenticate: Digest realm="testrealm", nonce="1053604144"

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0



HTTP/1.1 200 A OK

Server: Microsoft-IIS/6.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 3



ok

</datacheck>



</reply>



# Client-side

<client>

#

<server>

http

</server>

<features>

!SSPI

crypto

</features>

<name>

HTTP POST --digest with user-specified Content-Length header

</name>

# This test is to ensure 'Content-Length: 0' is sent while negotiating auth

# even when there is a user-specified Content-Length header.

# https://github.com/curl/curl/pull/1242

<command>

-H "Content-Length: 11" -u auser:apasswd --digest -d "junkelijunk" http://%HOSTIP:%HTTPPORT/1284

</command>

</client>



# Verify data after the test has been "shot"

<verify>

<strip>

^User-Agent:.*

</strip>

<protocol nonewline="yes">

POST /1284 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Accept: */*

Content-Length: 0

Content-Type: application/x-www-form-urlencoded



POST /1284 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Authorization: Digest username="auser", realm="testrealm", nonce="1053604144", uri="/1284", response="5763079608de439072861a59ac733515"

Accept: */*

Content-Length: 11

Content-Type: application/x-www-form-urlencoded



junkelijunk

</protocol>

</verify>

</testcase>

tests/data/test1285

0 → 100644
+97 −0
Original line number Original line Diff line number Diff line 
<testcase>

<info>

<keywords>

HTTP

HTTP PUT

HTTP Digest auth

</keywords>

</info>



# Server-side

<reply>

<data>

HTTP/1.1 401 authentication please swsbounce

Server: Microsoft-IIS/6.0

WWW-Authenticate: Digest realm="testrealm", nonce="1053604144"

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0



</data>

<data1000>

HTTP/1.1 200 A OK

Server: Microsoft-IIS/6.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 3



ok

</data1000>



<datacheck>

HTTP/1.1 401 authentication please swsbounce

Server: Microsoft-IIS/6.0

WWW-Authenticate: Digest realm="testrealm", nonce="1053604144"

Content-Type: text/html; charset=iso-8859-1

Content-Length: 0



HTTP/1.1 200 A OK

Server: Microsoft-IIS/6.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 3



ok

</datacheck>



</reply>



# Client-side

<client>

#

<server>

http

</server>

<features>

!SSPI

crypto

</features>

<name>

HTTP PUT --digest with user-specified Content-Length header

</name>

# This test is to ensure 'Content-Length: 0' is sent while negotiating auth

# even when there is a user-specified Content-Length header.

# https://github.com/curl/curl/pull/1242

<command>

-H "Content-Length: 85" -u auser:apasswd --digest -T log/put1285 http://%HOSTIP:%HTTPPORT/1285

</command>

<file name="log/put1285">

This is data we upload with PUT

a second line

line three

four is the number of lines

</file>

</client>



# Verify data after the test has been "shot"

<verify>

<strip>

^User-Agent:.*

</strip>

<protocol>

PUT /1285 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Accept: */*

Content-Length: 0



PUT /1285 HTTP/1.1

Host: %HOSTIP:%HTTPPORT

Authorization: Digest username="auser", realm="testrealm", nonce="1053604144", uri="/1285", response="dc185587d5e8391b347eef194c2a3cd6"

Accept: */*

Content-Length: 85

Expect: 100-continue



This is data we upload with PUT

a second line

line three

four is the number of lines

</protocol>

</verify>

</testcase>