Commit 8d97bed8 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

test 2027/2030: take duplicate Digest requests into account 

With the reversion of ce8311c7 and the new clear logic, this flaw
is present and we allow it.
parent 13ce9031

tests/data/test2027

+22 −10
Original line number Diff line number Diff line
@@ -9,6 +9,17 @@ HTTP Digest auth 
# Server-side

<reply>



<!--



 Explanation for the duplicate 400 requests:



 libcurl doesn't detect that a given Digest password is wrong already on the

 first 401 response (as the data400 gives). libcurl will instead consider the

 new response just as a duplicate and it sends another and detects the auth

 problem on the second 401 response!



-->



<!-- First request has Digest auth, wrong password -->

<data100>

HTTP/1.1 401 Need Digest auth
@@ -93,16 +104,6 @@ This is a bad password page! 
</data1400>



<!-- Fifth request has Digest auth, right password -->

<data500>

HTTP/1.1 401 Need Digest auth (5)

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 27

WWW-Authenticate: Digest realm="testrealm", nonce="8"



This is not the real page!

</data500>



<data1500>

HTTP/1.1 200 Things are fine in server land (2)

Server: Microsoft-IIS/5.0
@@ -151,6 +152,12 @@ Content-Type: text/html; charset=iso-8859-1 
Content-Length: 29

WWW-Authenticate: Digest realm="testrealm", nonce="7"



HTTP/1.1 401 Sorry wrong password (3)

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 29

WWW-Authenticate: Digest realm="testrealm", nonce="7"



This is a bad password page!

HTTP/1.1 200 Things are fine in server land (2)

Server: Microsoft-IIS/5.0
@@ -222,6 +229,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2 
Host: %HOSTIP:%HTTPPORT

Accept: */*



GET /20270400 HTTP/1.1

Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20270400", response="f5906785511fb60a2af8b1cd53008ead"

Host: %HOSTIP:%HTTPPORT

Accept: */*



GET /20270500 HTTP/1.1

Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20270500", response="8ef4d935fd964a46c3965c0863b52cf1"

Host: %HOSTIP:%HTTPPORT

tests/data/test2030

+24 −0
Original line number Diff line number Diff line
@@ -13,6 +13,18 @@ HTTP NTLM auth 
<!-- Alternate the order that Digest and NTLM headers appear in responses to

ensure that the order doesn't matter. -->



<!--



 Explanation for the duplicate 400 requests:



 libcurl doesn't detect that a given Digest password is wrong already on the

 first 401 response (as the data400 gives). libcurl will instead consider the

 new response just as a duplicate and it sends another and detects the auth

 problem on the second 401 response!



-->





<!-- First request has NTLM auth, wrong password -->

<data100>

HTTP/1.1 401 Need Digest or NTLM auth
@@ -186,6 +198,13 @@ Content-Length: 29 
WWW-Authenticate: NTLM

WWW-Authenticate: Digest realm="testrealm", nonce="7"



HTTP/1.1 401 Sorry wrong password (3)

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 29

WWW-Authenticate: NTLM

WWW-Authenticate: Digest realm="testrealm", nonce="7"



This is a bad password page!

HTTP/1.1 200 Things are fine in server land (2)

Server: Microsoft-IIS/5.0
@@ -259,6 +278,11 @@ Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/2 
Host: %HOSTIP:%HTTPPORT

Accept: */*



GET /20300400 HTTP/1.1

Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20300400", response="d6262e9147db08c62ff2f53b515861e8"

Host: %HOSTIP:%HTTPPORT

Accept: */*



GET /20300500 HTTP/1.1

Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20300500", response="198757e61163a779cf24ed4c49c1ad7d"

Host: %HOSTIP:%HTTPPORT