Loading CHANGES +27 −0 Original line number Diff line number Diff line Loading @@ -7,6 +7,33 @@ Changelog Daniel S (22 July 2007) - HTTP Digest bug fix by Chris Flerackers: Scenario - Perfoming a POST request with body - With authentication (only Digest) - Re-using a connection libcurl would send a HTTP POST with an Authorization header but without body. Our server would return 400 Bad Request in that case (because authentication passed, but the body was empty). Cause 1) http_digest.c -> Curl_output_digest - Updates allocptr.userpwd/allocptr.proxyuserpwd *only* if d->nonce is filled in (and no errors) - authp->done = TRUE if d->nonce is filled in 2) http.c -> Curl_http - *Always* uses allocptr.userpwd/allocptr.proxyuserpwd if not NULL 3) http.c -> Curl_http, Curl_http_output_auth So what happens is that Curl_output_digest cannot yet update the Authorization header (allocptr.userpwd) which results in authhost->done=0 -> authhost->multi=1 -> conn->bits.authneg = TRUE. The body is not added. *However*, allocptr.userpwd is still used when building the request - Added test case 354 that makes a simple FTP retrieval without password, which verifies the bug fix in #1757328. Loading RELEASE-NOTES +51 −1 Original line number Diff line number Diff line Loading 
@@ -47,6 +47,56 @@ advice from friends like these: Dan Fandrich, Song Ma, Daniel Black, Giancarlo Formicuccia, Shmulik Regev, Daniel Cater, Colin Hogben, Jofell Gallardo, Daniel Johnson, Ralf S. Engelschall, James Housley Ralf S. Engelschall, James Housley, Curl and libcurl 7.16.5 Public curl release number: 101 Releases counted from the very beginning: 127 Available command line options: 118 Available curl_easy_setopt() options: 143 Number of public functions in libcurl: 55 Amount of public web site mirrors: 39 Number of known libcurl bindings: 35 Number of contributors: 572 This release includes the following changes: o This release includes the following bugfixes: o test cases 31, 46, 61, 506, 517 now work in time zones that use leap seconds o problem with closed proxy connection during HTTP CONNECT auth negotiation o transfer-encoding skipping didn't ignore the 407 response bodies properly o CURLOPT_SSL_VERIFYHOST set to 1 o CONNECT endless loop o krb5 support builds with Heimdal o added returned error string for connection refused case o re-use of dead FTP control connections o login to FTP servers that don't require (nor understand) PASS after the USER command o bad free of memory from libssh2 o the SFTP PWD command works o HTTP Digest auth on a re-used connection This release includes the following known bugs: o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html) Other curl-related news: o pycurl 7.16.4 was released http://pycurl.sf.net o TclCurl 7.16.4 was released http://personal1.iddeo.es/andresgarci/tclcurl/english/ New curl mirrors: o http://curl.freeby.pctools.cl is a new mirror in Chile This release would not have looked like this without help, code, reports and advice from friends like these: Dan Fandrich, Song Ma, Daniel Black, Giancarlo Formicuccia, Shmulik Regev, Daniel Cater, Colin Hogben, Jofell Gallardo, Daniel Johnson, Ralf S. Engelschall, James Housley, Chris Flerackers Thanks! 
(and sorry if I forgot to mention someone) lib/http_digest.c +5 −2 Original line number Diff line number Diff line Loading @@ -266,6 +266,11 @@ CURLcode Curl_output_digest(struct connectdata *conn, authp = &data->state.authhost; } if (*allocuserpwd) { Curl_safefree(*allocuserpwd); *allocuserpwd = NULL; } /* not set means empty */ if(!userp) userp=(char *)""; Loading Loading @@ -388,8 +393,6 @@ CURLcode Curl_output_digest(struct connectdata *conn, nonce="1053604145", uri="/64", response="c55f7f30d83d774a3d2dcacf725abaca" */ Curl_safefree(*allocuserpwd); if (d->qop) { *allocuserpwd = aprintf( "%sAuthorization: Digest " Loading Loading
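Review bot: In the CHANGES hunk, cause item 3) names "http.c -> Curl_http, Curl_http_output_auth" but does not say what those functions contribute, and the entry ends at the cause without stating the fix. Suggest a closing line saying that Curl_output_digest now frees and clears the previous Authorization header on entry, so a header left over from the earlier request on the re-used connection is no longer sent while conn->bits.authneg is TRUE and the body is withheld. "Perfoming" should read "Performing", and the last sentence of the entry is missing its full stop.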
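Review bot: The block added at line 266 of lib/http_digest.c has no comment saying why the header is dropped before the nonce is examined, and that ordering is the whole fix. A one-line comment such as "clear any header from a previous request so Curl_http cannot reuse it" would stop a later cleanup from moving the free back down. The guard "if (*allocuserpwd)" also looks unnecessary, since the call removed in the second hunk invoked Curl_safefree(*allocuserpwd) with no NULL check, and its "if (" spacing differs from the "if(!userp)" on the context line directly below.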
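Review bot: In the second lib/http_digest.c hunk, removing Curl_safefree(*allocuserpwd) just ahead of "*allocuserpwd = aprintf(" leaves that assignment leak-free only because of the clear added near line 266, and nothing at this site says so. Suggest either a short comment here pointing at the earlier clear or keeping the free in both places, since freeing an already cleared pointer is harmless. None of the three files shown adds a test for the scenario in the CHANGES entry (POST with body, Digest only, re-used connection), so a regression case asserting that the re-sent request carries no stale Authorization header would be worth adding alongside this change.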