Bugs item #2203193, was opened at 2008-10-28 07:54
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2203193&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: wrong content
Status: Open
Resolution: None
Priority: 6
Private: No
Submitted By: Yossi Nakash (yossinakash)
Assigned to: Daniel Stenberg (bagder)
Summary: NTLM authentication and POST wrong behavior

Initial Comment:
Hi,

I found a wrong behavior in CURL.
My libcurl version is 7.18.2.
My OS is Windows XP, the server I'm testing is windows 2003, and the server is IIS 6.

The wrong behavior I get:
Wnen I do POST with NTLM Authentication, I get 400 Bad request.

I used WireShark to viw the traffic and I saw the following:
1. POST is performed with "Content-Length: 214" + data.
2. Response 401.
3. POST is performed with "Content-Length: 214" with no data !!
4. Response 401.
5. POST is performed with "Content-Length: 214" + data.
6. Response 400 Bad Request.

I would expect the POST in paragraph 3 to send either "Content-Length: 0", or attach the data.

I'm not familiar with CURL too much, so I briefly did the following change to fix the issue:
I commented the following code, in http.c in line 2661:
  case HTTPREQ_POST:
/* my comment
    if(conn->bits.authneg)
      postsize = 0;
    else
*/

This fix did the trick to solve the issue.

I hope that you'll supply a better fix than that.
I don't have an open site for it, so I can't attach a link.
I work in RadView, and I had a similar issue in the past, I worked then with Daniel Stenberg.

Regards,
Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-29 22:58

Message:
But your "fix" will make libcurl send away the data in step 3 in vain
(since the server doesn't want it), and if that is a lot of data you (==
all users doing POST over NTLM) get a serious penalty. Thus it is worth
pursuing a better fix...

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-29 16:18

Message:
Hi,

I'm using CURL as client in a man-in-the-middle proxy, so I get a lot of
data, that I'm not sure was got before. (posts with data with NTLM, for
this matter).
Regarding IIS strange behavior(step 3 wrong message cause error in step
6), It's a fact that it has this issue, I didn't investigate why IIS
behaves like that, I just noticed the problem and fixed it (it works fine
now).
I just googled it now, and found the following:
http://osdir.com/ml/web.curl.library/2004-03/msg00261.html maybe it's
related.

maybe there are more issues.
Thanks,
Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-29 00:35

Message:
First, this approach has been proven to work numerous times in the past so
it's a bit strange that you get a problem with it all of a sudden. If step
3 is the bad one, why don't you get the error until after step 5?

I don't see how that code _doesn't_ send "Content-Lenth: 0" at step 3. Can
you see why/how?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2203193&group_id=976
Received on 2008-10-29