Bugs item #2203193, was opened at 2008-10-28 07:54
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2203193&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: wrong content
Status: Open
Resolution: None
Priority: 6
Private: No
Submitted By: Yossi Nakash (yossinakash)
Assigned to: Daniel Stenberg (bagder)
Summary: NTLM authentication and POST wrong behavior

Initial Comment:
Hi,

I found a wrong behavior in CURL.
My libcurl version is 7.18.2.
My OS is Windows XP, the server I'm testing is windows 2003, and the server is IIS 6.

The wrong behavior I get:
Wnen I do POST with NTLM Authentication, I get 400 Bad request.

I used WireShark to viw the traffic and I saw the following:
1. POST is performed with "Content-Length: 214" + data.
2. Response 401.
3. POST is performed with "Content-Length: 214" with no data !!
4. Response 401.
5. POST is performed with "Content-Length: 214" + data.
6. Response 400 Bad Request.

I would expect the POST in paragraph 3 to send either "Content-Length: 0", or attach the data.

I'm not familiar with CURL too much, so I briefly did the following change to fix the issue:
I commented the following code, in http.c in line 2661:
  case HTTPREQ_POST:
/* my comment
    if(conn->bits.authneg)
      postsize = 0;
    else
*/

This fix did the trick to solve the issue.

I hope that you'll supply a better fix than that.
I don't have an open site for it, so I can't attach a link.
I work in RadView, and I had a similar issue in the past, I worked then with Daniel Stenberg.

Regards,
Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-31 14:47

Message:
The code is _already there_ to set "Content-Length: 0" for the case where
libcurl isn't going to send anything. In the 7.19.0 code base the exact
code line is lib/http.c:2755

What fix do you consider to be the correct one?

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-31 14:40

Message:
It's a simple POST (with data) with NTLM authentication on a IIS 6 server.
I would love to help, if you could only guide me where is the best place
to set the content length to 0 on NTLM authentication, and I'll do that.
I believe the fix is correct in any case (because curl sends no data
anyways). and w edo not want to forget the PUT, and maybe more(?).

Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-31 00:37

Message:
I understand that but since I cannot reproduce the issue nor do I even
understand how it can do what you say it does, I pretty much depend on
someone (like you) to help me out.

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-30 08:26

Message:
I agree.
The best solution would be to the set the Content-Length to be 0 on step
3.
There are two ways that I am aware of to do it, but as I mentioned
earlier, I am not familiar enough with CURL, and I don't like entering
'patches' without understanding the full architecture - There might be
other issues I'm missing - such as PUT (has the same thing there), or
something else.
That's why I submitted the issue, for you experts to give a better
diagnostic and fix.

Thanks,
Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-29 22:58

Message:
But your "fix" will make libcurl send away the data in step 3 in vain
(since the server doesn't want it), and if that is a lot of data you (==
all users doing POST over NTLM) get a serious penalty. Thus it is worth
pursuing a better fix...

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-29 16:18

Message:
Hi,

I'm using CURL as client in a man-in-the-middle proxy, so I get a lot of
data, that I'm not sure was got before. (posts with data with NTLM, for
this matter).
Regarding IIS strange behavior(step 3 wrong message cause error in step
6), It's a fact that it has this issue, I didn't investigate why IIS
behaves like that, I just noticed the problem and fixed it (it works fine
now).
I just googled it now, and found the following:
http://osdir.com/ml/web.curl.library/2004-03/msg00261.html maybe it's
related.

maybe there are more issues.
Thanks,
Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-29 00:35

Message:
First, this approach has been proven to work numerous times in the past so
it's a bit strange that you get a problem with it all of a sudden. If step
3 is the bad one, why don't you get the error until after step 5?

I don't see how that code _doesn't_ send "Content-Lenth: 0" at step 3. Can
you see why/how?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2203193&group_id=976
Received on 2008-10-31