curl-library

Double WWW-Authenticate headers for Digest

From: Dave Dribin <dave-ml_at_dribin.org>
Date: Mon, 17 Oct 2005 14:28:49 -0500

Hi all,

I'm dealing with a server that is sending the WWW-Authenticate twice in
the same response for its digest authentication. This is clearly out
of spec, and I don't think that libcurl should support this for the
general public. However, I would still like to use libcurl for my
project, and I'm thinking of making private modifications to get this
to work. I have no problems maintaining this patch from release to
release, so I'm not worried about that. I'm not *happy* about it, but
sometimes you gotta do silly things for users. :)

So I'm soliciting some advice on how best to modify libcurl to get
around this. Since the two headers are identical, the second header
gets bonged because Curl gets another nonce without it being marked as
stale (http_digest.c:189). Curl_input_digest returns CURLDIGEST_BAD,
this essentially ignores the header, and we don't get past the 401s.
Since this is a private fix, I'm tempted to just ignore this situation
(i.e. comment out lines 189 and 190 in http_digest.c). This is a
simple fix and it's easy to re-apply to future versions of libcurl.
However, it causes an infinite loop if the credentials are bad. Maybe
I should add a count to data->state.digest so that I can detect this
situation? Or maybe I should deal with this in transfer.c where the
headers are being parsed?

BTW, if this is something you think should be included in standard
libcurl, I can post my fixes, once I get that far.

Thanks,

-Dave
Received on 2005-10-17
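
The situation described in the message above, as an added example that is not part of the original post and is not libcurl code: a small model that ignores an identical Digest challenge repeated inside one response, still treats a fresh non-stale challenge on a later 401 as rejected credentials, and caps stale renegotiations with a counter. All names here (`digest_state`, `digest_challenge`, `MAX_STALE_ROUNDS`, the response number) are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model for illustration; not libcurl's structures or API. */
enum ch_result { CH_USE, CH_DUPLICATE, CH_REJECTED, CH_GIVE_UP };

struct digest_state {
  char nonce[128];   /* nonce in use, "" if no challenge seen yet */
  unsigned response; /* number of the response that delivered it */
  int stale_rounds;  /* stale=true renegotiations accepted so far */
};

#define MAX_STALE_ROUNDS 3 /* assumed cap so a server cannot loop us forever */

/* Handle one "WWW-Authenticate: Digest" header seen in response `resp`. */
enum ch_result digest_challenge(struct digest_state *st, unsigned resp,
                                const char *nonce, bool stale)
{
  if(strlen(nonce) >= sizeof(st->nonce))
    return CH_REJECTED;
  if(st->nonce[0]) {
    if(st->response == resp) /* second header inside the same response */
      return strcmp(st->nonce, nonce) == 0 ? CH_DUPLICATE : CH_REJECTED;
    if(!stale)               /* new challenge after we answered: bad creds */
      return CH_REJECTED;
    if(++st->stale_rounds > MAX_STALE_ROUNDS)
      return CH_GIVE_UP;
  }
  strcpy(st->nonce, nonce); /* length checked above */
  st->response = resp;
  return CH_USE;
}

int main(void)
{
  /* Constructed sequence: doubled header in response 1, then a second 401. */
  struct digest_state st;
  memset(&st, 0, sizeof(st));
  printf("%d\n", digest_challenge(&st, 1, "n1", false)); /* CH_USE */
  printf("%d\n", digest_challenge(&st, 1, "n1", false)); /* CH_DUPLICATE */
  printf("%d\n", digest_challenge(&st, 2, "n2", false)); /* CH_REJECTED */
  return 0;
}
```

Because the duplicate is recognised by response number and exact nonce match, the non-stale check stays in force across responses, so bad credentials still end the exchange after one retry.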