WWW-Authenticate parsing bug (and fix)

From: Nick Zitzmann <>
Date: Wed, 19 Oct 2011 10:32:55 -0600


RFC 2616 section 14.47 states that a single WWW-Authenticate header may contain more than one challenge in the header. Most servers put their challenges in separate headers, but the other day I ran into a server that did this:

WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"

The server is <>. As you can see, the header specifies a proprietary authentication challenge first and basic second. But the latest Git build of libcurl only reads (and ignores) the proprietary challenge and does not notice the basic challenge.

I've attached a patch for lib/http.c that fixes the bug by reading and parsing the entire header line rather than just the first challenge. I've been testing the patch and it does not appear to break anything. HTH!

Nick Zitzmann

Received on 2011-10-19
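The multi-challenge case described in the mail, as an added example (not the attached patch and not libcurl's code): a scanner that walks the whole WWW-Authenticate value and reports every scheme offered, so a trailing Basic challenge is not missed. The names `auth_schemes`, `is_scheme`, `is_tchar` and the `AUTH_*` flags are hypothetical; it goes slightly beyond the mail's header by also skipping commas inside quoted strings.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { AUTH_BASIC = 1, AUTH_DIGEST = 2, AUTH_OTHER = 8 };
/* RFC 2616 token character: visible ASCII that is not a separator */
static int is_tchar(int c)
{
  return c > 32 && c < 127 && !strchr("()<>@,;:\\\"/[]?={}", c);
}

/* Case-insensitive match of tok[0..len) against a scheme name */
static int is_scheme(const char *tok, size_t len, const char *name)
{
  size_t i;
  for(i = 0; i < len && name[i]; i++)
    if(tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i]))
      return 0;
  return i == len && !name[i];
}

/* Bitmask of every scheme offered in one WWW-Authenticate field value */
int auth_schemes(const char *p)
{
  int mask = 0, quoted;
  while(*p) {
    while(*p == ',' || *p == ' ' || *p == '\t') p++;   /* list separators */
    const char *tok = p;
    while(is_tchar((unsigned char)*p)) p++;
    size_t len = (size_t)(p - tok);
    while(*p == ' ' || *p == '\t') p++;
    /* a token followed by '=' is an auth-param; any other token is a scheme */
    if(len && *p != '=')
      mask |= is_scheme(tok, len, "Basic") ? AUTH_BASIC :
              is_scheme(tok, len, "Digest") ? AUTH_DIGEST : AUTH_OTHER;
    /* skip to the next comma that is outside a quoted-string */
    for(quoted = 0; *p && (quoted || *p != ','); p++) {
      if(quoted && *p == '\\' && p[1]) p++;
      else if(*p == '"') quoted = !quoted;
    }
  }
  return mask;
}

int main(void)
{
  const char *h = "X-MobileMe-AuthToken realm=\"Newcastle\", Basic realm=\"Newcastle\"";
  printf("0x%x\n", auth_schemes(h));   /* header value quoted in the mail */
  return 0;
}
```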