cURL / Mailing Lists / curl-library / Single Mail

curl-library

WWW-Authenticate parsing bug (and fix)

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Wed, 19 Oct 2011 10:32:55 -0600

Hi:

RFC 2616 section 14.47 states that a single WWW-Authenticate header may contain more than one challenge in the header. Most servers put their challenges in separate headers, but the other day I ran into a server that did this:

WWW-Authenticate: X-MobileMe-AuthToken realm="Newcastle", Basic realm="Newcastle"

The server is <https://p01-contacts.icloud.com/>. As you can see, the header specifies a proprietary authentication challenge first and basic second. But the latest Git build of libcurl only reads (and ignores) the proprietary challenge and does not notice the basic challenge.

I've attached a patch for lib/http.c that fixes the bug by reading and parsing the entire header line rather than just the first challenge. I've been testing the patch and it does not appear to break anything. HTH!

Nick Zitzmann
<http://www.chronosnet.com/>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

application/octet-stream attachment: www-authenticate.patch

Received on 2011-10-19

This message: [ Message body ]
Next message: Dan Fandrich: "Re: ftp parse remote filesize from header"
Previous message: Steve Holme: "RE: [Bulk] RE: SMTP, data corruption and dot stuffing"
Next in thread: Daniel Stenberg: "Re: WWW-Authenticate parsing bug (and fix)"
Reply: Daniel Stenberg: "Re: WWW-Authenticate parsing bug (and fix)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]