On Wed, 30 Oct 2013, Steve Holme wrote:

> I will investigate this a little later and post my feedback. If we
> could hang fire on pushing any fixes I would apprecaite it.

Here is my take on a fix - it attempts to extract the authentication header
value, using copy_header_value() which it then passes onto
Curl_http_input_auth(). This means that Curl_http_input_auth() doesn't have
to then try and skip over the header key, as it currently does, but it also
strips off the CRLF before Curl_base64_decode() is called (similar in
principle to what I do in the email protocols) and thus keeping the job of
Curl_base64_decode() to that of decoding a base64 encoded string and not
having to worry about protocol layer characters.

The reason for using copy_header_value() is that it not only extracts the
value but copies it to a new string rather than placing an inline 0x00
terminator into the header line directly (which is currently what I do in
the email protocols - I little dangerous I know but I also know the buffer
isn't going to used again elsewhere in these protocols - and because of my
limited understanding of our HTTP implementation I can't be sure of that).

As I don't currently run the test suite locally nor have access to a HTTP
server using HTTP Authentication would someone be so kind to test the
enclosed patch?

Many thanks in advance

Kind Regards

Steve

Received on 2013-10-30