
curl-library

Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Thu, 17 Jul 2014 13:19:08 +0200

> Von: "Daniel Stenberg" <daniel_at_haxx.se>
> On Thu, 17 Jul 2014, Michael Osipov wrote:
>
> > The issue is that your server does not behave the way intended. That
> > requires a custom fix in curl.
>
> Well, we need to handle what servers do or can do, and duplicated headers are a
> very common mistake in the wild - sometimes not even by mistake.

Yes, but just to avoid misunderstanding. I was not talking about this:

WWW-Authenticate: Basic, Digest
or
WWW-Authenticate: Basic
WWW-Authenticate: Digest

but about

WWW-Authenticate: Basic realm="A"
WWW-Authenticate: Basic realm="B"

That makes no sense and is incorrect.

> > The other issue with curl is that it performs preemptive auth which is a bug
> > because the RFC says MAY. That requires an option --preemptive. Especially,
> > not all acceptors are capable of processing preemptive auth.
>
> I'm not following. If you're talking about libcurl selecting a specific single
> auth method at once, that should still behave the proper way. It just means
> that the user of libcurl has specified exactly one single auth method so that
> we know which method to use.

No, see here (including information disclosure):

> $ curl --verbose http://<host> -o /dev/null
> * Rebuilt URL to: http://<host>/
> * Hostname was NOT found in DNS cache
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying <IP>...
> * Connected to <host> (<IP>) port 80 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.37.0
> > Host: <host>
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Thu, 17 Jul 2014 11:17:18 GMT
> * Server Apache/2.2.27 (FreeBSD) PHP/5.4.30 SVN/1.8.9 mod_ssl/2.2.27 OpenSSL/1.0.1h DAV/2 is not blacklisted
> < Server: Apache/2.2.27 (FreeBSD) PHP/5.4.30 SVN/1.8.9 mod_ssl/2.2.27 OpenSSL/1.0.1h DAV/2
> < Content-Length: 332
> < Content-Type: text/html;charset=ISO-8859-1
> <
> { [data not shown]
> 100 332 100 332 0 0 53060 0 --:--:-- --:--:-- --:--:-- 55333
> * Connection #0 to host <host> left intact

> $ curl --verbose --basic -u michael-o:secret http://<host> -o /dev/null
> * Rebuilt URL to: http://<host>/
> * Hostname was NOT found in DNS cache
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0*
> Trying <IP>...
> * Connected to <host> (<IP>) port 80 (#0)
> * Server auth using Basic with user 'michael-o'
> > GET / HTTP/1.1
> > Authorization: Basic bWljaGFlbC1vOnNlY3JldA==
> > User-Agent: curl/7.37.0
> > Host: <host>
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Thu, 17 Jul 2014 11:14:03 GMT
> * Server Apache/2.2.27 (FreeBSD) PHP/5.4.30 SVN/1.8.9 mod_ssl/2.2.27 OpenSSL/1.0.1h DAV/2 is not blacklisted
> < Server: Apache/2.2.27 (FreeBSD) PHP/5.4.30 SVN/1.8.9 mod_ssl/2.2.27 OpenSSL/1.0.1h DAV/2
> < Content-Length: 332
> < Content-Type: text/html;charset=ISO-8859-1
> <
> { [data not shown]
> 100 332 100 332 0 0 57389 0 --:--:-- --:--:-- --:--:-- 66400
> * Connection #0 to host <host> left intact

The client has never been challenged to authenticate but performs preemptive auth, thus disclosing his password.
 
> I don't see a need for --preemptive.

The above shows the need.

Michael
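Added illustration (not code from the thread, the patch, or curl itself): a small challenge-driven client helper in Python that parses the WWW-Authenticate forms Michael distinguishes above (a comma-separated "Basic, Digest" list, one scheme per header, and the conflicting `Basic realm="A"` / `Basic realm="B"` pair) and only permits Basic credentials after a 401 that actually offered Basic, never preemptively on a 200 as in the captured sessions. Function names, the header-pair input shape and the sample values are my own assumptions; token68 credentials (e.g. Negotiate blobs) are not modelled.

```python
import re
from collections import defaultdict

# Split on commas outside double-quoted strings, so Digest's
# qop="auth,auth-int" is not torn apart.
def _split_commas(value):
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def _param(text):
    """Parse one name=value auth-param (quoted or bare value); {} if absent."""
    m = re.match(r'\s*([^\s=]+)\s*=\s*(?:"([^"]*)"|([^\s",]*))\s*$', text)
    if not m:
        return {}
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)}

def parse_challenges(headers):
    """Merge all WWW-Authenticate headers (list of (name, value) pairs, constructed
    input shape) into a list of (scheme, params). Handles 'Basic, Digest' in one
    header as well as one scheme per header."""
    challenges = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for piece in _split_commas(value):
            parts = re.split(r"\s+", piece, maxsplit=1)
            head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            # 'realm="x"' (an '=' before any space) continues the previous
            # challenge; a bare token starts a new scheme.
            if "=" in head and challenges:
                challenges[-1][1].update(_param(piece))
            else:
                challenges.append((head.lower(), _param(rest)))
    return challenges

def conflicting_realms(challenges):
    """Schemes offered more than once with differing realms: the
    Basic realm="A" + Basic realm="B" case, which a client cannot satisfy."""
    realms = defaultdict(set)
    for scheme, params in challenges:
        realms[scheme].add(params.get("realm"))
    return sorted(s for s, r in realms.items() if len(r) > 1)

def may_send_basic(status, headers):
    """Send Basic credentials only in reply to a 401 that offered Basic."""
    if status != 401:
        return False
    return any(s == "basic" for s, _ in parse_challenges(headers))
```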
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-17