
Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

From: Michael Osipov
Date: Thu, 17 Jul 2014 13:53:54 +0200

> From: "Daniel Stenberg"
> On Thu, 17 Jul 2014, Michael Osipov wrote:
> > WWW-Authenticate: Basic realm="A"
> > WWW-Authenticate: Basic realm="B"
> >
> > That makes no sense and is incorrect.
> Is it really? What if it has two overlapping realms and offers you to log in to
> any of them to access that resource?
> I'm fully convinced you will find servers out there returning headers like
> that.

Maybe true but that is not covered in libcurl either. You cannot scope the auth.

> >> $ curl --verbose --basic -u michael-o:secret http://<host> -o /dev/null
> > The client has never been challenged to authenticate but performs preemptive
> > auth, thus disclosing his password.
> Yes, because you're asking for it!

Then I would at least require the docs to say that preemptive is performed by default.
Users should be aware that they could disclose information.

After that at least, I have found a bug in curl which ends in an endless redirect.
I will report shortly.

> >> I don't see a need for --preemptive.
> >
> > The above shows the need.
> I disagree. Use --anyauth instead of --basic and it'll probe and use whatever
> method the server and curl agree to use.
> If there's a missing option it would then rather be one that allows you to say
> "I only want to use {basic,digest,ntlm,...} but I still want to probe first" -
> which libcurl can do but that ability isn't exposed to the command line tool
> afair.

How would that go in libcurl, I mean not preemptive?

Received on 2014-07-17
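
The difference discussed in this thread between preemptive Basic auth and probing first, as an added Python example that is not part of the original mail and is not curl or libcurl code: it models a client that releases credentials only after a 401 offering the one allowed scheme, and keeps duplicated `WWW-Authenticate: Basic` headers as separate realms. The function names, the policy strings and the sample responses are constructed for illustration, and one challenge per header line is assumed.

```python
import base64
import re

# auth-param: name=token or name="quoted string"
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

# Constructed sample responses: (status, [WWW-Authenticate header values])
CONSTRUCTED_401_BASIC = (401, ['Basic realm="A"', 'Basic realm="B"'])
CONSTRUCTED_401_DIGEST = (401, ['Digest realm="A", nonce="abc"'])
CONSTRUCTED_200 = (200, [])


def parse_challenges(header_values):
    """Return [(scheme, params)], one entry per header line, duplicates kept."""
    challenges = []
    for value in header_values:
        scheme, _, rest = value.strip().partition(" ")
        params = {k.lower(): (q or u) for k, q, u in _PARAM.findall(rest)}
        challenges.append((scheme.lower(), params))
    return challenges


def basic_realms(header_values):
    """Realms of every Basic challenge, in the order the server sent them."""
    return [p.get("realm", "") for s, p in parse_challenges(header_values)
            if s == "basic"]


def basic_token(user, password):
    """Authorization header value for Basic; base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def credentials_to_send(policy, response, user, password, allowed="basic"):
    """Decide what goes in Authorization on the next request.

    policy   -- "preemptive" (send before any challenge) or "probe"
    response -- None before the first request, else (status, header values)
    Returns the header value, or None when nothing may be disclosed.
    """
    if policy == "preemptive":
        return basic_token(user, password)
    if response is None:
        return None  # probing: the first request carries no credentials
    status, header_values = response
    if status != 401:
        return None  # never challenged, so the password never leaves
    offered = {scheme for scheme, _ in parse_challenges(header_values)}
    return basic_token(user, password) if allowed in offered else None
```

Under the "probe" policy the password is sent only in the Basic-challenge case; which of the duplicated realms it belongs to is left to the caller via `basic_realms`.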