Re: Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

From: Michael Osipov <>
Date: Thu, 17 Jul 2014 14:39:37 +0200

> From: "Daniel Stenberg" <>
> On Thu, 17 Jul 2014, Michael Osipov wrote:

> >> Yes, because you're asking for it!
> >
> > Then I would at least require the docs to say that preemptive is performed
> > by default. Users should be aware that they could disclose information.
> Yes it should! But you're expressing this funnily. If it _does_ probe first,
> it will disclose the exact same information if the server asks for basic auth

Haven't noticed that I brought some fun into it. I am trying to make a point.

Doing $ 'curl --basic -u ... http://host/proctected http://host2/unprotected'
without using next will reveal. Am I wrong?

> > After that at least, I have found a bug in curl which ends in an endless
> > redirect. I will report shortly.
> Ouch!
> >> If there's a missing option it would then rather be one that allows you to
> >> say "I only want to use {basic,digest,ntlm,...} but I still want to probe
> >> first" - which libcurl can do but that ability isn't exposed to the command
> >> line tool afair.
> >
> > How would that go in libcurl, I mean not preemptive?
> Add the 'CURLAUTH_ONLY' bit. Like when asking for only basic with a probe:

So adding --auth-only and --proxy-auth-only tied to CURLAUTH_ONLY would disable preemptive
auth and perform it if challenged? E.g.,

$ curl --basic --digest -u ... --auth-only <URL>

Received on 2014-07-17