cURL / Mailing Lists / curl-library / Single Mail


Re: Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

From: Daniel Stenberg <>
Date: Thu, 17 Jul 2014 15:06:43 +0200 (CEST)

On Thu, 17 Jul 2014, Michael Osipov wrote:

>> Yes it should! But you're expressing this funnily. If if _does_ probe
>> first, it will disclose the exact same information if the server asks for
>> basic auth
> Haven't noticed that I brought some fun into it.

"funny" in the meaning of "strange" or "peculiar".

> I am trying to make a point.
> Doing $ 'curl --basic -u ... http://host/proctected
> http://host2/unprotected'

> without using next will reveal. Am I wrong?

No, that's exactly how it works. It sends HTTP Basic credentials in both
requests immediately without probing.

> So adding --auth-only and --proxy-auth-only tied to CURLAUTH_ONLY would
> disable preemptive auth and perform of if challenged? E.g.,
> $ curl --basic --digest -u ... --auth-only <URL>

Yes - if you truly want only that particular auth method AND a "probe". But I
would argue that the options should be named differently! =)

List admin:
Received on 2014-07-18