curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Username and password in URL stopped working with proxy

From: Mike Crowe via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 14 Aug 2019 18:22:46 +0100

On Sunday 04 August 2019 at 23:35:17 +0200, Daniel Stenberg via curl-library wrote:
> On Sat, 3 Aug 2019, Mike Crowe wrote:
>
> > I've attached two logs. One from my build of master, and one from the
> > Debian Stretch version of curl (7.52.1.) It looks like v7.52.1 passes
> > the username and password on to the proxy in the URL, whereas master
> > does not:
>
> I ran
>
> cd tests && ./runtests.pl "HTTP Digest Auth"
>
> ... and it did 48 successful tests for me on master just now. I don't know
> how your case differs from all those 48.

Sorry for the delay in replying, I've been away.

> Does it make a difference if you provide the user name and password with -u
> instead of in the URL ?

It works with the current state of master. (Although it looks like
46e164069d1a5230e4e64cbd2ff46c46cce056bb did originally break this usage,
but it was fixed later.)

> Does it make a difference if you drop --fail?

No. I only added the --fail to make my bisect script easier to write.

> Does it make a difference if you use --digest instead of --anyauth?

No.

It looks like the logs I attached previously weren't as useful as they
should have been because the proxy was caching the response. I've attached
a couple of new logs that don't suffer from that problem:

curl-master.log clearly shows that when libcurl makes the second
connection, ostensibly providing authentication, it fails to send an
Authentication header. curl-f078361c0e2539689df9962f35ab22f8ea25afe9.log
shows that the corresponding libcurl version does send an Authentication
header.

I think that the fact that the GET line sent to the proxy used to contain
the user and password and no longer does provides a clue as to what might
be going wrong. I instrumented lib/url.c:parseurlandfillcon, and it seems
that the user and password have already been stripped from the URL by that
point, so curl_url_get returns NULL for both CURLUPART_USER and
CURLUPART_PASSWORD.

I'm suspicious about this code in lib/http.c:Curl_http:

    if(strcasecompare("http", data->state.up.scheme)) {
      /* when getting HTTP, we don't want the userinfo the URL */
      uc = curl_url_set(h, CURLUPART_USER, NULL, 0);
      if(uc) {
        curl_url_cleanup(h);
        return CURLE_OUT_OF_MEMORY;
      }
      uc = curl_url_set(h, CURLUPART_PASSWORD, NULL, 0);
      if(uc) {
        curl_url_cleanup(h);
        return CURLE_OUT_OF_MEMORY;
      }
    }

If I remove this code, then the Authorization header is correctly passed
and everything works.

If this doesn't help point at the problem, please can you post the full
output from when you successfully ran:

 $ ./src/curl http://daniel:hello@www.haxx.se -x localhost:80 --trace-ascii -
    -o /dev/null

Thanks.

Mike.

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2019-08-14