cURL
Haxx ad
libcurl

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-tracker mailing list Archives

[ curl-Bugs-2203193 ] NTLM authentication and POST wrong behavior

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Mon, 24 Nov 2008 02:20:31 +0000

Bugs item #2203193, was opened at 2008-10-28 06:54
Message generated for change (Comment added) made by sf-robot
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2203193&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: wrong content
>Status: Closed
Resolution: Works For Me
Priority: 6
Private: No
Submitted By: Yossi Nakash (yossinakash)
Assigned to: Daniel Stenberg (bagder)
Summary: NTLM authentication and POST wrong behavior

Initial Comment:
Hi,

I found a wrong behavior in CURL.
My libcurl version is 7.18.2.
My OS is Windows XP, the server I'm testing is windows 2003, and the server is IIS 6.

The wrong behavior I get:
Wnen I do POST with NTLM Authentication, I get 400 Bad request.

I used WireShark to viw the traffic and I saw the following:
1. POST is performed with "Content-Length: 214" + data.
2. Response 401.
3. POST is performed with "Content-Length: 214" with no data !!
4. Response 401.
5. POST is performed with "Content-Length: 214" + data.
6. Response 400 Bad Request.

I would expect the POST in paragraph 3 to send either "Content-Length: 0", or attach the data.

I'm not familiar with CURL too much, so I briefly did the following change to fix the issue:
I commented the following code, in http.c in line 2661:
  case HTTPREQ_POST:
/* my comment
    if(conn->bits.authneg)
      postsize = 0;
    else
*/

This fix did the trick to solve the issue.

I hope that you'll supply a better fix than that.
I don't have an open site for it, so I can't attach a link.
I work in RadView, and I had a similar issue in the past, I worked then with Daniel Stenberg.

Regards,
Yossi

----------------------------------------------------------------------

>Comment By: SourceForge Robot (sf-robot)
Date: 2008-11-24 02:20

Message:
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-11-03 09:38

Message:
I will recheck version 7.19 and get back to you

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-11-03 09:35

Message:
The else clause is not supposed be executed. 'conn->bits.authneg' is set
TRUE in this condition as it is in the middle of "authentication
negotiation".

The source indent is wrong in the 7.19.0 code (and earlier) so don't get
tricked into believing that the following isn't done when
"conn->bits.authneg" is TRUE. It is.

Thus, the condition on line 2747 will in your case equal TRUE and then the
condition on line 2752 will equal TRUE and then the code on line 2755
should run and it should add the correct Content-Length: 0 since 'postsize'
is at that point set to zero (done on line 2740).

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-11-03 09:27

Message:
It's too bad you cannot reproduce the issue. I looked into 7.19.

There is code that sets 'Content-Length: 0', too bad it doesn't go there.
we go into the if in line 2739, and do not enter to the 'else'.
I'll copy the lines that set 'Content=-Length: 0" to the 'if' and get back
to you.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-11-03 09:09

Message:
I don't know how I can say this in better way or more explicitly than I've
already done:

The code is _already there_ to set "Content-Length: 0" for the case where
libcurl isn't going to send anything. In the 7.19.0 code base the exact
code line is lib/http.c:2755

And yes, that's very close to the point where you suggested the original
"fix".

What else can I say? Can please tell me how I am wrong in this statement
of mine?

What value would need to be reset?

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-11-03 08:59

Message:
The current code sets the content data to 0, that's true. BUT, the
'Content-Length' header, still indicates the data (not being sent) length.
- so, the correct fix would be to set the 'Content-Length' header to 0.
On the same place I entered my fix\patch, it would be correct to set the
'Content-Length' header to 0.
I don't know efficient way to reset this value - if you could tell me
what's the preferred way, I could reset it, and check the fix here.
Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-11-02 22:38

Message:
But can you then tell me why the current code DOESN'T add that header?
What's wrong with the logic that in my eyes already does this? And the
current logic already does this for the PUT case as well.

You say the correct fix is the way I say the code already works!

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-11-02 07:28

Message:
The correct fix, in my opinion, is to set the content length to 0. but, it
is important to check where are the other places that set the content data
to 0 - I saw at least one other place - in PUT.

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-31 13:47

Message:
The code is _already there_ to set "Content-Length: 0" for the case where
libcurl isn't going to send anything. In the 7.19.0 code base the exact
code line is lib/http.c:2755

What fix do you consider to be the correct one?

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-31 13:40

Message:
It's a simple POST (with data) with NTLM authentication on a IIS 6 server.
I would love to help, if you could only guide me where is the best place
to set the content length to 0 on NTLM authentication, and I'll do that.
I believe the fix is correct in any case (because curl sends no data
anyways). and w edo not want to forget the PUT, and maybe more(?).

Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-30 23:37

Message:
I understand that but since I cannot reproduce the issue nor do I even
understand how it can do what you say it does, I pretty much depend on
someone (like you) to help me out.

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-30 07:26

Message:
I agree.
The best solution would be to the set the Content-Length to be 0 on step
3.
There are two ways that I am aware of to do it, but as I mentioned
earlier, I am not familiar enough with CURL, and I don't like entering
'patches' without understanding the full architecture - There might be
other issues I'm missing - such as PUT (has the same thing there), or
something else.
That's why I submitted the issue, for you experts to give a better
diagnostic and fix.

Thanks,
Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-29 21:58

Message:
But your "fix" will make libcurl send away the data in step 3 in vain
(since the server doesn't want it), and if that is a lot of data you (==
all users doing POST over NTLM) get a serious penalty. Thus it is worth
pursuing a better fix...

----------------------------------------------------------------------

Comment By: Yossi Nakash (yossinakash)
Date: 2008-10-29 15:18

Message:
Hi,

I'm using CURL as client in a man-in-the-middle proxy, so I get a lot of
data, that I'm not sure was got before. (posts with data with NTLM, for
this matter).
Regarding IIS strange behavior(step 3 wrong message cause error in step
6), It's a fact that it has this issue, I didn't investigate why IIS
behaves like that, I just noticed the problem and fixed it (it works fine
now).
I just googled it now, and found the following:
http://osdir.com/ml/web.curl.library/2004-03/msg00261.html maybe it's
related.

maybe there are more issues.
Thanks,
Yossi

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2008-10-28 23:35

Message:
First, this approach has been proven to work numerous times in the past so
it's a bit strange that you get a problem with it all of a sudden. If step
3 is the bad one, why don't you get the error until after step 5?

I don't see how that code _doesn't_ send "Content-Lenth: 0" at step 3. Can
you see why/how?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=2203193&group_id=976
Received on 2008-11-24

These mail archives are generated by hypermail.

donate! Page updated November 12, 2010.
web site info

File upload with ASP.NET