curl-tracker Archives

[curl:bugs] #1484 sasl_sspi does not correctly populate Domain/Realm on Windows

From: Steve Holme <captain-caveman_at_users.sf.net>
Date: Wed, 25 Feb 2015 14:39:42 +0000

Thanks for your bug report and suggested fix.

I've had a quick look at your pull request, as I haven't yet had the time to download it as a patch and apply it locally, but apart from some curl coding style fixes it seems pretty good in its current state.

My only query before merging it is:

Do you know / did you investigate to see whether the realm can be pulled out of the challenge using SSPI functions rather than pulling in our own native digest decoding routines?

Kind Regards

Steve

---
**[bugs:#1484] sasl_sspi does not correctly populate Domain/Realm on Windows**
**Status:** open
**Labels:** sasl_sspi
**Created:** Sat Feb 21, 2015 07:04 AM UTC by Grant Pannell
**Last Updated:** Sat Feb 21, 2015 07:04 AM UTC
**Owner:** nobody

With the release of Curl 7.40.0, on Windows, SSPI handles http_digest authentication.
I've noticed that the behavior of using digest auth on most non-Microsoft based HTTP servers will return an unauthorized error. This is because the realm in the challenge response is not populated correctly. The only way to authorize access is for the user to have knowledge of the "Realm" of the challenge-message, which is not usually the case.
I've noticed the PHP Windows binaries now use 7.40.0 and compile with USE_WINDOWS_SSPI.
Some examples (user:password) formats specified with CURLOPT_USERPWD:
"User:Password" results in realm="", even though the server has specified a realm (this is NOT OK)
"Realm\User:Password" results in realm="Realm" (this is OK, maybe? Realm specified by the server may not be the same, but Microsoft HTTP servers may deal with this)
This also conflicts with users that may contain "\" and servers that don't use the MS DOMAIN\User format. Either way, the behavior significantly varies from using Curl without USE_WINDOWS_SSPI.
Instead, this patch populates the realm from the challenge message if the user does not explicitly use the DOMAIN\User format.
Example:
Domain\User ; domain=Domain, user=User
\Domain\User ; domain=server realm, user=Domain\User
User ; domain=server realm, user=User
Domain\ ; domain=Domain, user=blank
\ ; domain=server realm; user=blank
\\ ; domain=server realm; user=\
I've made a pull request on Github that solves the problem, but I am not a fantastic C/C++ coder: https://github.com/bagder/curl/pull/141
Thanks
Received on 2015-02-25
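
The splitting rule from the table in the report, written out as an added C example; it is not the code from the pull request or from curl. `split_identity`, `splits_to` and the `"server realm"` placeholder are hypothetical names, and keeping any further backslash after an explicit domain inside the user is an assumption the table does not cover.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a curl function): split the user part of
   CURLOPT_USERPWD into domain and user following the table in the report.
   server_realm stands for the realm taken from the server's challenge.
   Returns 0 on success, -1 if an output buffer is too small. */
int split_identity(const char *userp, const char *server_realm,
                   char *domain, size_t dlen, char *user, size_t ulen)
{
  const char *sep = strchr(userp, '\\');   /* first backslash, if any */
  const char *dom = server_realm;          /* default: realm from challenge */
  size_t domlen = strlen(server_realm);
  const char *usr = userp;

  if(sep == userp)
    usr = userp + 1;      /* leading '\': rest is the user, backslashes kept */
  else if(sep) {
    dom = userp;          /* explicit Domain\User */
    domlen = (size_t)(sep - userp);
    usr = sep + 1;        /* assumption: later backslashes stay in the user */
  }
  if(domlen >= dlen || strlen(usr) >= ulen)
    return -1;            /* do not silently truncate credentials */
  memcpy(domain, dom, domlen);
  domain[domlen] = '\0';
  strcpy(user, usr);
  return 0;
}

/* Returns 1 when the input splits into the expected domain and user. */
int splits_to(const char *in, const char *dom, const char *usr)
{
  char d[64], u[64];
  if(split_identity(in, "server realm", d, sizeof(d), u, sizeof(u)))
    return 0;
  return !strcmp(d, dom) && !strcmp(u, usr);
}

int main(void)
{
  /* Constructed inputs: the six rows of the table in the report. */
  const char *rows[] = { "Domain\\User", "\\Domain\\User", "User",
                         "Domain\\", "\\", "\\\\" };
  char d[64], u[64];
  size_t i;
  for(i = 0; i < sizeof(rows) / sizeof(rows[0]); i++)
    if(!split_identity(rows[i], "server realm", d, sizeof(d), u, sizeof(u)))
      printf("%-14s domain=\"%s\" user=\"%s\"\n", rows[i], d, u);
  return 0;
}
```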