Mailing Lists

curl-tracker Archives

[curl:bugs] #1484 sasl_sspi does not correctly populate Domain/Realm on Windows

From: Daniel Stenberg <bagder_at_users.sf.net>
Date: Mon, 13 Apr 2015 14:38:58 +0000

- **status**: open --> closed
- **Comment**:

Let's deal with this over in the github pull request, closing this entry on sourceforge.

---
** [bugs:#1484] sasl_sspi does not correctly populate Domain/Realm on Windows**
**Status:** closed
**Labels:** sasl_sspi
**Created:** Sat Feb 21, 2015 07:04 AM UTC by Grant Pannell
**Last Updated:** Thu Feb 26, 2015 08:37 AM UTC
**Owner:** Steve Holme
With the release of Curl 7.40.0, on Windows, SSPI handles http_digest authentication.
I've noticed that the behavior of using digest auth on most non-Microsoft based HTTP servers will return an unauthorized error. This is because the realm in the challenge response is not populated correctly. The only way to authorize access is for the user to have knowledge of the "Realm" of the challenge-message, which is not usually the case.
I've noticed the PHP Windows binaries now use 7.40.0 and compile with USE_WINDOWS_SSPI.
Some examples (user:password) formats specified with CURLOPT_USERPWD:
"User:Password" results in realm="", even though the server has specified a realm (this is NOT OK)
"Realm\User:Password" results in realm="Realm" (this is OK, maybe? Realm specified by the server may not be the same, but Microsoft HTTP servers may deal with this)
This also conflicts with users that may contain "\" and servers that don't use the MS DOMAIN\User format. Either way, the behavior significantly varies from using Curl without USE_WINDOWS_SSPI.
Instead, this patch populates the realm from the challenge message if the user does not explicitly use the DOMAIN\User format.
Example:
Domain\User ; domain=Domain, user=User
\Domain\User ; domain=server realm, user=Domain\User
User ; domain=server realm, user=User
Domain\ ; domain=Domain, user=blank
\ ; domain=server realm; user=blank
\\ ; domain=server realm; user=\
I've made a pull request on Github that solves the problem, but I am not a fantastic C/C++ coder: https://github.com/bagder/curl/pull/141
Thanks
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/curl/admin/bugs/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.

Received on 2015-04-13

This message: [ Message body ]
Next message: Daniel Stenberg: "[curl:bugs] #1496 pointer realloc crash while doing curl_easy_perform"
Previous message: Puneet Singhal: "[curl:bugs] #1496 pointer realloc crash while doing curl_easy_perform"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

These mail archives are generated by hypermail.