Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upHTTP digest authentication with GET parameters no longer sending the right uri #3353
Comments
|
Bisected to 46e1640 diff --git a/lib/http.c b/lib/http.c
index 7be6f8b..5305691 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -702,7 +702,7 @@ output_auth_headers(struct connectdata *conn,
*
* @param conn all information about the current connection
* @param request pointer to the request keyword
- * @param path pointer to the requested path
+ * @param path pointer to the requested path; should include query part
* @param proxytunnel boolean if this is the request setting up a "proxy
* tunnel"
*
@@ -2000,9 +2000,18 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
}
/* setup the authentication headers */
- result = Curl_http_output_auth(conn, request, path, FALSE);
- if(result)
- return result;
+ {
+ char *pq = NULL;
+ if(query && *query) {
+ pq = aprintf("%s?%s", path, query);
+ if(!pq)
+ return CURLE_OUT_OF_MEMORY;
+ }
+ result = Curl_http_output_auth(conn, request, (pq ? pq : path), FALSE);
+ free(pq);
+ if(result)
+ return result;
+ }
if((data->state.authhost.multipass || data->state.authproxy.multipass) &&
(httpreq != HTTPREQ_GET) && |
|
Thanks @jay. We should extend a Digest test case for this too to make sure we'd catch a future similar regression... |
|
Woaw, I'm really impressed by your swift response, many thanks for looking into this! Looking forward to seeing the fix land in Debian testing. |
I am hosting an HTTP server with Apache2 version 2.4.37-1 from Debian with mod_digest and trying to query it with curl 7.62.0-1 and libcurl4 7.62.0-1 from Debian. With this curl version, I am getting an error 400 when querying the server on URLs that include GET parameters:
Here is the
curl -Vof this curl version:By contrast, when downgrading to libcurl3 7.52.1-5+deb9u8 and curl version 7.52.1-5+deb9u8 from Debian, doing the same thing works fine:
Here is the
curl -Vof this curl version:In the Apache2 error log, the problem with the bad curl version (using libcurl4) is reported as:
And indeed, during authentication, this is what is exchanged between Apache2 and the bad curl version, according to mod_dumpio. Note that, in the
uriparameter of theAuthorizationheader, the GET parameters do not appear, which is what Apache complains about:Compare this to what happens between Apache2 and the good curl version. Note that, in the
Authorizationheader, the uri correctly includes the GET parameter:It seems to me that Apache2 is right in rejecting authentication by recent versions of curl (using libcurl4), according to https://tools.ietf.org/html/rfc2617#section-3.2.2.5. Would you have any idea of why this was broken from libcurl3 to libcurl4?
Many thanks for your help!
(PS: as might be apparent from the URLs, I got bitten by this problem because
gitis using libcurl and accessing git repositories with HTTP Digest authentication is no longer working for me at all. For the benefit of anyone else who might be running into the issue from git, when using git the problem manifests itself as the following message when accessing the repository (e.g., when doinggit pull):fatal: unable to access '[repository URL]': The requested URL returned error: 400.)