HTTP digest authentication with GET parameters no longer sending the right uri

[a3nm]

I am hosting an HTTP server with Apache2 version 2.4.37-1 from Debian with mod_digest and trying to query it with curl 7.62.0-1 and libcurl4 7.62.0-1 from Debian. With this curl version, I am getting an error 400 when querying the server on URLs that include GET parameters:

$ curl --digest -u a3nm 'https://git.a3nm.net/enum2/info/refs?service=git-upload-pack' 
Enter host password for user 'a3nm':              
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>

Here is the curl -V of this curl version:

$ curl -V                            
curl 7.62.0 (x86_64-pc-linux-gnu) libcurl/7.62.0 OpenSSL/1.1.1a zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.34.0 librtmp/2.3
Release-Date: 2018-10-31
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 

By contrast, when downgrading to libcurl3 7.52.1-5+deb9u8 and curl version 7.52.1-5+deb9u8 from Debian, doing the same thing works fine:

$ curl --digest -u a3nm 'https://git.a3nm.net/enum2/info/refs?service=git-upload-pack'
Enter host password for user 'a3nm':
[actual response here]

Here is the curl -V of this curl version:

$ curl -V
curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2q zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.34.0 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL 

In the Apache2 error log, the problem with the bad curl version (using libcurl4) is reported as:

[Sun Dec 09 10:39:49.805530 2018] [auth_digest:error] [pid 8691:tid 281471445082528] [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] AH01786: uri mismatch - </enum2/info/refs> does not match request-uri </enum2/info/refs?service=git-upload-pack>

And indeed, during authentication, this is what is exchanged between Apache2 and the bad curl version, according to mod_dumpio. Note that, in the uri parameter of the Authorization header, the GET parameters do not appear, which is what Apache complains about:

[Sun Dec 09 10:39:49.804225 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Sun Dec 09 10:39:49.804334 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:39:49.804523 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): 55 bytes
[Sun Dec 09 10:39:49.804563 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): GET /enum2/info/refs?service=git-upload-pack HTTP/1.1\r\n
[Sun Dec 09 10:39:49.804620 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:39:49.804656 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): 20 bytes
[Sun Dec 09 10:39:49.804688 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: git.a3nm.net\r\n
[Sun Dec 09 10:39:49.804722 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:39:49.804755 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): 299 bytes
[Sun Dec 09 10:39:49.804786 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): Authorization: Digest username="REDACTED", realm="a3nm.net version control", nonce="REDACTED", uri="/enum2/info/refs", cnonce="REDACTED", nc=00000001, qop=auth, response="REDACTED", algorithm="MD5"\r\n
[Sun Dec 09 10:39:49.804834 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:39:49.804867 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): 25 bytes
[Sun Dec 09 10:39:49.804898 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): User-Agent: curl/7.62.0\r\n
[Sun Dec 09 10:39:49.804935 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:39:49.804968 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): 13 bytes
[Sun Dec 09 10:39:49.804999 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): Accept: */*\r\n
[Sun Dec 09 10:39:49.805097 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:39:49.805133 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): 2 bytes
[Sun Dec 09 10:39:49.805164 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_in (data-TRANSIENT): \r\n
[Sun Dec 09 10:39:49.805530 2018] [auth_digest:error] [pid 8691:tid 281471445082528] [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] AH01786: uri mismatch - </enum2/info/refs> does not match request-uri </enum2/info/refs?service=git-upload-pack>
[Sun Dec 09 10:39:49.805660 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(164): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_out
[Sun Dec 09 10:39:49.805697 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_out (data-HEAP): 166 bytes
[Sun Dec 09 10:39:49.805729 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_out (data-HEAP): HTTP/1.1 400 Bad Request\r\nDate: Sun, 09 Dec 2018 10:39:49 GMT\r\nServer: Apache\r\nContent-Length: 226\r\nConnection: close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n
[Sun Dec 09 10:39:49.805774 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(164): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_out
[Sun Dec 09 10:39:49.805804 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_out (data-HEAP): 226 bytes
[Sun Dec 09 10:39:49.805835 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_out (data-HEAP): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1>\n<p>Your browser sent a request that this server could not understand.<br />\n</p>\n</body></html>\n
[Sun Dec 09 10:39:49.805877 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_out (metadata-EOS): 0 bytes
[Sun Dec 09 10:39:49.806142 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(164): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_out
[Sun Dec 09 10:39:49.806181 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_out (metadata-EOR): 0 bytes
[Sun Dec 09 10:39:49.806353 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(164): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio: dumpio_out
[Sun Dec 09 10:39:49.806388 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_out (metadata-FLUSH): 0 bytes
[Sun Dec 09 10:39:49.806422 2018] [dumpio:trace7] [pid 8691:tid 281471445082528] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34026] mod_dumpio:  dumpio_out (metadata-EOC): 0 bytes

Compare this to what happens between Apache2 and the good curl version. Note that, in the Authorization header, the uri correctly includes the GET parameter:

[Sun Dec 09 10:35:48.123520 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Sun Dec 09 10:35:48.123617 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:35:48.123866 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): 55 bytes
[Sun Dec 09 10:35:48.123907 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): GET /enum2/info/refs?service=git-upload-pack HTTP/1.1\r\n
[Sun Dec 09 10:35:48.123963 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:35:48.123999 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): 20 bytes
[Sun Dec 09 10:35:48.124031 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): Host: git.a3nm.net\r\n
[Sun Dec 09 10:35:48.124065 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:35:48.124097 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): 323 bytes
[Sun Dec 09 10:35:48.124129 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): Authorization: Digest username="REDACTED", realm="a3nm.net version control", nonce="REDACTED", uri="/enum2/info/refs?service=git-upload-pack", cnonce="REDACTED", nc=00000001, qop=auth, response="REDACTED", algorithm="MD5"\r\n
[Sun Dec 09 10:35:48.124178 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:35:48.124211 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): 25 bytes
[Sun Dec 09 10:35:48.124242 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): User-Agent: curl/7.52.1\r\n
[Sun Dec 09 10:35:48.124279 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:35:48.124311 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): 13 bytes
[Sun Dec 09 10:35:48.124342 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): Accept: */*\r\n
[Sun Dec 09 10:35:48.124375 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(140): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Sun Dec 09 10:35:48.124408 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): 2 bytes
[Sun Dec 09 10:35:48.124439 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_in (data-TRANSIENT): \r\n
[Sun Dec 09 10:35:48.138238 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(164): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_out
[Sun Dec 09 10:35:48.138440 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_out (data-HEAP): 413 bytes
[Sun Dec 09 10:35:48.138480 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_out (data-HEAP): HTTP/1.1 200 OK\r\nDate: Sun, 09 Dec 2018 10:35:48 GMT\r\nServer: Apache\r\nExpires: Fri, 01 Jan 1980 00:00:00 GMT\r\nPragma: no-cache\r\nCache-Control: no-cache, max-age=0, must-revalidate\r\nAuthentication-Info: rspauth="REDACTED", cnonce="REDACTED", nc=00000001, qop=auth\r\nTransfer-Encoding: chunked\r\nContent-Type: application/x-git-upload-pack-advertisement\r\n\r\n
[Sun Dec 09 10:35:48.138555 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(164): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio: dumpio_out
[Sun Dec 09 10:35:48.138588 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_out (data-TRANSIENT): 4 bytes
[Sun Dec 09 10:35:48.138622 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(103): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_out (data-TRANSIENT): 22\r\n
[Sun Dec 09 10:35:48.138656 2018] [dumpio:trace7] [pid 8691:tid 281471487046048] mod_dumpio.c(63): [client 2001:660:330f:cc:6600:6aff:fe7c:7854:34014] mod_dumpio:  dumpio_out (data-HEAP): 34 bytes
[...]

It seems to me that Apache2 is right in rejecting authentication by recent versions of curl (using libcurl4), according to https://tools.ietf.org/html/rfc2617#section-3.2.2.5. Would you have any idea of why this was broken from libcurl3 to libcurl4?

Many thanks for your help!

(PS: as might be apparent from the URLs, I got bitten by this problem because git is using libcurl and accessing git repositories with HTTP Digest authentication is no longer working for me at all. For the benefit of anyone else who might be running into the issue from git, when using git the problem manifests itself as the following message when accessing the repository (e.g., when doing git pull): fatal: unable to access '[repository URL]': The requested URL returned error: 400.)

[jay]

Bisected to 46e1640 url: use the URL API internally as well. We used to have path for path+query but now the URL API splits the path and query to urlpieces path and query. Only path is passed to Curl_http_output_auth, see here. The fastest way (I think...) would be create it on the fly since it's not in urlpieces. We could store path+query there but then every time the path piece or query piece needs to be changed both would need to be updated. Also Curl_http_output_auth has other calls to it that pass the URI so I'm reluctant to change it to accept the query as a separate parameter and deal with it there.

diff --git a/lib/http.c b/lib/http.c
index 7be6f8b..5305691 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -702,7 +702,7 @@ output_auth_headers(struct connectdata *conn,
  *
  * @param conn all information about the current connection
  * @param request pointer to the request keyword
- * @param path pointer to the requested path
+ * @param path pointer to the requested path; should include query part
  * @param proxytunnel boolean if this is the request setting up a "proxy
  * tunnel"
  *
@@ -2000,9 +2000,18 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
   }
 
   /* setup the authentication headers */
-  result = Curl_http_output_auth(conn, request, path, FALSE);
-  if(result)
-    return result;
+  {
+    char *pq = NULL;
+    if(query && *query) {
+      pq = aprintf("%s?%s", path, query);
+      if(!pq)
+        return CURLE_OUT_OF_MEMORY;
+    }
+    result = Curl_http_output_auth(conn, request, (pq ? pq : path), FALSE);
+    free(pq);
+    if(result)
+      return result;
+  }
 
   if((data->state.authhost.multipass || data->state.authproxy.multipass) &&
      (httpreq != HTTPREQ_GET) &&

[bagder]

Thanks @jay. We should extend a Digest test case for this too to make sure we'd catch a future similar regression...

[a3nm]

Woaw, I'm really impressed by your swift response, many thanks for looking into this! Looking forward to seeing the fix land in Debian testing.