--path-as-is doesn't work when authentication is required #8974

Closed
llamasoft opened this issue Jun 7, 2022 · 0 comments

@llamasoft llamasoft commented Jun 7, 2022

I did this

Used the --path-as-is flag with --anyauth --user.

I expected the following

Both the initial unauthorized request and the retried authorized request would use the same URL.

curl/libcurl version

curl 7.64.1 (x86_64-apple-darwin19.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets

Steps to reproduce

Save the following as auth-server.py:

import http.server
import random

class DummyAuthHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("Authorization") is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Digest qop="auth", realm="dummy", nonce="{random.randint(1, 65535)}"')
            self.end_headers()
            self.wfile.write(b"Unauthorized")
        else:
            # We don't actually care if the auth header is correct.
            # We just need cURL to send one.
            self.send_response(200)
            self.send_header('Content-Type', 'text/html')
            self.end_headers()
            self.wfile.write(b"OK")

if __name__ == "__main__":
    server = http.server.HTTPServer(("localhost", 8080), DummyAuthHandler)
    server.serve_forever()

Run the dummy auth server with python3 auth-server.py.

Run the following command: curl -v --path-as-is --anyauth --user dummy:pass 'http://localhost:8080/../../anything'

Note that the initial request used the desired path:

> GET /../../anything HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*

But that the authorized request doesn't:

> GET /anything HTTP/1.0
> Host: localhost:8080
> Authorization: Digest username="user", realm="dummy", nonce="32680", uri="/anything", cnonce="N2IxMDk1MzMxZDEyYjZmMDdjMTJhZTM1OGE5ZWFjNzM=", nc=00000001, qop=auth, response="108b1cdb11fefbb1ae8a2744294aaad1"
> User-Agent: curl/7.64.1
> Accept: */*

bagder self-assigned this Jun 7, 2022
bagder added a commit that referenced this issue Jun 7, 2022
bagder linked a pull request Jun 7, 2022 that will close this issue
bagder closed this as completed in 07058f6 Jun 8, 2022
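
A check for the behaviour reported above, as an added example that is not part of the original report or of curl's code: it scans curl -v output for request lines and Digest uri= values that differ from the path given on the command line, and uses RFC 3986 section 5.2.4 dot-segment removal to tell whether the difference is the normalized form of that path. The function names and the abridged sample trace are assumptions made for this example.

```python
import re

def remove_dot_segments(path):
    """Dot-segment removal as specified in RFC 3986, section 5.2.4."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith(("./", "/./")):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            path = "/" + path[4:]
            if out:
                out.pop()  # drop the segment that ".." climbs out of
        elif path in (".", ".."):
            path = ""
        else:
            m = re.match(r"/?[^/]*", path)  # move one whole segment to the output
            out.append(m.group(0))
            path = path[m.end():]
    return "".join(out)

# Outgoing lines in curl -v output start with "> ".
REQ_LINE = re.compile(r"^> [A-Z]+ (\S+) HTTP/\d", re.M)
DIGEST_URI = re.compile(r'^> Authorization: Digest .*\buri="([^"]*)"', re.M)

def check_trace(requested_path, trace):
    """Return (where, value, kind) for every target that is not requested_path."""
    normalized = remove_dot_segments(requested_path)
    seen = [(f"request {n}", t) for n, t in enumerate(REQ_LINE.findall(trace), 1)]
    seen += [("digest uri", u) for u in DIGEST_URI.findall(trace)]
    return [(where, value, "normalized" if value == normalized else "other")
            for where, value in seen if value != requested_path]

# Constructed sample: abridged from the verbose output quoted in the report.
SAMPLE_TRACE = """\
> GET /../../anything HTTP/1.1
> Host: localhost:8080
> GET /anything HTTP/1.0
> Host: localhost:8080
> Authorization: Digest username="user", realm="dummy", nonce="32680", uri="/anything", qop=auth
"""

if __name__ == "__main__":
    for finding in check_trace("/../../anything", SAMPLE_TRACE):
        print(finding)
```

An empty result means every request in the trace, including the authenticated retry, carried the path exactly as given.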