Closed
I did this
Used the --path-as-is flag with --anyauth --user.
I expected the following
Both the initial unauthorized request and the retried authorized request would use the same URL.
curl/libcurl version
curl 7.64.1 (x86_64-apple-darwin19.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets
Steps to reproduce
Save the following as auth-server.py:
```python
import http.server
import random


class DummyAuthHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("Authorization") is None:
            # First request carries no credentials: answer with a Digest challenge.
            self.send_response(401)
            self.send_header(
                "WWW-Authenticate",
                f'Digest qop="auth", realm="dummy", nonce="{random.randint(1, 65535)}"',
            )
            self.end_headers()
            self.wfile.write(b"Unauthorized")
        else:
            # We don't actually care if the auth header is correct.
            # We just need cURL to send one.
            self.send_response(200)
            self.send_header('Content-Type', 'text/html')
            self.end_headers()
            self.wfile.write(b"OK")


if __name__ == "__main__":
    server = http.server.HTTPServer(("localhost", 8080), DummyAuthHandler)
    server.serve_forever()
```
Run the dummy auth server with python3 auth-server.py.
Run the following command: curl -v --path-as-is --anyauth --user dummy:pass 'http://localhost:8080/../../anything'
Note that the initial request used the desired path:
> GET /../../anything HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
But the authorized request doesn't:
> GET /anything HTTP/1.0
> Host: localhost:8080
> Authorization: Digest username="user", realm="dummy", nonce="32680", uri="/anything", cnonce="N2IxMDk1MzMxZDEyYjZmMDdjMTJhZTM1OGE5ZWFjNzM=", nc=00000001, qop=auth, response="108b1cdb11fefbb1ae8a2744294aaad1"
> User-Agent: curl/7.64.1
> Accept: */*
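When you audit how a server handles a raw request target containing dot segments, a client that silently rewrites the path on its authenticated retry makes the result meaningless, so it is worth checking the verbose log mechanically rather than by eye. The following is an added example, not code from the report or from the curl project: it parses the outgoing request lines of a `curl -v` transcript (the lines curl prefixes with `> `), flags a retry whose target differs from the initial unauthenticated request, and compares the rewritten target with RFC 3986 section 5.2.4 dot-segment removal. The transcript embedded below is constructed from the two requests shown above (the Authorization header is shortened), and the assumption that the rewrite corresponds to dot-segment removal is the example's own, not a statement from the report.

```python
import re

# Constructed sample: the two outgoing requests pasted in the report, with a
# response line in between. '> ' marks lines curl sent, '< ' lines it received.
CURL_VERBOSE = """\
> GET /../../anything HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.64.1
> Accept: */*
< HTTP/1.1 401 Unauthorized
> GET /anything HTTP/1.0
> Host: localhost:8080
> Authorization: Digest username="user", realm="dummy", nonce="32680", uri="/anything"
> User-Agent: curl/7.64.1
> Accept: */*
"""

# Request line as curl prints it: "> METHOD target HTTP/version".
REQUEST_LINE = re.compile(r"^> (?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>[\d.]+)$")


def outgoing_requests(verbose_output):
    """Return one dict per request curl sent: method, target, HTTP version and
    whether an Authorization header followed the request line."""
    requests = []
    current = None
    for line in verbose_output.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            current = {
                "method": m["method"],
                "target": m["target"],
                "version": m["version"],
                "authorization": False,
            }
            requests.append(current)
        elif current is not None and line.lower().startswith("> authorization:"):
            current["authorization"] = True
    return requests


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4 'remove_dot_segments', the normalisation that
    --path-as-is is meant to suppress. Shown here so the reader can see what
    /../../anything becomes under it (assumed cause, not confirmed by the report)."""
    output = []
    inp = path
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = inp[3:]
            if output:
                output.pop()
        elif inp == "/..":
            inp = "/"
            if output:
                output.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first path segment (with its leading "/") to the output.
            start = 1 if inp.startswith("/") else 0
            idx = inp.find("/", start)
            if idx == -1:
                output.append(inp)
                inp = ""
            else:
                output.append(inp[:idx])
                inp = inp[idx:]
    return "".join(output)


def path_changed_on_retry(verbose_output):
    """Return (initial_target, retry_target) when an authenticated retry was sent
    to a different request target than the first request; None otherwise."""
    reqs = outgoing_requests(verbose_output)
    if not reqs:
        return None
    first = reqs[0]
    for r in reqs[1:]:
        if r["authorization"] and r["target"] != first["target"]:
            return first["target"], r["target"]
    return None


if __name__ == "__main__":
    changed = path_changed_on_retry(CURL_VERBOSE)
    if changed:
        print(f"retry target changed: {changed[0]!r} -> {changed[1]!r}")
        print("matches RFC 3986 dot-segment removal:",
              remove_dot_segments(changed[0]) == changed[1])
    else:
        print("retry kept the original request target")
```

Feeding the script a real transcript (`curl -v ... 2>&1`) instead of the embedded sample turns it into a quick regression check for this behaviour: a non-None result from `path_changed_on_retry` means the server under test never saw the path you thought you were sending it.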