On Wed, 29 Jun 2011, Christian Hägele wrote:
I found a regression in Curl-7.21.7 (We used 7.21.2 before):
It's not really a regression as the HTTP negotiate path was not done using SSPI back in 7.21.2, as that feature was introduced in 7.21.4... Still the bug is real and I can see it in the code.
When the Http-Server responds with the following header: HTTP/1.1 407 Proxy Authentication RequiredIt seems that this always happens when a server returns Http-code 407 for some reason. In that case curl assumes that there is a proxy involved which might be wrong.
It is a fun server response though, as 407 is meant for proxies. I suggest this patch as a fix:
From 2e2e5f247abeabc1965350f66503d35e9c07fe07 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]> Date: Wed, 29 Jun 2011 12:26:23 +0200 Subject: [PATCH] get_gss_name: proxy auth without proxy set equals error Previously it would access a NULL pointer and die. Bug: http://curl.haxx.se/mail/lib-2011-06/0170.html Reported by: Christian Hagele --- lib/http_negotiate_sspi.c | 13 ++++++++----- 1 files changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c index 8098701..0f40bb5 100644 --- a/lib/http_negotiate_sspi.c +++ b/lib/http_negotiate_sspi.c @@ -45,13 +45,16 @@ #include "memdebug.h" static int -get_gss_name(struct connectdata *conn, bool proxy, char *server) +get_gss_name(struct connectdata *conn, bool proxy, + struct negotiatedata *neg_ctx) { - struct negotiatedata *neg_ctx = proxy?&conn->data->state.proxyneg: - &conn->data->state.negotiate; const char* service; size_t length; + if(proxy && !conn->proxy.name) + /* proxy auth requested but no given proxy name, error out! */ + return -1; + /* GSSAPI implementation by Globus (known as GSI) requires the name to be of form "<service>/<fqdn>" instead of <service>@<fqdn> (ie. slash instead of at-sign). Also GSI servers are often identified as 'host' not 'khttp'. @@ -71,7 +74,7 @@ get_gss_name(struct connectdata *conn, bool proxy, char *server) if(length + 1 > sizeof(neg_ctx->server_name)) return EMSGSIZE; - snprintf(server, sizeof(neg_ctx->server_name), "%s/%s", + snprintf(neg_ctx->server_name, sizeof(neg_ctx->server_name), "%s/%s", service, proxy ? conn->proxy.name : conn->host.name); return 0; @@ -130,7 +133,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, } if(strlen(neg_ctx->server_name) == 0 && - (ret = get_gss_name(conn, proxy, neg_ctx->server_name))) + (ret = get_gss_name(conn, proxy, neg_ctx))) return ret; if(!neg_ctx->output_token) { -- 1.7.5.4 -- / daniel.haxx.se
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
