[curl/f16] fix a failure when using digest auth and have multiple auth options (#799557)
Kamil Dudka
kdudka at fedoraproject.org
Tue Mar 13 14:29:50 UTC 2012
commit aee00761651c27d4e2c4d241e9ef0128c766959d
Author: Kamil Dudka <kdudka at redhat.com>
Date: Tue Mar 13 15:19:27 2012 +0100
fix a failure when using digest auth and have multiple auth options (#799557)
0008-curl-7.21.7-4851daf.patch | 83 ++++++++++++++++++++++++++++++++++++++++
curl.spec | 9 ++++-
2 files changed, 91 insertions(+), 1 deletions(-)
---
diff --git a/0008-curl-7.21.7-4851daf.patch b/0008-curl-7.21.7-4851daf.patch
new file mode 100644
index 0000000..971814b
--- /dev/null
+++ b/0008-curl-7.21.7-4851daf.patch
@@ -0,0 +1,83 @@
+From 246bb945620f205118c163ffc5128e1e965c7da2 Mon Sep 17 00:00:00 2001
+From: Rene Bernhardt <rene.bernhardt at pcvisit.de>
+Date: Thu, 3 Nov 2011 23:25:17 +0100
+Subject: [PATCH] HTTP auth: fix proxy Negotiate bug [upstream commit 4851daf]
+
+If a proxy offers several Authentication schemes where NTLM and
+Negotiate are offered by the proxy and you tell libcurl not to use the
+Negotiate scheme then the request never returns when the proxy answers
+with its HTTP 407 reply.
+
+It is reproducible by the following steps:
+
+- Use a proxy that offers NTLM and Negotiate ( CURLOPT_PROXY and
+CURLOPT_PROXYPORT )
+
+- Tell libcurl NOT to use Negotiate CURL_EASY_SETOPT(CURLOPT_PROXYAUTH,
+CURLAUTH_BASIC | CURLAUTH_DIGEST | CURLAUTH_NTLM )
+
+- Start the request
+
+The call to CURL_EASY_PERFORM never returns. If you switch on debug
+logging you can see that libcurl issues a new request As soon as it
+received the 407 reply. Instead it should return and set the response
+code to 407.
+
+Bug: http://curl.haxx.se/mail/lib-2011-10/0323.html
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/http.c | 35 ++++++++++++++++++-----------------
+ 1 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 56d263b..b1bf876 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -737,25 +737,26 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
+ *availp |= CURLAUTH_GSSNEGOTIATE;
+ authp->avail |= CURLAUTH_GSSNEGOTIATE;
+
+- if(data->state.negotiate.state == GSS_AUTHSENT) {
+- /* if we sent GSS authentication in the outgoing request and we get this
+- back, we're in trouble */
+- infof(data, "Authentication problem. Ignoring this.\n");
+- data->state.authproblem = TRUE;
+- }
+- else {
+- neg = Curl_input_negotiate(conn, (bool)(httpcode == 407), start);
+- if(neg == 0) {
+- DEBUGASSERT(!data->req.newurl);
+- data->req.newurl = strdup(data->change.url);
+- if(!data->req.newurl)
+- return CURLE_OUT_OF_MEMORY;
+- data->state.authproblem = FALSE;
+- /* we received GSS auth info and we dealt with it fine */
+- data->state.negotiate.state = GSS_AUTHRECV;
++ if(authp->picked == CURLAUTH_GSSNEGOTIATE) {
++ if(data->state.negotiate.state == GSS_AUTHSENT) {
++ /* if we sent GSS authentication in the outgoing request and we get this
++ back, we're in trouble */
++ infof(data, "Authentication problem. Ignoring this.\n");
++ data->state.authproblem = TRUE;
+ }
+ else {
+- data->state.authproblem = TRUE;
++ neg = Curl_input_negotiate(conn, (bool)(httpcode == 407), start);
++ if(neg == 0) {
++ DEBUGASSERT(!data->req.newurl);
++ data->req.newurl = strdup(data->change.url);
++ if(!data->req.newurl)
++ return CURLE_OUT_OF_MEMORY;
++ data->state.authproblem = FALSE;
++ /* we received GSS auth info and we dealt with it fine */
++ data->state.negotiate.state = GSS_AUTHRECV;
++ }
++ else
++ data->state.authproblem = TRUE;
+ }
+ }
+ }
+--
+1.7.1
+
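Review bot: The new guard at the top of the lib/http.c hunk, `if(authp->picked == CURLAUTH_GSSNEGOTIATE)`, is an equality test, so the Negotiate challenge is only processed when `picked` holds exactly that one scheme bit at the moment the header is parsed. A short comment above the guard stating that `picked` is expected to be a single scheme here, and that `data->state.authproblem` is intentionally left untouched when another scheme was picked, would make the intent explicit. The embedded patch changes only lib/http.c; a regression test for a 407 reply that offers Negotiate while CURLOPT_PROXYAUTH excludes it would guard against the never-returning request described in the message.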
diff --git a/curl.spec b/curl.spec
index c72e273..d030c4f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.21.7
-Release: 6%{?dist}
+Release: 7%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -27,6 +27,9 @@ Patch6: 0006-curl-7.21.7-3445fa2.patch
# reject URLs containing bad data (CVE-2012-0036)
Patch7: 0007-curl-7.21.7-75ca568.patch
+# fix a failure when using digest auth and have multiple auth options (#799557)
+Patch8: 0008-curl-7.21.7-4851daf.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.21.1-multilib.patch
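Review bot: The comment added above Patch8 describes a digest auth failure, while the patch file it names carries the subject "HTTP auth: fix proxy Negotiate bug" and its description talks about a proxy offering NTLM and Negotiate. Consider extending the comment to mention upstream commit 4851daf and, in a few words, how the Negotiate fix relates to the digest failure, so that a reader of the spec can match #799557 to the patch contents.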
@@ -133,6 +136,7 @@ done
%patch5 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
# Fedora patches
%patch101 -p1
@@ -246,6 +250,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
+* Tue Mar 13 2012 Kamil Dudka <kdudka at redhat.com> 7.21.7-7
+- fix a failure when using digest auth and have multiple auth options (#799557)
+
* Tue Jan 24 2012 Kamil Dudka <kdudka at redhat.com> 7.21.7-6
- reject URLs containing bad data (CVE-2012-0036)