[curl/f16] fix a failure when using digest auth and have multiple auth options (#799557)

Kamil Dudka kdudka at fedoraproject.org
Tue Mar 13 14:29:50 UTC 2012


commit aee00761651c27d4e2c4d241e9ef0128c766959d
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Tue Mar 13 15:19:27 2012 +0100

    fix a failure when using digest auth and have multiple auth options (#799557)

 0008-curl-7.21.7-4851daf.patch |   83 ++++++++++++++++++++++++++++++++++++++++
 curl.spec                      |    9 ++++-
 2 files changed, 91 insertions(+), 1 deletions(-)
---
diff --git a/0008-curl-7.21.7-4851daf.patch b/0008-curl-7.21.7-4851daf.patch
new file mode 100644
index 0000000..971814b
--- /dev/null
+++ b/0008-curl-7.21.7-4851daf.patch
@@ -0,0 +1,83 @@
+From 246bb945620f205118c163ffc5128e1e965c7da2 Mon Sep 17 00:00:00 2001
+From: Rene Bernhardt <rene.bernhardt at pcvisit.de>
+Date: Thu, 3 Nov 2011 23:25:17 +0100
+Subject: [PATCH] HTTP auth: fix proxy Negotiate bug [upstream commit 4851daf]
+
+If a proxy offers several Authentication schemes where NTLM and
+Negotiate are offered by the proxy and you tell libcurl not to use the
+Negotiate scheme then the request never returns when the proxy answers
+with its HTTP 407 reply.
+
+It is reproducible by the following steps:
+
+- Use a proxy that offers NTLM and Negotiate ( CURLOPT_PROXY and
+CURLOPT_PROXYPORT )
+
+- Tell libcurl NOT to use Negotiate CURL_EASY_SETOPT(CURLOPT_PROXYAUTH,
+CURLAUTH_BASIC | CURLAUTH_DIGEST | CURLAUTH_NTLM )
+
+- Start the request
+
+The call to CURL_EASY_PERFORM never returns. If you switch on debug
+logging you can see that libcurl issues a new request As soon as it
+received the 407 reply. Instead it should return and set the response
+code to 407.
+
+Bug: http://curl.haxx.se/mail/lib-2011-10/0323.html
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/http.c |   35 ++++++++++++++++++-----------------
+ 1 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 56d263b..b1bf876 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -737,25 +737,26 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
+     *availp |= CURLAUTH_GSSNEGOTIATE;
+     authp->avail |= CURLAUTH_GSSNEGOTIATE;
+ 
+-    if(data->state.negotiate.state == GSS_AUTHSENT) {
+-      /* if we sent GSS authentication in the outgoing request and we get this
+-         back, we're in trouble */
+-      infof(data, "Authentication problem. Ignoring this.\n");
+-      data->state.authproblem = TRUE;
+-    }
+-    else {
+-      neg = Curl_input_negotiate(conn, (bool)(httpcode == 407), start);
+-      if(neg == 0) {
+-        DEBUGASSERT(!data->req.newurl);
+-        data->req.newurl = strdup(data->change.url);
+-        if(!data->req.newurl)
+-          return CURLE_OUT_OF_MEMORY;
+-        data->state.authproblem = FALSE;
+-        /* we received GSS auth info and we dealt with it fine */
+-        data->state.negotiate.state = GSS_AUTHRECV;
++    if(authp->picked == CURLAUTH_GSSNEGOTIATE) {
++      if(data->state.negotiate.state == GSS_AUTHSENT) {
++        /* if we sent GSS authentication in the outgoing request and we get this
++           back, we're in trouble */
++        infof(data, "Authentication problem. Ignoring this.\n");
++        data->state.authproblem = TRUE;
+       }
+       else {
+-        data->state.authproblem = TRUE;
++        neg = Curl_input_negotiate(conn, (bool)(httpcode == 407), start);
++        if(neg == 0) {
++          DEBUGASSERT(!data->req.newurl);
++          data->req.newurl = strdup(data->change.url);
++          if(!data->req.newurl)
++            return CURLE_OUT_OF_MEMORY;
++          data->state.authproblem = FALSE;
++          /* we received GSS auth info and we dealt with it fine */
++          data->state.negotiate.state = GSS_AUTHRECV;
++        }
++        else
++          data->state.authproblem = TRUE;
+       }
+     }
+   }
+-- 
+1.7.1
+
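Review bot: In the embedded lib/http.c change, the new guard `if(authp->picked == CURLAUTH_GSSNEGOTIATE)` compares with equality, so it is only correct if `picked` holds exactly one scheme bit by the time Curl_http_input_auth runs; a one-line comment stating that assumption would help the next reader. The two lines above the guard still OR CURLAUTH_GSSNEGOTIATE into `*availp` and `authp->avail` unconditionally, so Negotiate is reported as available even when its challenge is now skipped; if that is intended, the comment should say so. The patch also ships no test for the 407 reproduction steps listed in its description, so the hang could regress unnoticed.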
diff --git a/curl.spec b/curl.spec
index c72e273..d030c4f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.21.7
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -27,6 +27,9 @@ Patch6: 0006-curl-7.21.7-3445fa2.patch
 # reject URLs containing bad data (CVE-2012-0036)
 Patch7: 0007-curl-7.21.7-75ca568.patch
 
+# fix a failure when using digest auth and have multiple auth options (#799557)
+Patch8: 0008-curl-7.21.7-4851daf.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.21.1-multilib.patch
 
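Review bot: The comment added above `Patch8:` describes the symptom as a digest auth failure, but the patch it names is titled "HTTP auth: fix proxy Negotiate bug" and only touches the CURLAUTH_GSSNEGOTIATE branch. Consider wording the comment so it mentions Negotiate and the upstream commit 4851daf, so that someone searching the spec for the Negotiate change can find it.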
@@ -133,6 +136,7 @@ done
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -246,6 +250,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Tue Mar 13 2012 Kamil Dudka <kdudka at redhat.com> 7.21.7-7
+- fix a failure when using digest auth and have multiple auth options (#799557)
+
 * Tue Jan 24 2012 Kamil Dudka <kdudka at redhat.com> 7.21.7-6
 - reject URLs containing bad data (CVE-2012-0036)
 

