Ralph Mitchell reported a flaw when you used a proxy with auth, and you

requested data from a host and then followed a redirect to another
host. libcurl then didn't use the proxy-auth properly in the second request,
due to the host-only check for original host name wrongly being extended to
the proxy auth as well. Added test case 233 to verify the flaw and that the
fix removed the problem.

CHANGES

@@ -6,6 +6,15 @@
 
                                   Changelog
 
+
+Daniel (19 February 2005)
+- Ralph Mitchell reported a flaw when you used a proxy with auth, and you
+  requested data from a host and then followed a redirect to another
+  host. libcurl then didn't use the proxy-auth properly in the second request,
+  due to the host-only check for original host name wrongly being extended to
+  the proxy auth as well. Added test case 233 to verify the flaw and that the
+  fix removed the problem.
+
 Daniel (18 February 2005)
 - Mike Dobbs reported a mingw build failure due to the lack of
   BUILDING_LIBCURL being defined when libcurl is built. Now this is defined by

RELEASE-NOTES

@@ -16,6 +16,7 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o proxy auth bug when following redirects to another host
  o socket leak when local bind failed
  o HTTP POST with --anyauth picking NTLM
  o SSL problems when downloading exactly 16KB data
@@ -34,6 +35,6 @@ This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
  Gisle Vanem, David Byron, Marty Kuhrt, Maruko, Eric Vergnaud, Christopher
- R. Palmer, Mike Dobbs, David in bug report #1124588
+ R. Palmer, Mike Dobbs, David in bug report #1124588, Ralph Mitchell
 
         Thanks! (and sorry if I forgot to mention someone)

lib/http.c

@@ -403,24 +403,17 @@ Curl_http_output_auth(struct connectdata *conn,
        and if this is one single bit it'll be used instantly. */
     authproxy->picked = authproxy->want;
 
-  /* To prevent the user+password to get sent to other than the original
-     host due to a location-follow, we do some weirdo checks here */
-  if(!data->state.this_is_a_follow ||
-     !data->state.first_host ||
-     curl_strequal(data->state.first_host, conn->host.name) ||
-     data->set.http_disable_hostname_check_before_authentication) {
-
-    /* Send proxy authentication header if needed */
-    if (conn->bits.httpproxy &&
-        (conn->bits.tunnel_proxy == proxytunnel)) {
+  /* Send proxy authentication header if needed */
+  if (conn->bits.httpproxy &&
+      (conn->bits.tunnel_proxy == proxytunnel)) {
 #ifdef USE_SSLEAY
-      if(authproxy->want == CURLAUTH_NTLM) {
-        auth=(char *)"NTLM";
-        result = Curl_output_ntlm(conn, TRUE);
-        if(result)
-          return result;
-      }
-      else
+    if(authproxy->want == CURLAUTH_NTLM) {
+      auth=(char *)"NTLM";
+      result = Curl_output_ntlm(conn, TRUE);
+      if(result)
+        return result;
+    }
+    else
 #endif
       if(authproxy->want == CURLAUTH_BASIC) {
         /* Basic */
@@ -454,10 +447,17 @@ Curl_http_output_auth(struct connectdata *conn,
       else
         authproxy->multi = FALSE;
     }
-    else
-      /* we have no proxy so let's pretend we're done authenticating
-         with it */
-      authproxy->done = TRUE;
+  else
+    /* we have no proxy so let's pretend we're done authenticating
+       with it */
+    authproxy->done = TRUE;
+
+  /* To prevent the user+password to get sent to other than the original
+     host due to a location-follow, we do some weirdo checks here */
+  if(!data->state.this_is_a_follow ||
+     !data->state.first_host ||
+     curl_strequal(data->state.first_host, conn->host.name) ||
+     data->set.http_disable_hostname_check_before_authentication) {
 
     /* Send web authentication header if needed */
     {

tests/data/Makefile.am

@@ -32,7 +32,7 @@ EXTRA_DIST = test1 test108 test117 test127 test20 test27 test34 test46	\
  test223 test224 test206 test207 test208 test209 test213 test240	\
  test241 test242 test519 test214 test215 test216 test217 test218	\
  test199 test225 test226 test227 test230 test231 test232 test228	\
- test229
+ test229 test233
 
 # The following tests have been removed from the dist since they no longer
 # work. We need to fix the test suite's FTPS server first, then bring them

tests/data/test233

@@ -0,0 +1,81 @@
+#
+# Server-side
+<reply>
+<data>
+HTTP/1.1 302 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+Location: http://goto.second.host.now/2330002
+Content-Length: 8
+Connection: close
+
+contents
+</data>
+<data2>
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+
+contents
+</data2>
+
+<datacheck>
+HTTP/1.1 302 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+Location: http://goto.second.host.now/2330002
+Content-Length: 8
+Connection: close
+
+HTTP/1.1 200 OK
+Date: Thu, 09 Nov 2010 14:49:00 GMT
+Server: test-server/fake swsclose
+Content-Type: text/html
+Funny-head: yesyes
+
+contents
+</datacheck>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+HTTP, proxy, site+proxy auth and Location: to new host
+ </name>
+ <command>
+http://first.host.it.is/we/want/that/page/233 -x %HOSTIP:%HTTPPORT --user iam:myself --proxy-user testing:this --location
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET http://first.host.it.is/we/want/that/page/233 HTTP/1.1
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
+Authorization: Basic aWFtOm15c2VsZg==
+Host: first.host.it.is
+Pragma: no-cache
+Accept: */*
+
+GET http://goto.second.host.now/2330002 HTTP/1.1
+Proxy-Authorization: Basic dGVzdGluZzp0aGlz
+Host: goto.second.host.now
+Pragma: no-cache
+Accept: */*
+
+</protocol>
+</verify>