generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

proxy: make ConnectionExists() check credential of proxyconnections too

Browse Source 
Previously it only compared credentials if the requested needle
connection wasn't using a proxy. This caused NTLM authentication
failures when using proxies as the authentication code wasn't send on
the connection where the challenge arrived.

Added test 1215 to verify: NTLM server authentication through a proxy
(This is a modified copy of test 67)
This commit is contained in:
Fabian Keil 2013-03-31 13:26:54 +02:00 committed by Daniel Stenberg
parent 9141c75bfb
commit 638c6da9db
3 changed files with 117 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
lib/url.c
View File

@ -2974,6 +2974,18 @@ ConnectionExists(struct SessionHandle *data,
continue; continue;
} }
if((needle->handler->protocol & CURLPROTO_FTP) ||
((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {
/* This is FTP or HTTP+NTLM, verify that we're using the same name
and password as well */
if(!strequal(needle->user, check->user) ||
!strequal(needle->passwd, check->passwd)) {
/* one of them was different */
continue;
}
credentialsMatch = TRUE;
}
if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL || if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
(needle->bits.httpproxy && check->bits.httpproxy && (needle->bits.httpproxy && check->bits.httpproxy &&
needle->bits.tunnel_proxy && check->bits.tunnel_proxy && needle->bits.tunnel_proxy && check->bits.tunnel_proxy &&
@ -3007,17 +3019,6 @@ ConnectionExists(struct SessionHandle *data,
continue; continue;
} }
} }
if((needle->handler->protocol & CURLPROTO_FTP) ||
((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {
/* This is FTP or HTTP+NTLM, verify that we're using the same name
and password as well */
if(!strequal(needle->user, check->user) ||
!strequal(needle->passwd, check->passwd)) {
/* one of them was different */
continue;
}
credentialsMatch = TRUE;
}
match = TRUE; match = TRUE;
} }
} }

2
tests/data/Makefile.am
View File

@ -88,7 +88,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
test1128 test1129 test1130 test1131 test1132 test1133 \ test1128 test1129 test1130 test1131 test1132 test1133 \
\ \
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
test1208 test1209 test1210 test1211 test1212 test1213 test1214 \ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
\ \
test1220 test1221 test1222 test1223 \ test1220 test1221 test1222 test1223 \
\ \

104
tests/data/test1215 Normal file
View File

@ -0,0 +1,104 @@
<testcase>
<info>
# This test is a copy of test 67, modified to use a HTTP proxy.
<keywords>
HTTP
HTTP GET
HTTP NTLM auth
HTTP proxy
</keywords>
</info>
# Server-side
<reply>
<!-- no <data> in this test since we have NTLM from the start
This is supposed to be returned when the server gets a first
Authorization: NTLM line passed-in from the client -->
<data1001>
HTTP/1.1 401 Now gimme that second request of crap
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 34
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAgACADAAAAAGgoEAc51AYVDgyNcAAAAAAAAAAG4AbgAyAAAAQ0MCAAQAQwBDAAEAEgBFAEwASQBTAEEAQgBFAFQASAAEABgAYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAwAsAGUAbABpAHMAYQBiAGUAdABoAC4AYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAAAAAA==
This is not the real page either!
</data1001>
# This is supposed to be returned when the server gets the second
# Authorization: NTLM line passed-in from the client
<data1002>
HTTP/1.1 200 Things are fine in server land swsclose
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 32
Finally, this is the real page!
</data1002>
<datacheck>
HTTP/1.1 401 Now gimme that second request of crap
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 34
WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAgACADAAAAAGgoEAc51AYVDgyNcAAAAAAAAAAG4AbgAyAAAAQ0MCAAQAQwBDAAEAEgBFAEwASQBTAEEAQgBFAFQASAAEABgAYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAwAsAGUAbABpAHMAYQBiAGUAdABoAC4AYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAAAAAA==
HTTP/1.1 200 Things are fine in server land swsclose
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 32
Finally, this is the real page!
</datacheck>
</reply>
# Client-side
<client>
<features>
NTLM
</features>
<server>
http
</server>
<name>
HTTP with server NTLM authorization using a proxy
</name>
<setenv>
# we force our own host name, in order to make the test machine independent
CURL_GETHOSTNAME=curlhost
# we try to use the LD_PRELOAD hack, if not a debug build
LD_PRELOAD=%PWD/libtest/.libs/libhostname.so
</setenv>
<command>
http://%HOSTIP:%HTTPPORT/1215 -u testuser:testpass --ntlm --proxy http://%HOSTIP:%HTTPPORT
</command>
<precheck>
chkhostname curlhost
</precheck>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET http://%HOSTIP:%HTTPPORT/1215 HTTP/1.1
Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
User-Agent: curl/7.30.0-DEV
Host: %HOSTIP:%HTTPPORT
Accept: */*
Proxy-Connection: Keep-Alive
GET http://%HOSTIP:%HTTPPORT/1215 HTTP/1.1
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACAAIAHAAAAAIAAgAeAAAAAAAAAAAAAAABoKBAFpkQwKRCZFMhjj0tw47wEjKHRHlvzfxQamFcheMuv8v+xeqphEO5V41xRd7R9deOXRlc3R1c2VyY3VybGhvc3Q=
User-Agent: curl/7.30.0-DEV
Host: %HOSTIP:%HTTPPORT
Accept: */*
Proxy-Connection: Keep-Alive
</protocol>
</verify>
</testcase>