On Sunday 04 August 2019 at 23:35:17 +0200, Daniel Stenberg via curl-library
wrote:
> On Sat, 3 Aug 2019, Mike Crowe wrote:
>
> > I've attached two logs. One from my build of master, and one from the
> > Debian Stretch version of curl (7.52.1.) It looks like v7.52.1 passes
> > the username and password on to the proxy in the URL, whereas master
> > does not:
>
> I ran
>
> cd tests && ./runtests.pl "HTTP Digest Auth"
>
> ... and it did 48 successful tests for me on master just now. I don't know
> how your case differs from all those 48.

Sorry for the delay in replying, I've been away.

> Does it make a difference if you provide the user name and password with -u
> instead of in the URL ?

It works with the current state of master. (Although it looks like
46e164069d1a5230e4e64cbd2ff46c46cce056bb did originally break this usage,
but it was fixed later.)

> Does it make a difference if you drop --fail?

No. I only added the --fail to make my bisect script easier to write.

> Does it make a difference if you use --digest instead of --anyauth?

No.

It looks like the logs I attached previously weren't as useful as they
should have been because the proxy was caching the response. I've attached
a couple of new logs that don't suffer from that problem:

curl-master.log clearly shows that when libcurl makes the second
connection, ostensibly providing authentication, it fails to send an
Authentication header. curl-f078361c0e2539689df9962f35ab22f8ea25afe9.log
shows that the corresponding libcurl version does send an Authentication
header.

I think that the fact that the GET line sent to the proxy used to contain
the user and password and no longer does provides a clue as to what might
be going wrong. I instrumented lib/url.c:parseurlandfillcon, and it seems
that the user and password have already been stripped from the URL by that
point, so curl_url_get returns NULL for both CURLUPART_USER and
CURLUPART_PASSWORD.

I'm suspicious about this code in lib/http.c:Curl_http:

    if(strcasecompare("http", data->state.up.scheme)) {
      /* when getting HTTP, we don't want the userinfo the URL */
      uc = curl_url_set(h, CURLUPART_USER, NULL, 0);
      if(uc) {
        curl_url_cleanup(h);
        return CURLE_OUT_OF_MEMORY;
      }
      uc = curl_url_set(h, CURLUPART_PASSWORD, NULL, 0);
      if(uc) {
        curl_url_cleanup(h);
        return CURLE_OUT_OF_MEMORY;
      }
    }

If I remove this code, then the Authorization header is correctly passed
and everything works.

If this doesn't help point at the problem, please can you post the full
output from when you successfully ran:

    $ ./src/curl http://daniel:he...@www.haxx.se -x localhost:80 --trace-ascii - -o /dev/null

Thanks.

Mike.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0*
Trying fd44:d8b8:cab5:cb01::1:3128...
* TCP_NODELAY set
* Connected to elite (fd44:d8b8:cab5:cb01::1) port 3128 (#0)
* Server auth using Digest with user 'unittest'
> GET
> http://cam-unittest-fixture.brightsign/~unittest/cgi-bin/auth-digest/make-large2.rb?maxage=0&bytes=311&unique=D
> HTTP/1.1
> Host: cam-unittest-fixture.brightsign
> User-Agent: curl/7.66.0-DEV
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Wed, 14 Aug 2019 17:05:24 GMT
< Server: Apache/2.4.25 (Debian)
< WWW-Authenticate: Digest realm="Unit test realm",
nonce="hYpPwxaQBQA=899f94923734c73bcb5bfaab69af2c3ef603ab06", algorithm=MD5,
qop="auth"
< Content-Length: 478
< Content-Type: text/html; charset=iso-8859-1
< X-Cache: MISS from elite
< X-Cache-Lookup: MISS from elite:3128
< Via: 1.1 elite (squid/3.5.23)
< Connection: keep-alive
<
* Ignoring the response-body
{ [478 bytes data]
100 478 100 478 0 0 95600 0 --:--:-- --:--:-- --:--:-- 116k
* Connection #0 to host elite left intact
* Issue another request to this URL:
'http://cam-unittest-fixture.brightsign/~unittest/cgi-bin/auth-digest/make-large2.rb?maxage=0&bytes=311&unique=D'
* Found bundle for host elite: 0x55b8c38aef00 [serially]
* Re-using existing connection! (#0) with proxy elite
* Connected to elite (fd44:d8b8:cab5:cb01::1) port 3128 (#0)
> GET
> http://cam-unittest-fixture.brightsign/~unittest/cgi-bin/auth-digest/make-large2.rb?maxage=0&bytes=311&unique=D
> HTTP/1.1
> Host: cam-unittest-fixture.brightsign
> User-Agent: curl/7.66.0-DEV
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Wed, 14 Aug 2019 17:05:24 GMT
< Server: Apache/2.4.25 (Debian)
* Authentication problem. Ignoring this.
< WWW-Authenticate: Digest realm="Unit test realm",
nonce="ZJFPwxaQBQA=d9379d91f7e2b4248787f03bdf8a55c01a70eac7", algorithm=MD5,
qop="auth"
< Content-Length: 478
< Content-Type: text/html; charset=iso-8859-1
< X-Cache: MISS from elite
< X-Cache-Lookup: MISS from elite:3128
< Via: 1.1 elite (squid/3.5.23)
< Connection: keep-alive
<
{ [478 bytes data]
100 478 100 478 0 0 79666 0 --:--:-- --:--:-- --:--:-- 79666
* Connection #0 to host elite left intact
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at cam-unittest-fixture.brightsign Port
80</address>
</body></html>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0*
Trying fd44:d8b8:cab5:cb01::1...
* TCP_NODELAY set
* Connected to elite (fd44:d8b8:cab5:cb01::1) port 3128 (#0)
* Server auth using Digest with user 'unittest'
> GET
> http://unittest:password@cam-unittest-fixture.brightsign/~unittest/cgi-bin/auth-digest/make-large2.rb?maxage=0&bytes=311&unique=D
> HTTP/1.1
> Host: cam-unittest-fixture.brightsign
> User-Agent: curl/7.62.0-DEV
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 401 Unauthorized
< Date: Wed, 14 Aug 2019 17:05:55 GMT
< Server: Apache/2.4.25 (Debian)
< WWW-Authenticate: Digest realm="Unit test realm",
nonce="640pxRaQBQA=8a215879d5825d0ac4d4fffefc80d440473885d5", algorithm=MD5,
qop="auth"
< Content-Length: 478
< Content-Type: text/html; charset=iso-8859-1
< X-Cache: MISS from elite
< X-Cache-Lookup: HIT from elite:3128
< Via: 1.1 elite (squid/3.5.23)
< Connection: keep-alive
<
* Ignoring the response-body
{ [478 bytes data]
100 478 100 478 0 0 116k 0 --:--:-- --:--:-- --:--:-- 116k
* Connection #0 to host elite left intact
* Issue another request to this URL:
'http://unittest:password@cam-unittest-fixture.brightsign/~unittest/cgi-bin/auth-digest/make-large2.rb?maxage=0&bytes=311&unique=D'
* Found bundle for host cam-unittest-fixture.brightsign: 0x56341f8cab20 [can
pipeline]
* Re-using existing connection! (#0) with proxy elite
* Connected to elite (fd44:d8b8:cab5:cb01::1) port 3128 (#0)
* Server auth using Digest with user 'unittest'
> GET
> http://unittest:password@cam-unittest-fixture.brightsign/~unittest/cgi-bin/auth-digest/make-large2.rb?maxage=0&bytes=311&unique=D
> HTTP/1.1
> Host: cam-unittest-fixture.brightsign
> Authorization: Digest username="unittest", realm="Unit test realm",
> nonce="640pxRaQBQA=8a215879d5825d0ac4d4fffefc80d440473885d5",
> uri="/~unittest/cgi-bin/auth-digest/make-large2.rb?maxage=0&bytes=311&unique=D",
> cnonce="YjMwYmQ0OTlkZGE0MmE1YWQ0NDBkODUwZmZhODI3OWU=", nc=00000001,
> qop=auth, response="d56cf793b71d953476e4950763913574", algorithm="MD5"
> User-Agent: curl/7.62.0-DEV
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Wed, 14 Aug 2019 17:05:55 GMT
< Server: Apache/2.4.25 (Debian)
< Accept-Ranges: bytes
< Cache-Control: no-cache
< Rendered: 2019-08-14 18:05:55 +0100
< Authentication-Info: rspauth="d1b2c15e88138afd2769c2a5b9feab7a",
cnonce="YjMwYmQ0OTlkZGE0MmE1YWQ0NDBkODUwZmZhODI3OWU=", nc=00000001, qop=auth
< Content-Length: 311
< Content-Type: text/test
< X-Cache: MISS from elite
< X-Cache-Lookup: HIT from elite:3128
< Via: 1.1 elite (squid/3.5.23)
< Connection: keep-alive
<
{ [311 bytes data]
100 311 100 311 0 0 3417 0 --:--:-- --:--:-- --:--:-- 3417
* Connection #0 to host elite left intact
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0
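
The difference between the two attached traces can be checked mechanically. The following is an added example, not part of the original message or of curl: it reads `curl -v` style output and reports a retry after a Digest challenge that carries no Authorization header, and any request-target that carries userinfo. The names `messages`, `audit` and the sample traces are assumptions made for the illustration, and the parser expects each request line unwrapped on a single line.

```python
from urllib.parse import urlsplit

# Constructed, condensed traces modelled on the two attached logs (not verbatim).
REQ = "> GET http://{}fixture.example/auth-digest/f?unique=D HTTP/1.1\n> Accept: */*\n"
CHALLENGE = ('< HTTP/1.1 401 Unauthorized\n'
             '< WWW-Authenticate: Digest realm="Unit test realm", nonce="N1", qop="auth"\n<\n')
AUTHZ = '> Authorization: Digest username="unittest", realm="Unit test realm", nonce="N1"\n'
# Like curl-master.log: the retry after the challenge has no Authorization header.
TRACE_MASTER = (REQ.format("") + ">\n" + CHALLENGE +
                REQ.format("") + ">\n" + "< HTTP/1.1 401 Unauthorized\n<\n")
# Like the older build: userinfo in the request-target, Authorization on the retry.
TRACE_OLD = (REQ.format("unittest:password@") + ">\n" + CHALLENGE +
             REQ.format("unittest:password@") + AUTHZ + ">\n" + "< HTTP/1.1 200 OK\n<\n")


def messages(trace):
    """Split `curl -v` output into (direction, start_line, headers) tuples."""
    out, cur = [], None
    for line in trace.splitlines():
        if line not in ("<", ">") and line[:2] not in ("< ", "> "):
            continue                      # skip "* info" and "{ data" lines
        mark, text = line[0], line[1:].strip()
        if not text:                      # bare ">" or "<" ends a header block
            cur = None
        elif cur is None or cur[0] != mark:
            cur = (mark, text, {})        # first line: request line or status line
            out.append(cur)
        else:
            name, _, value = text.partition(":")
            cur[2][name.strip().lower()] = value.strip()
    return out


def audit(trace):
    """Flag userinfo sent in a request-target and a Digest retry without credentials."""
    findings, challenged = [], False
    for mark, start, headers in messages(trace):
        fields = start.split()
        token = fields[1] if len(fields) > 1 else ""   # request-target or status code
        if mark == ">":
            if "://" in token and urlsplit(token).username is not None:
                findings.append("userinfo-in-request-target")
            if challenged and "authorization" not in headers:
                findings.append("retry-without-authorization")
            challenged = False
        else:
            scheme = headers.get("www-authenticate", "").lower()
            challenged = token == "401" and scheme.startswith("digest")
    return findings
```
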