Re: Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

2014-07-18 Thread Daniel Stenberg
On Thu, 17 Jul 2014, Michael Osipov wrote: Yes it should! But you're expressing this funnily. If it _does_ probe first, it will disclose the exact same information if the server asks for basic auth Haven't noticed that I brought some fun into it. "funny" in the meaning of "strange" or "pecu

Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

2014-07-18 Thread Michael Osipov
> From: "Daniel Stenberg" > On Thu, 17 Jul 2014, Michael Osipov wrote: > > > The issue is that your server does not behave the way intended. That > > requires a custom fix in curl. > > Well, we need to handle what servers do or can do, and duplicated headers is > a > very common mistake in the

Re: Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

2014-07-17 Thread Michael Osipov
> From: "Daniel Stenberg" > On Thu, 17 Jul 2014, Michael Osipov wrote: > >> Yes, because you're asking for it! > > > > Then I would at least require the docs to say that preemptive is > > performed > > by default. Users should be aware that they could disclose information. > > Yes it should!

Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

2014-07-17 Thread Daniel Stenberg
On Thu, 17 Jul 2014, Michael Osipov wrote: I'm fully convinced you will find servers out there returning headers like that. Maybe true but that is not covered in libcurl also. You cannot scope the auth. Right, but that's a separate limitation. It has been worked on in the past but it was n

Re: Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

2014-07-17 Thread Michael Osipov
> From: "Daniel Stenberg" > On Thu, 17 Jul 2014, Michael Osipov wrote: > > > WWW-Authenticate: Basic ream="A" > > WWW-Authenticate: Basic ream="B" > > > > That makes no sense and is incorrect. > > Is it really? What if it has two overlapping realms and offer you to login to > any of them to acce

Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

2014-07-17 Thread Daniel Stenberg
On Thu, 17 Jul 2014, Michael Osipov wrote: WWW-Authenticate: Basic ream="A" WWW-Authenticate: Basic ream="B" That makes no sense and is incorrect. Is it really? What if it has two overlapping realms and offer you to login to any of them to access that resource? I'm fully convinced you will

Re: Re: [PATCH] http: avoid auth failure on a duplicated header

2014-07-17 Thread Daniel Stenberg
On Thu, 17 Jul 2014, Michael Osipov wrote: The issue is that your server does not behave the way intended. That requires a custom fix in curl. Well, we need to handle what servers do or can do, and duplicated headers is a very common mistake in the wild - sometimes not even by mistake. The

Re: Re: [PATCH] http: avoid auth failure on a duplicated header

2014-07-17 Thread Michael Osipov
Hi David, > Sent: Thursday, 17 July 2014 at 11:41 > From: "David Woodhouse" > To: "Kamil Dudka" > Cc: curl-library@cool.haxx.se, "Daniel Stenberg" > Subject: Re: [PATCH] http: avoid auth failure on a duplicated header > > On Fri, 2014-05-09 at 13:46 +0200, Kamil Dudka wrote: > > On Fr