From fa0b9227616e17b7949ed0063d16bc7398474671 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 11 Nov 2022 08:47:12 +0100 Subject: [PATCH] http: mark it 'this_is_a_follow' in the Location: logic To make regular auth "reloads" to not count as redirects. Verified by test 3101 Fixes #9885 Closes #9887 --- lib/http.c | 16 +++---- lib/transfer.c | 6 +-- tests/data/Makefile.inc | 2 +- tests/data/test3101 | 88 ++++++++++++++++++++++++++++++++++++++ tests/libtest/Makefile.inc | 7 ++- tests/libtest/lib3101.c | 64 +++++++++++++++++++++++++++ 6 files changed, 165 insertions(+), 18 deletions(-) create mode 100644 tests/data/test3101 create mode 100644 tests/libtest/lib3101.c diff --git a/lib/http.c b/lib/http.c index 13fdfa6690..41a3a62b8d 100644 --- a/lib/http.c +++ b/lib/http.c @@ -689,15 +689,6 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) data->req.newurl = strdup(data->state.url); /* clone URL */ if(!data->req.newurl) return CURLE_OUT_OF_MEMORY; -#ifndef CURL_DISABLE_RTSP - /* - * Authentication is treated as a redirect in Curl_follow(), so if this is - * done using RTSP we make it allow these "redirects" to RTSP (only). A - * safe assumption as no other redirects should happen from RTSP. - */ - if(conn->handler->protocol & CURLPROTO_RTSP) - data->set.redir_protocols = CURLPROTO_RTSP; -#endif } else if((data->req.httpcode < 300) && (!data->state.authhost.done) && @@ -2876,8 +2867,8 @@ CURLcode Curl_http_resume(struct Curl_easy *data, data->state.resume_from = 0; } - if(data->state.resume_from && !data->state.this_is_a_follow) { - /* do we still game? */ + if(data->state.resume_from && !data->state.followlocation) { + /* only act on the first request */ /* Now, let's read off the proper amount of bytes from the input. */ 
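Review bot: In the Curl_http_resume hunk the new condition `!data->state.followlocation` uses a counter as a "first request" flag, and the replacement comment `/* only act on the first request */` does not say what counts as a later request. The transfer.c hunk in this patch documents that the counter includes auth reloads, so the input seek is skipped after an auth round-trip as well as after a redirect. I would spell that out at the condition: `/* followlocation counts redirects and auth reloads, so this only runs for the first request of the transfer */`. The function body continues outside the hunk.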
@@ -3659,6 +3650,9 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, result = http_perhapsrewind(data, conn); if(result) return result; + + /* mark the next request as a followed location: */ + data->state.this_is_a_follow = TRUE; } } } diff --git a/lib/transfer.c b/lib/transfer.c index 5ced156982..34f837c904 100644 --- a/lib/transfer.c +++ b/lib/transfer.c @@ -1607,10 +1607,8 @@ CURLcode Curl_follow(struct Curl_easy *data, to URL */ } else { - /* mark the next request as a followed location: */ - data->state.this_is_a_follow = TRUE; - - data->state.followlocation++; /* count location-followers */ + data->state.followlocation++; /* count redirect-followings, including + auth reloads */ if(data->set.http_auto_referer) { CURLU *u; diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 9e585d602d..a142c1ac12 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -249,4 +249,4 @@ test3008 test3009 test3010 test3011 test3012 test3013 test3014 test3015 \ test3016 test3017 test3018 test3019 test3020 test3021 test3022 test3023 \ test3024 test3025 test3026 test3027 test3028 \ \ -test3100 +test3100 test3101 diff --git a/tests/data/test3101 b/tests/data/test3101 new file mode 100644 index 0000000000..8e3d41f3a6 --- /dev/null +++ b/tests/data/test3101 
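Review bot: `data->state.this_is_a_follow = TRUE;` is now set while the Location: header is handled in Curl_http_header, where the transfer.c hunk used to set it inside Curl_follow(), and neither hunk shows where the flag is cleared. If other code consults this flag to decide whether credentials or a protocol are permitted on the next request (not visible here), a redirect that is subsequently refused, or a reused handle, must not inherit a stale value. Please confirm the reset point and extend the comment, e.g. `/* mark the next request as a followed location; auth reloads deliberately leave this unset */`. The enclosing block starts outside the hunk.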
@@ -0,0 +1,88 @@
+
+
+
+HTTP
+HTTP Basic auth
+
+
+
+# Server-side
+
+
+HTTP/1.1 401 Authorization Required swsbounce
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Blackmagic realm="gimme all yer s3cr3ts"
+WWW-Authenticate: Basic realm="gimme all yer s3cr3ts"
+Content-Length: 26
+Content-Type: text/html; charset=iso-8859-1
+
+This is not the real page
+
+
+# This is supposed to be returned when the server gets a
+# Authorization: Digest line passed-in from the client
+
+HTTP/1.1 200 OK
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+Connection: close
+
+This IS the real page!
+
+
+
+HTTP/1.1 401 Authorization Required swsbounce
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+WWW-Authenticate: Blackmagic realm="gimme all yer s3cr3ts"
+WWW-Authenticate: Basic realm="gimme all yer s3cr3ts"
+Content-Length: 26
+Content-Type: text/html; charset=iso-8859-1
+
+HTTP/1.1 200 OK
+Server: Apache/1.3.27 (Darwin) PHP/4.1.2
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 23
+Connection: close
+
+This IS the real page!
+
+
+
+# Client-Side
+
+# require https because the code sets that as an acceptable redirect proto
+
+https
+
+
+http
+
+
+lib%TESTNUMBER
+
+
+
+HTTP auth without redirection protocols
+
+
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER
+
+
+
+# Verify data after the test has been "shot"
+
+
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Accept: */*
+
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+Authorization: Basic dXNlcjpwYXNzd29yZA==
+Accept: */*
+
+
+
+
+
diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
index 6ad9ebe2c8..c1d57ef3b3 100644
--- a/tests/libtest/Makefile.inc
+++ b/tests/libtest/Makefile.inc
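Review bot: The comment above the second reply, `# Authorization: Digest line passed-in from the client`, does not match this test, because the expected second request carries `Authorization: Basic dXNlcjpwYXNzd29yZA==`. It reads as carried over from a Digest test and should say `# Authorization: Basic line passed-in from the client`. The client-side comment `# require https because the code sets that as an acceptable redirect proto` could also state that https is deliberately the only allowed redirect protocol while the transfer itself stays on http.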
@@ -68,7 +68,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ lib1945 lib1946 lib1947 lib1948 lib1955 \ lib2301 lib2302 \ lib3010 lib3025 lib3026 lib3027 \ - lib3100 + lib3100 lib3101 chkdecimalpoint_SOURCES = chkdecimalpoint.c ../../lib/mprintf.c \ ../../lib/dynbuf.c ../../lib/strdup.c @@ -791,4 +791,7 @@ lib3027_CPPFLAGS = $(AM_CPPFLAGS) lib3100_SOURCES = lib3100.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) lib3100_LDADD = $(TESTUTIL_LIBS) -lib3100_CPPFLAGS = $(AM_CPPFLAGS) + +lib3101_SOURCES = lib3101.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) +lib3101_LDADD = $(TESTUTIL_LIBS) + diff --git a/tests/libtest/lib3101.c b/tests/libtest/lib3101.c new file mode 100644 index 0000000000..1f022bd818 --- /dev/null +++ b/tests/libtest/lib3101.c 
@@ -0,0 +1,64 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ * SPDX-License-Identifier: curl
+ *
+ ***************************************************************************/
+#include "test.h"
+#include "memdebug.h"
+
+int test(char *URL)
+{
+ int res;
+ CURL *curl;
+
+ if(curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
+ fprintf(stderr, "curl_global_init() failed\n");
+ return TEST_ERR_MAJOR_BAD;
+ }
+
+ curl = curl_easy_init();
+ if(!curl) {
+ fprintf(stderr, "curl_easy_init() failed\n");
+ curl_global_cleanup();
+ return TEST_ERR_MAJOR_BAD;
+ }
+
+ test_setopt(curl, CURLOPT_HEADERDATA, stdout);
+ test_setopt(curl, CURLOPT_WRITEDATA, stdout);
+ test_setopt(curl, CURLOPT_VERBOSE, 1L);
+ test_setopt(curl, CURLOPT_URL, URL);
+ test_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
+ test_setopt(curl, CURLOPT_USERNAME, "user");
+ test_setopt(curl, CURLOPT_PASSWORD, "password");
+ test_setopt(curl, CURLOPT_REDIR_PROTOCOLS_STR, "https");
+
+ res = curl_easy_perform(curl);
+ if(res != (int)CURLE_OK) {
+ res = TEST_ERR_MAJOR_BAD;
+ goto test_cleanup;
+ }
+
+test_cleanup:
+ curl_easy_cleanup(curl);
+ curl_global_cleanup();
+
+ return res;
+}
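Review bot: test() only exercises the positive case, an auth reload over http with `CURLOPT_REDIR_PROTOCOLS_STR` set to "https"; nothing visible here checks that a real Location: redirect to a protocol outside that list is still refused, which is the security-relevant side of this change. A companion case with `CURLOPT_FOLLOWLOCATION` enabled and an http redirect target would pin that. Smaller points: the failure branch overwrites the CURLcode with `TEST_ERR_MAJOR_BAD` without logging it, and its `goto test_cleanup;` jumps to the label that immediately follows; `fprintf(stderr, "curl_easy_perform() failed: %d\n", res);` before the overwrite would help diagnosis. A short comment above test() stating what is being verified would help too.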