curl/tests/data/test2027
Daniel Stenberg 8d97bed806 test 2027/2030: take duplicate Digest requests into account
With the reversion of ce8311c7e4 and the new clear logic, this flaw
is present and we allow it.
2012-11-06 22:23:56 +01:00

245 lines
6.1 KiB
Plaintext

<testcase>
<info>
<keywords>
HTTP
HTTP GET
HTTP Digest auth
</keywords>
</info>
# Server-side
<reply>
<!--
Explanation for the duplicate 400 requests:
libcurl doesn't detect that a given Digest password is wrong already on the
first 401 response (as the data400 gives). libcurl will instead consider the
new response just as a duplicate and it sends another and detects the auth
problem on the second 401 response!
-->
<!-- First request has Digest auth, wrong password -->
<data100>
HTTP/1.1 401 Need Digest auth
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27
WWW-Authenticate: Digest realm="testrealm", nonce="1"
This is not the real page!
</data100>
<data1100>
HTTP/1.1 401 Sorry wrong password
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="2"
This is a bad password page!
</data1100>
<!-- Second request has Digest auth, right password -->
<data200>
HTTP/1.1 401 Need Digest auth (2)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27
WWW-Authenticate: Digest realm="testrealm", nonce="3"
This is not the real page!
</data200>
<data1200>
HTTP/1.1 200 Things are fine in server land
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 32
Finally, this is the real page!
</data1200>
<!-- Third request has Digest auth, wrong password -->
<data300>
HTTP/1.1 401 Need Digest auth (3)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27
WWW-Authenticate: Digest realm="testrealm", nonce="4"
This is not the real page!
</data300>
<data1300>
HTTP/1.1 401 Sorry wrong password (2)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="5"
This is a bad password page!
</data1300>
<!-- Fourth request has Digest auth, wrong password -->
<data400>
HTTP/1.1 401 Need Digest auth (4)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27
WWW-Authenticate: Digest realm="testrealm", nonce="6"
This is not the real page!
</data400>
<data1400>
HTTP/1.1 401 Sorry wrong password (3)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="7"
This is a bad password page!
</data1400>
<!-- Fifth request has Digest auth, right password -->
<data1500>
HTTP/1.1 200 Things are fine in server land (2)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 32
Finally, this is the real page!
</data1500>
<datacheck>
HTTP/1.1 401 Need Digest auth
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27
WWW-Authenticate: Digest realm="testrealm", nonce="1"
HTTP/1.1 401 Sorry wrong password
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="2"
This is a bad password page!
HTTP/1.1 200 Things are fine in server land
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 32
Finally, this is the real page!
HTTP/1.1 401 Need Digest auth (3)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 27
WWW-Authenticate: Digest realm="testrealm", nonce="4"
HTTP/1.1 401 Sorry wrong password (2)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="5"
This is a bad password page!
HTTP/1.1 401 Sorry wrong password (3)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="7"
HTTP/1.1 401 Sorry wrong password (3)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 29
WWW-Authenticate: Digest realm="testrealm", nonce="7"
This is a bad password page!
HTTP/1.1 200 Things are fine in server land (2)
Server: Microsoft-IIS/5.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 32
Finally, this is the real page!
</datacheck>
</reply>
# Client-side
<client>
<server>
http
</server>
<tool>
libauthretry
</tool>
<name>
HTTP authorization retry (Digest)
</name>
<setenv>
# we force our own host name, in order to make the test machine independent
CURL_GETHOSTNAME=curlhost
# we try to use the LD_PRELOAD hack, if not a debug build
LD_PRELOAD=%PWD/libtest/.libs/libhostname.so
</setenv>
<command>
http://%HOSTIP:%HTTPPORT/2027 digest digest
</command>
<precheck>
chkhostname curlhost
</precheck>
</client>
# Verify data after the test has been "shot"
<verify>
<strip>
^User-Agent:.*
</strip>
<protocol>
GET /20270100 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20270100 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="1", uri="/20270100", response="f7fd60eefaff5225971bf9b3d80d6ba6"
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20270200 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="2", uri="/20270200", response="785ca3ef511999f7e9c178195f5b388c"
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20270300 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20270300 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="4", uri="/20270300", response="4c735d2360fd6848e7cb32a11ae3612b"
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20270400 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20270400", response="f5906785511fb60a2af8b1cd53008ead"
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20270400 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="5", uri="/20270400", response="f5906785511fb60a2af8b1cd53008ead"
Host: %HOSTIP:%HTTPPORT
Accept: */*
GET /20270500 HTTP/1.1
Authorization: Digest username="testuser", realm="testrealm", nonce="7", uri="/20270500", response="8ef4d935fd964a46c3965c0863b52cf1"
Host: %HOSTIP:%HTTPPORT
Accept: */*
</protocol>
</verify>
</testcase>