sasl_sspi: Populate the domain from the realm in the challenge message i...#141
Closed
DigitalDJ wants to merge 1 commit intocurl:masterfrom
Closed
sasl_sspi: Populate the domain from the realm in the challenge message i...#141DigitalDJ wants to merge 1 commit intocurl:masterfrom
DigitalDJ wants to merge 1 commit intocurl:masterfrom
Conversation
…e if the user does not specify DOMAIN\User format
Member
|
Thanks, landed in 59f3f92 |
jsonn
pushed a commit
to jsonn/pkgsrc
that referenced
this pull request
Jun 30, 2015
Curl and libcurl 7.43.0 Public curl releases: 147 Command line options: 176 curl_easy_setopt() options: 219 Public functions in libcurl: 58 Contributors: 1291 This release includes the following changes: o Added CURLOPT_PROXY_SERVICE_NAME[11] o Added CURLOPT_SERVICE_NAME[12] o New curl option: --proxy-service-name[13] o Mew curl option: --service-name [14] o New curl option: --data-raw [5] o Added CURLOPT_PIPEWAIT [15] o Added support for multiplexing transfers using HTTP/2, enable this with the new CURLPIPE_MULTIPLEX bit for CURLMOPT_PIPELINING [16] o HTTP/2: requires nghttp2 1.0.0 or later o scripts: add zsh.pl for generating zsh completion o curl.h: add CURL_HTTP_VERSION_2 This release includes the following bugfixes: o CVE-2015-3236: lingering HTTP credentials in connection re-use [30] o CVE-2015-3237: SMB send off unrelated memory contents [31] o nss: fix compilation failure with old versions of NSS [1] o curl_easy_getinfo.3: document 'internals' in CURLINFO_TLS_SESSION o schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error o Curl_ossl_init: load builtin modules [2] o configure: follow-up fix for krb5-config [3] o sasl_sspi: Populate domain from the realm in the challenge [4] o netrc: support 'default' token o README: convert to UTF-8 o cyassl: Implement public key pinning o nss: implement public key pinning for NSS backend o mingw build: add arch -m32/-m64 to LDFLAGS o schannel: Fix out of bounds array [6] o configure: remove autogenerated files by autoconf o configure: remove --automake from libtoolize call o acinclude.m4: fix shell test for default CA cert bundle/path o schannel: fix regression in schannel_recv [7] o openssl: skip trace outputs for ssl_ver == 0 [8] o gnutls: properly retrieve certificate status o netrc: Read in text mode when cygwin [9] o winbuild: Document the option used to statically link the CRT [10] o FTP: Make EPSV use the control IP address rather than the original host o FTP: fix dangling conn->ip_addr dereference on verbose EPSV o conncache: keep bundles on host+port bases, not only host names o runtests.pl: use 'h2c' now, no -14 anymore o curlver: introducing new version number (checking) macros o openssl: boringssl build brekage, use SSL_CTX_set_msg_callback [17] o CURLOPT_POSTFIELDS.3: correct variable names [18] o curl_easy_unescape.3: update RFC reference [19] o gnutls: don't fail on non-fatal alerts during handshake o testcurl.pl: allow source to be in an arbitrary directory o CURLOPT_HTTPPROXYTUNNEL.3: only works with a HTTP proxy o SSPI-error: Change SEC_E_ILLEGAL_MESSAGE description [20] o parse_proxy: switch off tunneling if non-HTTP proxy [21] o share_init: fix OOM crash o perl: remove subdir, not touched in 9 years o CURLOPT_COOKIELIST.3: Add example o CURLOPT_COOKIE.3: Explain that the cookies won't be modified [22] o CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain [23] o FAQ: How do I port libcurl to my OS? o openssl: Use TLS_client_method for OpenSSL 1.1.0+ o HTTP-NTLM: fail auth on connection close instead of looping [24] o curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXT [25] o curl_getdate.3: update RFC reference o curl_multi_info_read.3: added example o curl_multi_perform.3: added example o curl_multi_timeout.3: added example o cookie: Stop exporting any-domain cookies [26] o openssl: remove dummy callback use from SSL_CTX_set_verify() o openssl: remove SSL_get_session()-using code o openssl: removed USERDATA_IN_PWD_CALLBACK kludge o openssl: removed error string #ifdef o openssl: Fix verification of server-sent legacy intermediates [27] o docs: man page indentation and syntax fixes o docs: Spelling fixes o fopen.c: fix a few compiler warnings o CURLOPT_OPENSOCKETFUNCTION: return error at once [28] o schannel: Add support for optional client certificates o build: Properly detect OpenSSL 1.0.2 when using configure o urldata: store POST size in state.infilesize too [29] o security:choose_mech remove dead code o rtsp_do: remove dead code o docs: many HTTP URIs changed to HTTPS o schannel: schannel_recv overhaul [32] This release includes the following known bugs: o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html) This release would not have looked like this without help, code, reports and advice from friends like these: Alessandro Ghedini, Alexander Dyagilev, Anders Bakken, Anthony Avina, Ashish Shukla, Bert Huijben, Brian Chrisman, Brian Prodoehl, Chris Araman, Dagobert Michelsen, Dan Fandrich, Daniel Melani, Daniel Stenberg, Dmitry Eremin-Solenikov, Drake Arconis, Egon Eckert, Frank Meier, Fred Stluka, Gisle Vanem, Grant Pannell, Isaac Boukris, Jens Rantil, Joel Depooter, Kamil Dudka, Linus Nielsen Feltzing, Linus Nielsen Feltzing Feltzing, Liviu Chircu, Marc Hoersken, Michael Osipov, Oren Souroujon, Orgad Shaneh, Patrick Monnerat, Patrick Rapin, Paul Howarth, Paul Oliver, Rafayel Mkrtchyan, Ray Satiro, Sean Boudreau, Tatsuhiro Tsujikawa, Tomas Tomecek, Viktor Szakáts, Ville Skyttä, Yehezkel Horowitz, (43 contributors) Thanks! (and sorry if I forgot to mention someone) References to bug reports and discussions on issues: [1] = http://curl.haxx.se/mail/lib-2015-04/0095.html [2] = curl/curl#206 [3] = curl/curl@5b66860#commitcomment-10473445 [4] = curl/curl#141 [5] = curl/curl#198 [6] = http://curl.haxx.se/mail/lib-2015-04/0199.html [7] = curl/curl#244 [8] = curl/curl#219 [9] = curl/curl#258 [10] = curl/curl#254 [11] = http://curl.haxx.se/libcurl/c/CURLOPT_PROXY_SERVICE_NAME.html [12] = http://curl.haxx.se/libcurl/c/CURLOPT_SERVICE_NAME.html [13] = http://curl.haxx.se/docs/manpage.html#--proxy-service-name [14] = http://curl.haxx.se/docs/manpage.html#--service-name [15] = http://curl.haxx.se/libcurl/c/CURLOPT_PIPEWAIT.html [16] = http://curl.haxx.se/libcurl/c/CURLMOPT_PIPELINING.html [17] = curl/curl#275 [18] = curl/curl#281 [19] = curl/curl#282 [20] = curl/curl#267 [21] = http://curl.haxx.se/mail/lib-2015-05/0056.html [22] = http://curl.haxx.se/mail/lib-2015-05/0115.html [23] = http://curl.haxx.se/mail/lib-2015-05/0137.html [24] = curl/curl#256 [25] = curl/curl#258 (comment) [26] = curl/curl#292 [27] = https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest [28] = http://curl.haxx.se/mail/lib-2015-06/0047.html [29] = http://curl.haxx.se/mail/lib-2015-06/0019.html [30] = http://curl.haxx.se/docs/adv_20150617A.html [31] = http://curl.haxx.se/docs/adv_20150617B.html [32] = curl/curl#244
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
...f the user does not specify DOMAIN\User format
With the release of Curl 7.40.0, on Windows, SSPI handles http_digest authentication.
I've noticed that the behavior of using digest auth on most non-Microsoft based HTTP servers will return an unauthorized error. This is because the realm in the challenge response is not populated correctly. The only way to authorize access is for the user to have knowledge of the "Realm" of the challenge-message, which is not usually the case.
I've noticed the PHP Windows binaries now use 7.40.0 and compile with USE_WINDOWS_SSPI.
Some examples (user:password) formats specified with CURLOPT_USERPWD:
"User:Password" results in realm="", even though the server has specified a realm (this is NOT OK)
"Realm\User:Password" results in realm="Realm" (this is OK, maybe? Realm specified by the server may not be the same, but Microsoft HTTP servers may deal with this)
This also conflicts with users that may contain "" and servers that don't use the MS DOMAIN\User format. Either way, the behavior significantly varies from using Curl without USE_WINDOWS_SSPI.
Instead, this patch populates the realm from the challenge message if the user does not explicitly use the DOMAIN\User format.
Example:
Domain\User ; domain=Domain, user=User
\Domain\User ; domain=server realm, user=Domain\User
User ; domain=server realm, user=User
Domain\ ; domain=Domain, user=blank
\ ; domain=server realm; user=blank
\ ; domain=server realm; user=\