diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2021-02-12 10:27:42 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2021-02-13 22:36:15 +0100 |
| commit | 46620b97431e19c53ce82e55055c85830f088cf4 (patch) | |
| tree | 672f1b6b90b0dc5dc2693df105ab010def1cd35a /lib/http.c | |
| parent | e992770e8d16e4be2a3da8aa2cef5cfc12e22372 (diff) | |
| download | curl-46620b97431e19c53ce82e55055c85830f088cf4.tar.gz | |
http: use credentials from transfer, not connection
HTTP auth "accidentally" worked before this cleanup since the code would
always overwrite the connection credentials with the credentials from
the most recent transfer and since HTTP auth is typically done first
thing, this has not been an issue. It was still wrong and subject to
possible race conditions or future breakage if the sequence of functions
would change.
The data.set.str[] strings MUST remain unmodified exactly as set by the
user, and the credentials to use internally are instead set/updated in
state.aptr.*
Added test 675 to verify different credentials used in two requests done
over a reused HTTP connection, which previously behaved wrongly.
Fixes #6542
Closes #6545
Diffstat (limited to 'lib/http.c')
| -rw-r--r-- | lib/http.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/lib/http.c b/lib/http.c index d6eceb7d5..33e4c62e5 100644 --- a/lib/http.c +++ b/lib/http.c @@ -298,26 +298,27 @@ static CURLcode http_output_basic(struct Curl_easy *data, bool proxy) { size_t size = 0; char *authorization = NULL; - struct connectdata *conn = data->conn; char **userp; const char *user; const char *pwd; CURLcode result; char *out; + /* credentials are unique per transfer for HTTP, do not use the ones for the + connection */ if(proxy) { #ifndef CURL_DISABLE_PROXY userp = &data->state.aptr.proxyuserpwd; - user = conn->http_proxy.user; - pwd = conn->http_proxy.passwd; + user = data->state.aptr.proxyuser; + pwd = data->state.aptr.proxypasswd; #else return CURLE_NOT_BUILT_IN; #endif } else { userp = &data->state.aptr.userpwd; - user = conn->user; - pwd = conn->passwd; + user = data->state.aptr.user; + pwd = data->state.aptr.passwd; } out = aprintf("%s:%s", user, pwd ? pwd : ""); @@ -709,7 +710,6 @@ output_auth_headers(struct Curl_easy *data, if(authstatus->picked == CURLAUTH_DIGEST) { auth = "Digest"; result = Curl_output_digest(data, - conn, proxy, (const unsigned char *)request, (const unsigned char *)path); @@ -756,11 +756,14 @@ output_auth_headers(struct Curl_easy *data, #ifndef CURL_DISABLE_PROXY infof(data, "%s auth using %s with user '%s'\n", proxy ? "Proxy" : "Server", auth, - proxy ? (conn->http_proxy.user ? conn->http_proxy.user : "") : - (conn->user ? conn->user : "")); + proxy ? (data->state.aptr.proxyuser ? + data->state.aptr.proxyuser : "") : + (data->state.aptr.user ? + data->state.aptr.user : "")); #else infof(data, "Server auth using %s with user '%s'\n", - auth, conn->user ? conn->user : ""); + auth, data->state.aptr.user ? + data->state.aptr.user : ""); #endif authstatus->multipass = (!authstatus->done) ? TRUE : FALSE; } |