From 78e74de238479c2cc316cf6f888c53ddd087b51b Mon Sep 17 00:00:00 2001
From: Dan Winship <danw@gnome.org>
Date: Thu, 5 Mar 2015 12:22:22 -0500
Subject: soup-auth-ntlm: always close connection after NTLM failure

SoupAuthNTLM can't recover from receiving a 401 on a previously
authenticated connection. It was assuming that any such 401 would
result in the connection being closed, but that's apparently sometimes
not the case. Force it to get closed anyway in those cases.

https://bugzilla.redhat.com/show_bug.cgi?id=1196765
https://bugzilla.gnome.org/show_bug.cgi?id=735197
---
 libsoup/soup-auth-ntlm.c | 11 +++++++----
 tests/ntlm-test.c        |  8 ++++----
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index ddb6b2ed..926fd4a8 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -303,12 +303,15 @@ soup_auth_ntlm_update_connection (SoupConnectionAuth *auth, SoupMessage *msg,
 	if (conn->state > SOUP_NTLM_SENT_REQUEST) {
 		if (priv->password_state == SOUP_NTLM_PASSWORD_ACCEPTED) {
 			/* We know our password is correct, so a 401
-			 * means "permission denied". Since the conn
-			 * state is now FAILED, the auth is no longer
-			 * is_ready() for this message, so this will
-			 * cause a "retrying" authenticate signal.
+			 * means "permission denied". The code can't deal
+			 * with re-authenticating correctly, so make sure
+			 * we don't try.
 			 */
 			conn->state = SOUP_NTLM_FAILED;
+			if (soup_message_is_keepalive (msg)) {
+				soup_message_headers_append (msg->response_headers,
+							     "Connection", "close");
+			}
 			return TRUE;
 		}
 
diff --git a/tests/ntlm-test.c b/tests/ntlm-test.c
index a0e02ab4..11d40c3a 100644
--- a/tests/ntlm-test.c
+++ b/tests/ntlm-test.c
@@ -456,12 +456,12 @@ do_ntlm_round (SoupURI *base_uri, gboolean use_ntlm,
 		    SOUP_STATUS_UNAUTHORIZED);
 
 	/* 8. Server accepts Basic or NTLM from either user.
-	 * Alice-via-NTLM is still authenticated at this point from #6,
-	 * and Bob-via-NTLM is authenticated from #7, so neither
-	 * of them will do anything.
+	 * NTLM users will try NTLM without getting a prompt (their
+	 * previous NTLM connections will have been closed by the 401
+	 * from /basic). Non-NTLM users will be prompted for either.
 	 */
 	do_message (session, base_uri, "/either",
-		    !use_ntlm, FALSE,
+		    !use_ntlm, use_ntlm,
 		    !use_ntlm, !use_ntlm && user != NULL,
 		    user != NULL ? SOUP_STATUS_OK :
 		    SOUP_STATUS_UNAUTHORIZED);
-- 
cgit v1.2.1