#1161 libcurl fails to POST > 2000 bytes to a proxy using NTLM

closed-fixed
libcurl (356)
5
2014-08-16
2012-10-31
No

We're seeing problems with libcurl using an NTLM proxy when the request to be proxied has more than 2000 bytes of POST data. This has been seen with both Forefront and Squid. The problem appears to stem from an incomplete conditional contained in function http_perhapsrewind() of lib file http.c.

The conditional in question accounts for the state of conn->ntlm, but does not contain the same check for conn->proxyntlm. Adding the missing check allows authentication to complete for any POST data greater than 2,000 bytes (as this is also part of the conditional).

Please let us know if we missed anywhere else in the code that may also pose a problem or if there are any other corrections. Again, the patch appears to have fixed this issue, which did not present itself for POST sizes less than 2,000 bytes, i.e. posting data less than this amount resulted in no problem, while posting data greater than this amount resulted in a 407 error with a closed connection.

I am including test output below this message from before and after the patch was applied to http.c.

Thanks

BEFORE PATCH:
* About to connect() to proxy 172.26.21.103 port 8080 (#0)
* Trying 172.26.21.103...
* connected
* Connected to 172.26.21.103 (172.26.21.103) port 8080 (#0)
* Establish HTTP proxy tunnel to 172.26.21.145:443
* Proxy auth using NTLM with user 'Administrator'
> CONNECT 172.26.21.145:443 HTTP/1.1
Host: 172.26.21.145:443
Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
User-Agent: XXX (20121023946)
Proxy-Connection: Keep-Alive

< HTTP/1.0 407 Proxy Authentication Required
< Server: squid/2.6.STABLE21
< Date: Wed, 31 Oct 2012 XX:XX:XX GMT
< Content-Type: text/html
< Content-Length: 1279
< Expires: Wed, 31 Oct 2012 XX:XX:XX GMT
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADAAAAAGgokApWQfl33BmzYAAAAAAAAAAEgASAA2AAAAVEFSR0VUAgAMAFQAQQBSAEcARQBUAAEAFABVAFQASQBMADMAUwBRAFUASQBEAAQAAAADABQAVQB0AGkAbAAzAFMAcQB1AGkAZAAAAAAA
< X-Cache: MISS from squid_cent5
< X-Cache-Lookup: NONE from squid_cent5:3128
< Via: 1.0 squid_cent5:3128 (squid/2.6.STABLE21)
< Proxy-Connection: keep-alive
<
* Ignore 1279 bytes of response-body
* NTLM send, close instead of sending 2040 bytes
* Received HTTP code 407 from proxy after CONNECT
* About to connect() to proxy 172.26.21.103 port 8080 (#0)
* Trying 172.26.21.103...
* connected
* Connected to 172.26.21.103 (172.26.21.103) port 8080 (#0)
* Establish HTTP proxy tunnel to 172.26.21.145:443
* Proxy auth using NTLM with user 'Administrator'
> CONNECT 172.26.21.145:443 HTTP/1.1
Host: 172.26.21.145:443
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAADQANAHAAAAAIAAgAfQAAAAAAAAAAAAAABoKJANoYYwiU1dgNAAAAAAAAAAAAAAAAAAAAAOrKosCGT3wm8kB/EeKlL9wgHjwPHveMDUFkbWluaXN0cmF0b3JKb2huLURldg==
User-Agent: XXX (20121023946)
Proxy-Connection: Keep-Alive

< HTTP/1.0 407 Proxy Authentication Required
< Server: squid/2.6.STABLE21
< Date: Wed, 31 Oct 2012 XX:XX:XX GMT
< Content-Type: text/html
< Content-Length: 1279
< Expires: Wed, 31 Oct 2012 XX:XX:XX GMT
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Proxy-Authenticate: NTLM
* NTLM handshake rejected
* Authentication problem. Ignoring this.
< Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
< X-Cache: MISS from squid_cent5
< X-Cache-Lookup: NONE from squid_cent5:3128
< Via: 1.0 squid_cent5:3128 (squid/2.6.STABLE21)
< Proxy-Connection: close
<
* Received HTTP code 407 from proxy after CONNECT
* Closing connection #0

AFTER PATCH:
* About to connect() to proxy 172.26.21.103 port 8080 (#0)
* Trying 172.26.21.103...
* connected
* Connected to 172.26.21.103 (172.26.21.103) port 8080 (#0)
* Establish HTTP proxy tunnel to 172.26.21.145:443
* Proxy auth using NTLM with user 'Administrator'
> CONNECT 172.26.21.145:443 HTTP/1.1
Host: 172.26.21.145:443
Proxy-Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=
User-Agent: XXX (20121023946)
Proxy-Connection: Keep-Alive

< HTTP/1.0 407 Proxy Authentication Required
< Server: squid/2.6.STABLE21
< Date: Wed, 31 Oct 2012 XX:XX:XX GMT
< Content-Type: text/html
< Content-Length: 1279
< Expires: Wed, 31 Oct 2012 XX:XX:XX GMT
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Proxy-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADAAAAAGgokAFdWVabT3i1kAAAAAAAAAAEgASAA2AAAAVEFSR0VUAgAMAFQAQQBSAEcARQBUAAEAFABVAFQASQBMADMAUwBRAFUASQBEAAQAAAADABQAVQB0AGkAbAAzAFMAcQB1AGkAZAAAAAAA
< X-Cache: MISS from squid_cent5
< X-Cache-Lookup: NONE from squid_cent5:3128
< Via: 1.0 squid_cent5:3128 (squid/2.6.STABLE21)
< Proxy-Connection: keep-alive
<
* Ignore 1279 bytes of response-body
* Rewind stream after send
* TUNNEL_STATE switched to: 0
* Establish HTTP proxy tunnel to 172.26.21.145:443
* Proxy auth using NTLM with user 'Administrator'
> CONNECT 172.26.21.145:443 HTTP/1.1
Host: 172.26.21.145:443
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAADQANAHAAAAAIAAgAfQAAAAAAAAAAAAAABoKJAN05cMlfHwrQAAAAAAAAAAAAAAAAAAAAALiG7+OdEgBp7bsaaMgLyVKfKEFjYhhX4EFkbWluaXN0cmF0b3JKb2huLURldg==
User-Agent: XXX (20121023946)
Proxy-Connection: Keep-Alive

< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
...
> POST /policy/add HTTP/1.1
User-Agent: XXX (20121023946)
Host: 172.26.21.145
Accept: */*
Content-Length: 2040
Content-Type: application/x-www-form-urlencoded
Expect: 100-continue

* Done waiting for 100-continue
< HTTP/1.1 200 OK
< Date: Wed, 31 Oct 2012 XX:XX:XX GMT
< Server: XXX
< Connection: close
< Expires: Wed, 31 Oct 2012 XX:XX:XX GMT
< Content-Length: 91108
< Content-Type: text/xml
< X-Frame-Options: DENY
< Cache-Control:
< Expires: 0
< Pragma :
<
* Closing connection #0

--
John Suprock
Software Engineer
Tenable Network Security, Inc.
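The decision the report attributes to http_perhapsrewind() can be modelled in a few lines. The block below is an added example, not libcurl's code: the enum, type and function names are hypothetical, and only the 2000-byte threshold and the conn->ntlm versus conn->proxyntlm distinction come from the report. It replays the report's scenario (a 2040-byte POST while the proxy NTLM handshake is mid-flight) against the pre-patch predicate, which consults only the host-side state, and the patched predicate, which consults both. The reason the close branch is fatal is that NTLM authenticates the TCP connection rather than the request: once libcurl closes and reconnects, the type-3 message it sends answers a challenge the proxy issued on a connection that no longer exists, which is exactly the "NTLM handshake rejected" line in the BEFORE PATCH log.

```c
/* Added example: a model of the keep-sending-or-close decision that the report
 * attributes to http_perhapsrewind() in lib/http.c.  This is not libcurl's own
 * code; every type and function name below is hypothetical.  Only the 2000-byte
 * threshold and the conn->ntlm / conn->proxyntlm distinction come from the report. */
#include <stdio.h>
#include <stddef.h>

/* Hypothetical NTLM handshake states, tracked separately for host and proxy. */
typedef enum {
    NTLM_NONE,           /* no NTLM negotiation in progress */
    NTLM_TYPE1_SENT,     /* negotiate message sent */
    NTLM_TYPE2_RECEIVED, /* challenge received; the type-3 reply is only valid on this same connection */
    NTLM_TYPE3_SENT      /* authenticate message sent */
} ntlm_state_t;

typedef enum {
    KEEP_SENDING_AND_REWIND, /* corresponds to the log line "Rewind stream after send" */
    CLOSE_AND_RECONNECT      /* corresponds to "NTLM send, close instead of sending N bytes" */
} rewind_decision_t;

static size_t bytes_left(size_t expectsend, size_t bytessent)
{
    return expectsend > bytessent ? expectsend - bytessent : 0;
}

/* Pre-patch predicate as the report describes it: only the host-side state is
 * consulted, so a proxy handshake with a large body falls into the close branch. */
rewind_decision_t decide_before_patch(ntlm_state_t ntlm, ntlm_state_t proxyntlm,
                                      size_t expectsend, size_t bytessent)
{
    (void)proxyntlm; /* the defect: the proxy handshake state is ignored here */
    if (bytes_left(expectsend, bytessent) < 2000 || ntlm != NTLM_NONE)
        return KEEP_SENDING_AND_REWIND;
    return CLOSE_AND_RECONNECT;
}

/* Patched predicate: a handshake in progress on either side keeps the connection. */
rewind_decision_t decide_after_patch(ntlm_state_t ntlm, ntlm_state_t proxyntlm,
                                     size_t expectsend, size_t bytessent)
{
    if (bytes_left(expectsend, bytessent) < 2000 ||
        ntlm != NTLM_NONE || proxyntlm != NTLM_NONE)
        return KEEP_SENDING_AND_REWIND;
    return CLOSE_AND_RECONNECT;
}

int main(void)
{
    /* Constructed scenario mirroring the report's logs: a 2040-byte POST through a
     * proxy that has just answered the type-1 message with a type-2 challenge, and
     * no host-side NTLM negotiation. */
    const size_t post_len = 2040;
    rewind_decision_t before = decide_before_patch(NTLM_NONE, NTLM_TYPE2_RECEIVED, post_len, 0);
    rewind_decision_t after  = decide_after_patch(NTLM_NONE, NTLM_TYPE2_RECEIVED, post_len, 0);

    printf("before patch, %zu-byte body: %s\n", post_len,
           before == CLOSE_AND_RECONNECT
               ? "close; the type-3 reply then goes out on a fresh connection and is rejected"
               : "keep sending");
    printf("after patch,  %zu-byte body: %s\n", post_len,
           after == KEEP_SENDING_AND_REWIND ? "keep sending, rewind after send" : "close");

    /* A small body never hit the bug, matching the report's "less than 2,000 bytes" observation. */
    printf("before patch, 1500-byte body: %s\n",
           decide_before_patch(NTLM_NONE, NTLM_TYPE2_RECEIVED, 1500, 0) == KEEP_SENDING_AND_REWIND
               ? "keep sending" : "close");
    return 0;
}
```

The model makes the asymmetry visible: with the host-only check, a 2040-byte body during a proxy handshake is closed while the same body during a host handshake is not, which is the behaviour the BEFORE and AFTER logs above show.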

Discussion

  • John Suprock - 2012-11-02

    NTLM proxy fix for http.c

  • Daniel Stenberg - 2012-11-07
    • status: open --> closed-fixed
