BUG/MEDIUM: http-ana: Handle NTLM messages correctly.

When checking www-authenticate headers, we don't want to just accept
"NTLM" as value, because the server may send "HTLM <base64 value>". Instead,
just check that it starts with NTLM.

This should be backported to 2.1, 2.0, 1.9 and 1.8.

diff --git a/src/http_ana.c b/src/http_ana.c
index dd513e99461322494fc1cea58288e4ea1d4798b7..e0fe67e248e8ebcd1e0e9e0e03ef36e38cd56941 100644 (file)
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -1824,7 +1824,7 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
                ctx.blk = NULL;
                while (http_find_header(htx, hdr, &ctx, 0)) {
                        if ((ctx.value.len >= 9 && word_match(ctx.value.ptr, ctx.value.len, "Negotiate", 9)) ||
-                           (ctx.value.len >= 4 && word_match(ctx.value.ptr, ctx.value.len, "NTLM", 4))) {
+                           (ctx.value.len >= 4 && !memcmp(ctx.value.ptr, "NTLM", 4))) {
                                sess->flags |= SESS_FL_PREFER_LAST;
                                srv_conn->flags |= CO_FL_PRIVATE;
                        }