From: Pierre LALET <pierre.lalet@cea.fr>
Date: Wed, 20 Jul 2011 11:01:24 +0000 (+1200)
Subject: Bug 3248: login=NEGOTIATE sends wrong auth header to origin peers
X-Git-Tag: take08~55^2~54
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=63f03f790981f8411a7a5ffd6c91ff3c5f988ea8;p=thirdparty%2Fsquid.git

Bug 3248: login=NEGOTIATE sends wrong auth header to origin peers
---

diff --git a/src/cf.data.pre b/src/cf.data.pre
index a938475c69..fe406af88f 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -2244,6 +2244,10 @@ DOC_START
 			The first principal from the default keytab or defined by
 			the environment variable KRB5_KTNAME will be used. 
 	
+			WARNING: The connection may transmit requests from multiple
+			clients. Negotiate often assumes end-to-end authentication
+			and a single-client. Which is not strictly true here.
+	
 	login=NEGOTIATE:principal_name
 			If this is a personal/workgroup proxy and your parent
 			requires a secure proxy authentication. 
@@ -2251,6 +2255,10 @@ DOC_START
 			defined by the environment variable KRB5_KTNAME will be
 			used.
 	
+			WARNING: The connection may transmit requests from multiple
+			clients. Negotiate often assumes end-to-end authentication
+			and a single-client. Which is not strictly true here.
+	
 	connection-auth=on|off
 			Tell Squid that this peer does or not support Microsoft
 			connection oriented authentication, and any such
diff --git a/src/http.cc b/src/http.cc
index d1b587733b..eb52abcfba 100644
--- a/src/http.cc
+++ b/src/http.cc
@@ -1603,7 +1603,7 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
         }
         Token = peer_proxy_negotiate_auth(PrincipalName, request->peer_host);
         if (Token) {
-            httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Negotiate %s",Token);
+            httpHeaderPutStrf(hdr_out, header, "Negotiate %s",Token);
         }
         return;
     }