Changelog
+Daniel (10 September 2004)
+- Bug report #1025986. When following a Location: with a custom Host: header
+ replacement, curl only replaced the Host: header on the initial request
+ and didn't replace it on the following ones. This resulted in requests with
+ two Host: headers.
+
+ Now, curl checks if the location is on the same host as the initial request
+ and then continues to replace the Host: header. And when it moves to another
+ host, it doesn't replace the Host: header but it also doesn't make the
+ second Host: header get used in the request.
+
+ This change is verified by the two new test cases 184 and 185.
+
Daniel (31 August 2004)
- David Tarendash fount out that curl_multi_add_handle() returned
CURLM_CALL_MULTI_PERFORM instead of CURLM_OK.
/* To prevent the user+password to get sent to other than the original
host due to a location-follow, we do some weirdo checks here */
if(!data->state.this_is_a_follow ||
- !data->state.auth_host ||
- curl_strequal(data->state.auth_host, conn->host.name) ||
+ !data->state.first_host ||
+ curl_strequal(data->state.first_host, conn->host.name) ||
data->set.http_disable_hostname_check_before_authentication) {
/* Send proxy authentication header if needed */
return result;
}
- if(conn->bits.user_passwd && !data->state.this_is_a_follow) {
- /* Authorization: is requested, this is not a followed location, get the
- original host name */
- if (data->state.auth_host)
+ if(!data->state.this_is_a_follow) {
+ /* this is not a followed location, get the original host name */
+ if (data->state.first_host)
/* Free to avoid leaking memory on multiple requests*/
- free(data->state.auth_host);
+ free(data->state.first_host);
- data->state.auth_host = strdup(conn->host.name);
+ data->state.first_host = strdup(conn->host.name);
}
return CURLE_OK;
Curl_safefree(conn->allocptr.host);
ptr = checkheaders(data, "Host:");
- if(ptr && !data->state.this_is_a_follow) {
+ if(ptr && (!data->state.this_is_a_follow ||
+ curl_strequal(data->state.first_host, conn->host.name))) {
/* If we have a given custom Host: header, we extract the host name in
order to possibly use it for cookie reasons later on. We only allow the
custom Host: header if this is NOT a redirect, as setting Host: in the
- redirected request is being out on thin ice. */
+ redirected request is being out on thin ice. Except if the host name
+ is the same as the first one! */
char *start = ptr+strlen("Host:");
while(*start && isspace((int)*start ))
start++;
if(ptr != start) {
size_t len=ptr-start;
+ Curl_safefree(conn->allocptr.cookiehost);
conn->allocptr.cookiehost = malloc(len+1);
if(!conn->allocptr.cookiehost)
return CURLE_OUT_OF_MEMORY;
if(*ptr) {
/* only send this if the contents was non-blank */
- result = add_bufferf(req_buffer, "%s\r\n", headers->data);
- if(result)
- return result;
+ if(conn->allocptr.host &&
+ /* a Host: header was sent already, don't pass on any custom Host:
+ header as that will produce *two* in the same request! */
+ curl_strnequal("Host:", headers->data, 5))
+ ;
+ else {
+
+ result = add_bufferf(req_buffer, "%s\r\n", headers->data);
+ if(result)
+ return result;
+ }
}
}
headers = headers->next;
if(data->change.cookielist) /* clean up list if any */
curl_slist_free_all(data->change.cookielist);
- Curl_safefree(data->state.auth_host);
+ Curl_safefree(data->state.first_host);
Curl_safefree(data->state.scratch);
if(data->change.proxy_alloc)
bytes / second */
bool this_is_a_follow; /* this is a followed Location: request */
- char *auth_host; /* if set, this should be the host name that we will
- sent authorization to, no else. Used to make Location:
- following not keep sending user+password... This is
- strdup() data.
+ char *first_host; /* if set, this should be the host name that we will
+ sent authorization to, no else. Used to make Location:
+ following not keep sending user+password... This is
+ strdup() data.
*/
struct curl_ssl_session *session; /* array of 'numsessions' size */
test158 test159 test511 test160 test161 test162 test163 test164 \
test512 test165 test166 test167 test168 test169 test170 test171 \
test172 test204 test205 test173 test174 test175 test176 test177 \
- test513 test514 test178 test179 test180 test181 test182 test183
+ test513 test514 test178 test179 test180 test181 test182 test183 \
+ test184 test185
# The following tests have been removed from the dist since they no longer
# work. We need to fix the test suite's FTPS server first, then bring them
--- /dev/null
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 OK swsbounce\r
+Date: Thu, 09 Nov 2010 14:49:00 GMT\r
+Content-Length: 4\r
+Location: http://yet.another.host/184
+\r
+moo
+</data>
+<data1>
+HTTP/1.1 200 OK\r
+Date: Thu, 09 Nov 2010 14:49:00 GMT\r
+Content-Length: 4\r
+\r
+moo
+</data1>
+<datacheck>
+HTTP/1.1 301 OK swsbounce\r
+Date: Thu, 09 Nov 2010 14:49:00 GMT\r
+Content-Length: 4\r
+Location: http://yet.another.host/184
+\r
+HTTP/1.1 200 OK\r
+Date: Thu, 09 Nov 2010 14:49:00 GMT\r
+Content-Length: 4\r
+\r
+moo
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+SSL
+</features>
+ <name>
+HTTP replace Host: when following Location: to new host
+ </name>
+ <command>
+http://deathstar.another.galaxy/184 -L -H "Host: another.visitor.stay.a.while.stay.foreeeeeever" --proxy http://%HOSTIP:%HTTPPORT
+</command>
+</test>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent: curl/.*
+</strip>
+<protocol>
+GET http://deathstar.another.galaxy/184 HTTP/1.1\r
+User-Agent: curl/7.12.2-CVS (i686-pc-linux-gnu) libcurl/7.12.2-CVS OpenSSL/0.9.6b zlib/1.1.4 libidn/0.4.6\r
+Pragma: no-cache\r
+Accept: */*\r
+Host: another.visitor.stay.a.while.stay.foreeeeeever\r
+\r
+GET http://yet.another.host/184 HTTP/1.1\r
+Host: yet.another.host\r
+Pragma: no-cache\r
+Accept: */*\r
+\r
+</protocol>
+
+</verify>
--- /dev/null
+# Server-side
+<reply>
+<data>
+HTTP/1.1 301 OK swsbounce\r
+Date: Thu, 09 Nov 2010 14:49:00 GMT\r
+Content-Length: 4\r
+Location: go/west/185\r
+\r
+moo
+</data>
+<data1>
+HTTP/1.1 200 OK\r
+Date: Thu, 09 Nov 2010 14:49:00 GMT\r
+Content-Length: 4\r
+\r
+moo
+</data1>
+<datacheck>
+HTTP/1.1 301 OK swsbounce\r
+Date: Thu, 09 Nov 2010 14:49:00 GMT\r
+Content-Length: 4\r
+Location: go/west/185\r
+\r
+HTTP/1.1 200 OK\r
+Date: Thu, 09 Nov 2010 14:49:00 GMT\r
+Content-Length: 4\r
+\r
+moo
+</datacheck>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<features>
+SSL
+</features>
+ <name>
+HTTP replace Host: when following Location: on the same host
+ </name>
+ <command>
+http://deathstar.another.galaxy/185 -L -H "Host: another.visitor.stay.a.while.stay.foreeeeeever" --proxy http://%HOSTIP:%HTTPPORT
+</command>
+</test>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent: curl/.*
+</strip>
+<protocol>
+GET http://deathstar.another.galaxy/185 HTTP/1.1\r
+User-Agent: curl/7.12.2-CVS (i686-pc-linux-gnu) libcurl/7.12.2-CVS OpenSSL/0.9.6b zlib/1.1.4 libidn/0.4.6\r
+Pragma: no-cache\r
+Accept: */*\r
+Host: another.visitor.stay.a.while.stay.foreeeeeever\r
+\r
+GET http://deathstar.another.galaxy/go/west/185 HTTP/1.1\r
+Pragma: no-cache\r
+Accept: */*\r
+Host: another.visitor.stay.a.while.stay.foreeeeeever\r
+\r
+</protocol>
+
+</verify>
projects / thirdparty / curl.git / commitdiff
