Bug #58835 Proxy-Auth. and WWW-Auth. credentials mixed after connection reuse
Submitted: 2009-08-27 10:24 UTC
Modified: 2012-02-21 13:31 UTC
From: michal dot kocarek at brainbox dot cz
Assigned: mike
Status: No Feedback
Package: pecl_http (PECL)
PHP Version: 5_3 CVS-2009-08-27 (dev)
OS: Windows XP Pro SP3 (x86 VC9)
Private report: No
CVE-ID: None

 [2009-08-27 10:24 UTC] michal dot kocarek at brainbox dot cz
Description:
------------
The HTTP extension or cURL library uses bad authentication credentials while reusing a connection.

Requested behavior:
1) Request page from local NTLM-authenticated website
2) Then request page from internet over NTLM-authenticated proxy

Actually, the second request fails. Instead of sending a "Proxy-Authorization: NTLM ..." header, the library sends out an "Authorization: NTLM ..." header and a "Proxy-Authorization: Basic ..." header.

This is quite bad, because PHP tries to authenticate to the proxy using Basic authorization with the credentials passed in step (2), and also tries to authenticate on the target server using the same credentials and the NTLM method.

Reproduce code:
---------------
<?php

// Configuration for first request
$r1_url = 'http://site.with.ntlm.authentication.com/';
$r1_meth = HttpRequest::METH_GET;
$r1_opts = array(
	'httpauth' => 'DOMAIN\\user:pass',
	'httpauthtype' => HTTP_AUTH_NTLM,
);

// Configuration for second request
$r2_url = 'http://www.php.net/';
$r2_meth = HttpRequest::METH_GET;
$r2_opts = array(
	'proxytype' => HTTP_PROXY_HTTP,
	'proxyhost' => 'proxyserver.with.ntlm.authentication',
	'proxyport' => 80,
	'proxyauth' => 'DOMAIN\\user:pass',
	'proxyauthtype' => HTTP_AUTH_NTLM,
);

// Send request 1 to server with NTLM authentication
$r1 = new HttpRequest($r1_url, $r1_meth, $r1_opts);
try {
	$r1->send();
} catch (HttpException $e) {}

// Expect to echo "200"
echo $r1->getResponseCode()."\r\n";

// Send request 2 to server over proxy with PROXY NTLM authentication
$r2 = new HttpRequest($r2_url, $r2_meth, $r2_opts);
try {
	$r2->send();
} catch (HttpException $e) {}

// Expect to echo "200"
echo $r2->getResponseCode()."\r\n";

?>

Expected result:
----------------
// I expect to see a successful HTTP result twice

200
200

// Expected HTTP communication (authorization headers) for the requests
(1) C→S: GET / HTTP/1.1
         Authorization: NTLM ... (first auth. header)
         ...
    S→C: HTTP/1.1 401 Unauthorized
         WWW-Authenticate: NTLM ... (second auth. header)
         ...

    C→S: GET / HTTP/1.1
         Authorization: NTLM ... (final auth. header)
    S→C: HTTP/1.1 200 OK
         ...

(2) C→S: GET http://www.php.net/ HTTP/1.1
         Proxy-Authorization: NTLM ... (first auth. header)
         ...
    S→C: HTTP/1.1 401 Unauthorized
         Proxy-Authenticate: NTLM ... (second auth. header)
         ...

    C→S: GET http://www.php.net/ HTTP/1.1
         Proxy-Authorization: NTLM ... (final auth. header)
    S→C: HTTP/1.1 200 OK
         ...

Actual result:
--------------
// However, the second connection fails, reporting
// 407 Proxy Authentication Required

200
407

// Actual HTTP communication (authorization headers) for the requests
(1) C→S: GET / HTTP/1.1
         Authorization: NTLM ... (first auth. header)
         ...
    S→C: HTTP/1.1 401 Unauthorized
         WWW-Authenticate: NTLM ... (second auth. header)
         ...

    C→S: GET / HTTP/1.1
         Authorization: NTLM ... (final auth. header)
    S→C: HTTP/1.1 200 OK
         ...

(2) C→S: GET http://www.php.net/ HTTP/1.1
         Proxy-Authorization: Basic ... (BAD BAD BAD!)
         Authorization: NTLM ... (BAD BAD BAD!)
         ...
    S→C: HTTP/1.1 407 Proxy Authentication Required
         Proxy-Authenticate: NTLM

 [2009-08-27 10:26 UTC] michal dot kocarek at brainbox dot cz
I have forgotten. I have found a work-around:

Call http_persistent_handles_clean() between the requests.
 [2009-08-31 04:41 UTC] mike@php.net
Please provide version numbers for pecl_http and libcurl.
 [2009-08-31 08:55 UTC] michal dot kocarek at brainbox dot cz
HTTP extension: 1.6.5
libcurl: 7.19.4

PS: I think I tested it on 1.7.0-dev (CVS revision from last week) as well, but cannot guarantee it 100%.
 [2009-09-02 08:07 UTC] mike@php.net
This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.


 [2009-09-04 05:43 UTC] michal dot kocarek at brainbox dot cz
Request still fails on latest SVN version of the library. (http 1.7.0-dev, libcurl 7.19.4)

Steps to reproduce:
1) Request on local webserver, without any credentials
2) Request on local webserver, with credentials
3) Request on internet over proxy with NTLM credentials

Steps must be exactly in order 1 -> 2 -> 3. Other order works perfectly. 

During step 2, it is not important if authentication is successful; in both cases (response 200 or 401) step 3 fails on 407.

Reproduce code:
---------------

<?php

function request($url, $method, $options) {
	// Send the request with the given URL, method and options
	$r = new HttpRequest($url, $method, $options);
	try {
		$r->send();
	} catch (HttpException $e) {}
	
	// Expect to echo "200"
	echo $r->getResponseCode()."\r\n";
}

// Local request without any credentials
request('http://localhost/', HttpRequest::METH_GET, array());

// Local request with NTLM login credentials
request('http://prague.intranet.cliffordchance.com/homepage/', HttpRequest::METH_GET, array(
	'httpauth' => 'UK\\908077:kocourek',
	'httpauthtype' => HTTP_AUTH_NTLM,
));

// Request over proxy with NTLM proxy credentials
request('http://www.php.net/', HttpRequest::METH_POST, array(
	'proxytype' => HTTP_PROXY_HTTP,
	'proxyhost' => 'w2karray',
	'proxyport' => 80,
	'proxyauth' => 'UK\\908077:kocourek',
	'proxyauthtype' => HTTP_AUTH_NTLM,
));

?>

Expected result:
----------------
200
200
200

Actual result:
--------------
200
200
407
 [2009-12-10 08:40 UTC] mike@php.net
I'm sorry, I don't have an NTLM server at hand to test your issue.
 [2011-12-02 09:02 UTC] mike@php.net
Is this still an issue?
 [2011-12-02 09:02 UTC] mike@php.net
-Status: Suspended +Status: Feedback
 [2012-02-21 13:31 UTC] mike@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 [2012-02-21 13:31 UTC] mike@php.net
-Status: Feedback +Status: No Feedback
 