PHP :: Bug #58835 :: Proxy-Auth. and WWW-Auth. credentials mixed after connection reuse

Bug #58835	Proxy-Auth. and WWW-Auth. credentials mixed after connection reuse
Submitted:	2009-08-27 10:24 UTC	Modified:	2012-02-21 13:31 UTC
From:	michal dot kocarek at brainbox dot cz	Assigned:	mike (profile)
Status:	No Feedback	Package:	pecl_http (PECL)
PHP Version:	5_3 CVS-2009-08-27 (dev)	OS:	Windows XP Pro SP3 (x86 VC9)
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	michal dot kocarek at brainbox dot cz
New email:
PHP Version:		OS:

New Comment:

[2009-08-27 10:24 UTC] michal dot kocarek at brainbox dot cz

Description:
------------
HTTP extension or cURL library uses bad authentication credentials while reusing connection.

Requested behavior:
1) Request page from local NTLM-authenticated website
2) Then request page from internet over NTLM-authenticated proxy

Actually, second request fails. Instead of sending ?Proxy-Authorization: NTLM ?? header, library sends out ?Authorization: NTLM ?? header and ?Proxy-Authorization: Basic ?? header.

This is quite bad, because PHP tries to authenticate using Basic authorization to the proxy using passed credentials in step (2) and also tries to authenticate on target server using same credentials and NTLM method.

Reproduce code:
---------------
<?

// Configuration for first request
$r1_url = 'http://site.with.ntlm.authentication.com/';
$r1_meth = HttpRequest::METH_GET;
$r1_opts = array(
	'httpauth' => 'DOMAIN\\user:pass',
	'httpauthtype' => HTTP_AUTH_NTLM,
);

// Configuration for second request
$r2_url = 'http://www.php.net/';
$r2_meth = HttpRequest::METH_GET;
$r2_opts = array(
	'proxytype' => HTTP_PROXY_HTTP,
	'proxyhost' => 'proxyserver.with.ntlm.authentication',
	'proxyport' => 80,
	'proxyauth' => 'DOMAIN\\user:pass',
	'proxyauthtype' => HTTP_AUTH_NTLM,
);

// Send request 1 to server with NTLM authentication
$r1 = new HttpRequest($r1_url, $r1_meth, $r1_opts);
try {
	$r1->send();
} catch (HttpException $e) {}

// Expect to echo "200"
echo $r1->getResponseCode()."\r\n";

// Send request 2 to server over proxy with PROXY NTLM authentication
$r2 = new HttpRequest($r2_url, $r2_meth, $r2_opts);
try {
	$r2->send();
} catch (HttpException $e) {}

// Expect to echo "200"
echo $r2->getResponseCode()."\r\n";

?>

Expected result:
----------------
// I expect to see two times successfull HTTP result

200
200

// Expected HTTP communication (authorization headers) for the requests
(1) C&#8594;S: GET / HTTP/1.1
         Authorization: NTLM ? (first auth. header)
         ?
    S&#8594;C: HTTP/1.1 401 Unauthorized
         WWW-Authenticate: NTLM ? (second auth. header)
         ?

    C&#8594;S: GET / HTTP/1.1
         Authorization: NTLM ? (final auth. header)
    S&#8594;C: HTTP/1.1 200 OK
         ?

(2) C&#8594;S: GET http://www.php.net/ HTTP/1.1
         Proxy-Authorization: NTLM ? (first auth. header)
         ?
    S&#8594;C: HTTP/1.1 401 Unauthorized
         Proxy-Authenticate: NTLM ? (second auth. header)
         ?

    C&#8594;S: GET http://www.php.net/ HTTP/1.1
         Proxy-Authorization: NTLM ? (final auth. header)
    S&#8594;C: HTTP/1.1 200 OK
         ?

Actual result:
--------------
// However, second connection fails telling
// 407 Proxy Authentication Required

200
407

// Actual HTTP communication (authorization headers) for the requests
(1) C&#8594;S: GET / HTTP/1.1
         Authorization: NTLM ? (first auth. header)
         ?
    S&#8594;C: HTTP/1.1 401 Unauthorized
         WWW-Authenticate: NTLM ? (second auth. header)
         ?

    C&#8594;S: GET / HTTP/1.1
         Authorization: NTLM ? (final auth. header)
    S&#8594;C: HTTP/1.1 200 OK
         ?

(2) C&#8594;S: GET http://www.php.net/ HTTP/1.1
         Proxy-Authorization: Basic ? (BAD BAD BAD!)
         Authorization: NTLM ? (BAD BAD BAD!)
         ?
    S&#8594;C: HTTP/1.1 407 Proxy Authentication Required
         Proxy-Authenticate: NTLM

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-08-27 10:26 UTC] michal dot kocarek at brainbox dot cz

I have forgotten. I have found a work-around:

Call http_persistent_handles_clean() between the requests.

[2009-08-31 04:41 UTC] mike@php.net

Please provide version numbers for pecl_http and libcurl.

[2009-08-31 08:55 UTC] michal dot kocarek at brainbox dot cz

HTTP extension: 1.6.5
libcurl: 7.19.4

PS: I think I tested it on 1.7.0-dev (CVS revision from last week) as well, but cannot guarantee for 100%

[2009-09-02 08:07 UTC] mike@php.net

This bug has been fixed in CVS.

In case this was a documentation problem, the fix will show up at the
end of next Sunday (CET) on pecl.php.net.

In case this was a pecl.php.net website problem, the change will show
up on the website in short time.
 
Thank you for the report, and for helping us make PECL better.

[2009-09-04 05:43 UTC] michal dot kocarek at brainbox dot cz

Request still fails on latest SVN version of the library. (http 1.7.0-dev, libcurl 7.19.4)

Steps to reproduce:
1) Request on local webserver, without any credentials
2) Request on local webserver, with credentials
3) Request on internet over proxy with NTLM credentials

Steps must be exactly in order 1 -> 2 -> 3. Other order works perfectly. 

During step 2, it is not important if authentication is successfull, in both cases (response 200 or 401) step 3 fails on 407.

Reproduce code:
---------------

<?

function request($url, $method, $options) {
	// Send request 1 to server with NTLM authentication
	$r = new HttpRequest($url, $method, $options);
	try {
		$r->send();
	} catch (HttpException $e) {}
	
	// Expect to echo "200"
	echo $r->getResponseCode()."\r\n";
}

// Local request without any credentials
request('http://localhost/', HttpRequest::METH_GET, array());

// Local request with NTLM login credentials
request('http://prague.intranet.cliffordchance.com/homepage/', HttpRequest::METH_GET, array(
	'httpauth' => 'UK\\908077:kocourek',
	'httpauthtype' => HTTP_AUTH_NTLM,
));

// Request over proxy with NTLM proxy credentials
request('http://www.php.net/', HttpRequest::METH_POST, array(
	'proxytype' => HTTP_PROXY_HTTP,
	'proxyhost' => 'w2karray',
	'proxyport' => 80,
	'proxyauth' => 'UK\\908077:kocourek',
	'proxyauthtype' => HTTP_AUTH_NTLM,
));

?>

Expected result:
----------------
200
200
200

Actual result:
--------------
200
200
407

[2009-12-10 08:40 UTC] mike@php.net

I'm sorry, I don't have a NTLM server at hand to test your issue.

[2011-12-02 09:02 UTC] mike@php.net

Is this still an issue?

[2011-12-02 09:02 UTC] mike@php.net

-Status: Suspended +Status: Feedback

[2012-02-21 13:31 UTC] mike@php.net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

[2012-02-21 13:31 UTC] mike@php.net

-Status: Feedback +Status: No Feedback

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 23:01:28 2024 UTC