Skip Menu |
 

This queue is for tickets about the libwww-perl CPAN distribution.

Report information
The Basics
Id: 111692
Status: resolved
Priority: 0/
Queue: libwww-perl

People
Owner: Nobody in particular
Requestors: A.Guertin [...] F5.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: LWP::Authen::Ntlm does not correctly support HTTP 407
Date: Wed, 3 Feb 2016 00:39:57 +0000
To: "bug-libwww-perl [...] rt.cpan.org" <bug-libwww-perl [...] rt.cpan.org>
From: Alec Guertin <A.Guertin [...] F5.com>
The source code seems to indicate that this library is expected to work for both 401 and 407 since it checks whether it needs to use the “Proxy-Authorization” header or the “Authorization” header in this line: my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization”; but does not correctly parse the HTTP response from the server. When scanning the response, the authenticate subroutine only checks for “WWW-Authenticate” headers and not “Proxy-Authenticate” headers. As specified by the HTTP Authentication RFC (RFC 7235), HTTP 407 responses should use the “Proxy-Authenticate” header and not the “WWW-Authenticate” header (see https://tools.ietf.org/html/rfc7235#section-3.2). I have not tested this, but I also believe that it would be safer for the decision to use the “Proxy-Authorization” header to be based on the HTTP response code (“Authorization” to respond to a HTTP 401, “Proxy-Authorization” to response to a HTTP 407). If a proxy forwards a 401 to the client, this library will incorrectly use the “Proxy-Authorization” header.
Subject: Re: [rt.cpan.org #111692] AutoReply: LWP::Authen::Ntlm does not correctly support HTTP 407
Date: Wed, 3 Feb 2016 01:28:43 +0000
To: "bug-libwww-perl [...] rt.cpan.org" <bug-libwww-perl [...] rt.cpan.org>
From: Alec Guertin <A.Guertin [...] F5.com>
Download (untitled) / with headers
text/plain 2.3k
I believe I was mistaken about how to choose the authorization header. It seems that the variable $proxy in the line: my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization”; Is set by checking the value of the response code in UserAgent.pm: my $proxy = ($code == &HTTP::Status::RC_PROXY_AUTHENTICATION_REQUIRED); So my last comment in the bug can be disregarded. On 2/2/16, 4:40 PM, "Bugs in libwww-perl via RT" <bug-libwww-perl@rt.cpan.org> wrote: Show quoted text
> >Greetings, > >This message has been automatically generated in response to the >creation of a trouble ticket regarding: > "LWP::Authen::Ntlm does not correctly support HTTP 407", >a summary of which appears below. > >There is no need to reply to this message right now. Your ticket has been >assigned an ID of [rt.cpan.org #111692]. Your ticket is accessible >on the web at: > > https://rt.cpan.org/Ticket/Display.html?id=111692 > >Please include the string: > > [rt.cpan.org #111692] > >in the subject line of all future correspondence about this issue. To do so, >you may reply to this message. > > Thank you, > bug-libwww-perl@rt.cpan.org > >------------------------------------------------------------------------- >The source code seems to indicate that this library is expected to work for both 401 and 407 since it checks whether it needs to use the “Proxy-Authorization” header or the “Authorization” header in this line: > > > >my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization”; > > > >but does not correctly parse the HTTP response from the server. When scanning the response, the authenticate subroutine only checks for “WWW-Authenticate” headers and not “Proxy-Authenticate” headers. As specified by the HTTP Authentication RFC (RFC 7235), HTTP 407 responses should use the “Proxy-Authenticate” header and not the “WWW-Authenticate” header (see https://tools.ietf.org/html/rfc7235#section-3.2). > > > >I have not tested this, but I also believe that it would be safer for the decision to use the “Proxy-Authorization” header to be based on the HTTP response code (“Authorization” to respond to a HTTP 401, “Proxy-Authorization” to response to a HTTP 407). If a proxy forwards a 401 to the client, this library will incorrectly use the “Proxy-Authorization” header.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.