
This queue is for tickets about the libwww-perl CPAN distribution.

Report information
The Basics
Id: 111692
Status: resolved
Priority: 0/
Queue: libwww-perl

People
Owner: Nobody in particular
Requestors: A.Guertin [...] F5.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)
Subject: LWP::Authen::Ntlm does not correctly support HTTP 407
Date: Wed, 3 Feb 2016 00:39:57 +0000
To: "bug-libwww-perl [...] rt.cpan.org" <bug-libwww-perl [...] rt.cpan.org>
From: Alec Guertin <A.Guertin [...] F5.com>
The source code seems to indicate that this library is expected to work for both 401 and 407, since it checks whether it needs to use the “Proxy-Authorization” header or the “Authorization” header in this line:

my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization";

but it does not correctly parse the HTTP response from the server. When scanning the response, the authenticate subroutine only checks for “WWW-Authenticate” headers and not “Proxy-Authenticate” headers. As specified by the HTTP Authentication RFC (RFC 7235), HTTP 407 responses should use the “Proxy-Authenticate” header and not the “WWW-Authenticate” header (see https://tools.ietf.org/html/rfc7235#section-3.2).

I have not tested this, but I also believe that it would be safer for the decision to use the “Proxy-Authorization” header to be based on the HTTP response code (“Authorization” to respond to an HTTP 401, “Proxy-Authorization” to respond to an HTTP 407). If a proxy forwards a 401 to the client, this library will incorrectly use the “Proxy-Authorization” header.
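The header pairing the report describes, as an added Python model (not libwww-perl's own code): one function mirrors the reported behaviour of scanning only WWW-Authenticate, the other selects the challenge header by status code as RFC 7235 section 3.2 requires. The sample header blocks are constructed.

```python
# Added example, not libwww-perl's own code: models the RFC 7235 header pairing
# that the report says LWP::Authen::Ntlm gets wrong for 407 responses.
from typing import List, Optional, Tuple

# RFC 7235: the status code selects the (challenge header, credential header) pair.
HEADER_PAIR = {
    401: ("WWW-Authenticate", "Authorization"),
    407: ("Proxy-Authenticate", "Proxy-Authorization"),
}

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs; a header may repeat."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs

def ntlm_challenge(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the first NTLM challenge carried by header `name` (case-insensitive)."""
    for n, v in headers:
        if n.lower() == name.lower() and v.upper().startswith("NTLM"):
            return v
    return None

def select_buggy(status: int, headers) -> Optional[Tuple[str, str]]:
    """Behaviour described in the report: the credential header follows the status
    code, but only WWW-Authenticate is ever scanned, so a 407 challenge is missed."""
    if status not in HEADER_PAIR:
        return None
    challenge = ntlm_challenge(headers, "WWW-Authenticate")
    return (HEADER_PAIR[status][1], challenge) if challenge else None

def select_fixed(status: int, headers) -> Optional[Tuple[str, str]]:
    """Scan the challenge header that matches the status code (RFC 7235 section 3.2)."""
    if status not in HEADER_PAIR:
        return None
    challenge_name, credential_name = HEADER_PAIR[status]
    challenge = ntlm_challenge(headers, challenge_name)
    return (credential_name, challenge) if challenge else None

# Constructed sample responses (header blocks only, status line omitted).
PROXY_407 = "Proxy-Authenticate: NTLM\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\nContent-Length: 0\r\n"
ORIGIN_401 = "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n"

if __name__ == "__main__":
    print(select_buggy(407, parse_headers(PROXY_407)))   # None: challenge never seen
    print(select_fixed(407, parse_headers(PROXY_407)))   # ('Proxy-Authorization', 'NTLM')
    print(select_fixed(401, parse_headers(ORIGIN_401)))  # ('Authorization', 'NTLM')
```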
Subject: Re: [rt.cpan.org #111692] AutoReply: LWP::Authen::Ntlm does not correctly support HTTP 407
Date: Wed, 3 Feb 2016 01:28:43 +0000
To: "bug-libwww-perl [...] rt.cpan.org" <bug-libwww-perl [...] rt.cpan.org>
From: Alec Guertin <A.Guertin [...] F5.com>
I believe I was mistaken about how to choose the authorization header. It seems that the variable $proxy in the line:

my $auth_header = $proxy ? "Proxy-Authorization" : "Authorization";

is set by checking the value of the response code in UserAgent.pm:

my $proxy = ($code == &HTTP::Status::RC_PROXY_AUTHENTICATION_REQUIRED);

So my last comment in the bug can be disregarded.

On 2/2/16, 4:40 PM, "Bugs in libwww-perl via RT" <bug-libwww-perl@rt.cpan.org> wrote: