Skip Menu |

This queue is for tickets about the LWP-Authen-Negotiate CPAN distribution.

Report information
The Basics
Id: 68444
Status: open
Priority: 0/
Queue: LWP-Authen-Negotiate
People
Owner: Nobody in particular
Requestors: steven.singer [...] csr.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Tue May 24 12:19:46 2011 steven.singer [...] csr.com - Ticket created
Subject: Negotiate proxy authentication doesn't work - wrong host used
Date: Tue, 24 May 2011 17:19:33 +0100
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Steven Singer <steven.singer [...] csr.com>
If you attempt to access a web site and get bounced by your proxy with error code 407 (proxy authentication required) and if the proxy says it supports Negotiate authentication then LWP::Authen::Negotiate doesn't handle it properly. It's a simple error. The module attempts to look up credentials based on the host of the URI you're trying to connect to instead of the host of the URI of the proxy. That is, suppose you're trying to get to http://www.google.com/ via the proxy http://myproxy.mysite:8080/ and get a 407 error then the module looks up credentials for www.google.com instead of myproxy.mysite. Unsurprisingly, it fails to find any credentials for www.google.com and so doesn't complete the authentication. The fix is simple (diff -u output relative to version 0.08): --- original/LWP/Authen/Negotiate.pm 2009-10-29 20:56:35.000000000 +0000 +++ modified/LWP/Authen/Negotiate.pm 2011-05-24 16:49:29.671089000 +0100 @@ -40,7 +40,7 @@ my ($class,$ua,$proxy,$auth_param,$response,$request,$arg,$size) = @_; my $uri = URI->new($request->uri); - my $targethost = $request->uri()->host(); + my $targethost = $proxy ? $request->{proxy}->host() : $request->uri()->host(); my $otoken; my $status; This fix reaches into the HTTP::Request object but then LWP::Authen::Basic does the same thing. This suggests either that HTTP::Request should get a documented API to retrieve the proxy and/or LWP::UserAgent should be doing this manipulation before calling LWP::Authen::<whatever>. In any event, with the fix I've given, for 407 errors the module looks up credentials for myproxy.mysite and everything works. The module still handles 401 errors correctly. Version details: Perl 5.8.8 LWP::Authen::Negotiate 0.08 LWP::UserAgent 6.02 Linux 2.6.18 -- Steven Singer Software Engineer Cambridge Silicon Radio Ltd. Tel: +44 (0)1223 692000 Fax: +44 (0)1223 692001 Churchill House, Cambridge Business Park, Cowley Road, Cambridge CB4 0WZ, UK Member of the CSR plc group of companies. CSR plc registered in England and Wales, registered number 4187346, registered office Churchill House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom
  Tue May 24 14:40:48 2011 achim [...] grolmsnet.de - Correspondence added
Subject: Re: [rt.cpan.org #68444] Negotiate proxy authentication doesn't work - wrong host used
Date: Tue, 24 May 2011 20:40:31 +0200
To: bug-LWP-Authen-Negotiate [...] rt.cpan.org
From: Achim Grolms <achim [...] grolmsnet.de>
Hi Steven, thanks for the patch, I will add it to the next release of LWP::Authen::Negotiate. Best Regards, Achim On Tuesday 24 May 2011, Steven Singer via RT wrote: Show quoted text
> Tue May 24 12:19:46 2011: Request 68444 was acted upon. > Transaction: Ticket created by steven.singer@csr.com > Queue: LWP-Authen-Negotiate > Subject: Negotiate proxy authentication doesn't work - wrong host used > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: steven.singer@csr.com > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=68444 > > > > If you attempt to access a web site and get bounced by your proxy > with error code 407 (proxy authentication required) and if the proxy > says it supports Negotiate authentication then LWP::Authen::Negotiate > doesn't handle it properly. > > It's a simple error. The module attempts to look up credentials based on > the host of the URI you're trying to connect to instead of the host of > the URI of the proxy. > > That is, suppose you're trying to get to http://www.google.com/ via > the proxy http://myproxy.mysite:8080/ and get a 407 error then the > module looks up credentials for www.google.com instead of > myproxy.mysite. Unsurprisingly, it fails to find any credentials for > www.google.com and so doesn't complete the authentication. > > The fix is simple (diff -u output relative to version 0.08): > > --- original/LWP/Authen/Negotiate.pm 2009-10-29 20:56:35.000000000 +0000 > +++ modified/LWP/Authen/Negotiate.pm 2011-05-24 16:49:29.671089000 +0100 > @@ -40,7 +40,7 @@ > my ($class,$ua,$proxy,$auth_param,$response,$request,$arg,$size) = @_; > > my $uri = URI->new($request->uri); > - my $targethost = $request->uri()->host(); > + my $targethost = $proxy ? $request->{proxy}->host() : > $request->uri()->host(); > > my $otoken; > my $status; > > This fix reaches into the HTTP::Request object but then > LWP::Authen::Basic does the same thing. This suggests either that > HTTP::Request should get a documented API to retrieve the proxy and/or > LWP::UserAgent should be doing this manipulation before calling > LWP::Authen::<whatever>. > > In any event, with the fix I've given, for 407 errors the module looks > up credentials for myproxy.mysite and everything works. The module > still handles 401 errors correctly. > > Version details: > > Perl 5.8.8 > LWP::Authen::Negotiate 0.08 > LWP::UserAgent 6.02 > Linux 2.6.18
  Tue May 24 14:40:49 2011 The RT System itself - Status changed from 'new' to 'open'