Hiya,

On Friday, March 7, 2003, at 11:39 AM, Bruno David Rodrigues wrote:

Quoting Stipe Tolj <[EMAIL PROTECTED]>:

Hi Bruno,

I see from
http://www.kannel.org/cgi-bin/viewcvs.cgi/gateway/gwlib/http.c?annotate=1.184
that you added the following block to gwlib/http.c:

...
1158 davi    1.154      for(i = at2 + 1; i < at ; i++)
1159                        octstr_set_char(url, i, '*');
...

which does clear the HTTP basic auth password with stars ('*'). This
breaks the HTTP basic auth function, see smsbox.log:

Then, url was not used because you won't need it anymore, except for logging,
and that's why I've hidden the password.

Hiding the password like this does make sense, in case it gets logged or something.



Is the code now trying to reuse the url variable? I guess that's where the bug is.

Yep. parse_url gets called twice. The first time it correctly returns the password and get_connection stuffs it in HTTPServer *trans's password member. Later on, in send_request, it calls parse_url again, nuking the password ;)


Without fully understanding the flow of the code, it appears to me that it is not necessary to call parse_url in send_request again as the 'trans' structure is already filled out by get_connection so it already contains the correct password (and other info extracted from the url). So if these lines:

    if (parse_url(trans->url, &trans->host, &trans->port, &path, &trans->ssl,
                  &trans->username, &trans->password) == -1)
        goto error;


are removed from send_request, things should be ok. Of course, I'm assuming 'trans' is not cleared/overwritten by some other code that gets executed in the meantime. Also, there are two places from which send_request is called, not sure if it's ok to remove the above lines in both cases.

Regards,

Bas.
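
The double-parse failure described in this thread, reproduced as an added example that is not part of the original message and is not Kannel code. It uses plain C strings instead of Octstr; the names parse_and_mask and redacted_copy and the sample URL are hypothetical. It also shows one alternative to in-place masking: keep the URL intact and mask a separate copy for logging.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the behaviour in the thread: copy the password out
   of "scheme://user:pass@host/..." into pw, then star it out in url itself. */
static int parse_and_mask(char *url, char *pw, size_t pwlen)
{
    char *start = strstr(url, "://"), *at, *colon;
    size_t n;

    if (start == NULL) return -1;
    start += 3;
    at = memchr(start, '@', strcspn(start, "/"));   /* userinfo ends before the path */
    if (at == NULL) return -1;
    colon = memchr(start, ':', (size_t)(at - start));
    if (colon == NULL) return -1;
    n = (size_t)(at - colon - 1);
    if (n >= pwlen) return -1;
    memcpy(pw, colon + 1, n);
    pw[n] = '\0';
    memset(colon + 1, '*', n);   /* in-place masking: url no longer holds the secret */
    return 0;
}

/* Alternative: leave url untouched and produce a masked copy for the log. */
static int redacted_copy(const char *url, char *out, size_t outlen)
{
    char pw[64];
    if (strlen(url) >= outlen) return -1;
    strcpy(out, url);
    return parse_and_mask(out, pw, sizeof pw);
}

int main(void)
{
    char url[] = "http://user:secret@example.invalid/cgi-bin/sendsms"; /* constructed */
    char pw1[64], pw2[64], logurl[128];

    redacted_copy(url, logurl, sizeof logurl);   /* url itself is unchanged here */
    printf("log: %s\n", logurl);
    parse_and_mask(url, pw1, sizeof pw1);        /* first parse: real password */
    parse_and_mask(url, pw2, sizeof pw2);        /* second parse: only stars come back */
    printf("first=%s second=%s\n", pw1, pw2);
    return 0;
}
```
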