all patches are against wget 1.10. please cc me on all responses as i am not subscribed to this list.
FIRST BUG
there is a bug in http.c.
when connecting by way of proxy & https, if digest authentication is
necessary, then the first connection attempt fails and we go to
retry_with_auth. that much is as expected. upon our second attempt,
unlike the first attempt, we don't set conn = proxy (as conn was most
recently set to u), so instead we try to connect directly to the host,
which fails (because the proxy must be used).
just as with the first attempt, we must set conn = proxy so that our
first connection is made to the proxy and not directly to the host. but
setting conn = proxy occurs before retry_with_auth, so during our second
attempt conn = u because that is what it was last set to. and as such
we try to connect directly to the host, not the proxy as we should.
i believe the alternative (and more proper approach) is to delete these
lines:
    /* SOCK is now *really* connected to u->host, so update CONN
       to reflect this.  That way register_persistent will
       register SOCK as being connected to u->host:u->port.  */
    conn = u;
as we will never register a connection through a proxy (because we will
never request for it to be kept alive as per inhibit_keep_alive). but i
just noticed this alternative and haven't had a chance to develop a
patch and test it.
SECOND BUG
there is another "bug" in http.c. it is not "secure by default" as we
initially send all user names and passwords as basic authentication,
though digest authentication may be desired/needed. i realize that
should basic authentication be all that is needed, removing the basic
authentication by default doubles the number of requests (first attempt
to learn we need basic authentication, second attempt to send basic
authentication), but i believe that is the necessary trade-off for
security. should a user desire to use basic authentication by default,
i think an option should be added to allow it, but the default behavior
of wget should not unnecessarily compromise a user's name & password.
the second patch rectifies the problem, but a more complete patch would
include adding a command-line switch to always send basic authentication
by default.
THANKS
thanks to the people that maintain the mingw build configuration as it
was refreshing to be able to build my patched wget on windows using a
free software tool chain. (having to build free software using a
non-free toolchain defeats the purpose.)
corey
--
[EMAIL PROTECTED]
proxy_after_auth_failure.patch
Description: Binary data
no_default_basic_auth.patch
Description: Binary data
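
Added example, not part of the original message and not wget's code: a small Python model of the policy argued for under SECOND BUG, showing what a first request carries with and without preemptive Basic, and what a Digest answer carries once the server has sent a challenge. The function names, the `preemptive_basic` switch and the sample challenge are assumptions made for illustration; only `qop=auth` is handled and `opaque` is not echoed.

```python
import base64, hashlib, re, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    # Basic is only an encoding of "user:password"; no secret is mixed in.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def read_basic(value):
    # What any intermediary that sees the header can read back from it.
    raw = base64.b64decode(value.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def parse_challenge(value):
    # 'Digest realm="r", qop="auth,auth-int"' -> ("digest", {"realm": "r", ...})
    scheme, _, rest = value.partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return scheme.lower(), {k.lower(): q or b for k, q, b in pairs}

def digest_response(user, password, realm, nonce, method, uri, nc, cnonce):
    # RFC 2617, qop=auth: the password only enters through the HA1 hash.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def authorization(challenge, user, password, method, uri,
                  preemptive_basic=False, cnonce=None):
    """Authorization value to send, or None. challenge is None on the first try."""
    if challenge is None:
        # preemptive_basic=True models the behaviour the message objects to.
        return basic_header(user, password) if preemptive_basic else None
    scheme, p = parse_challenge(challenge)
    if scheme == "basic":
        return basic_header(user, password)  # the server asked for Basic
    if scheme != "digest":
        return None
    nc, cnonce = "00000001", cnonce or secrets.token_hex(8)
    resp = digest_response(user, password, p["realm"], p["nonce"],
                           method, uri, nc, cnonce)
    return (f'Digest username="{user}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}"')

# Constructed sample: the challenge from the RFC 2617 worked example.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"')
```

With `preemptive_basic=False` the first request carries no credentials at all, at the cost of the extra round trip the message describes.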
