mirror of
https://github.com/curl/curl.git
synced 2026-04-13 12:41:42 +08:00
f4e23950c7
The issues found fell into these categories, with the applied fixes:
- const was accidentally stripped.
Adjust code to not cast or cast with const.
- const/volatile missing from arguments, local variables.
Constify arguments or variables, adjust/delete casts. Small code
changes in a few places.
- const must be stripped because an API dependency requires it.
Strip `const` with `CURL_UNCONST()` macro to silence the warning out
of our control. These happen at API boundaries. Sometimes they depend
on dependency version, which this patch handles as necessary. Also
enable const support for the zlib API, using `ZLIB_CONST`. Supported
by zlib 1.2.5.2 and newer.
- const must be stripped because a curl API requires it.
Strip `const` with `CURL_UNCONST()` macro to silence the warning out
of our immediate control. For example we promise to send a non-const
argument to a callback, though the data is const internally.
- other cases where we may avoid const stripping by code changes.
Also silenced with `CURL_UNCONST()`.
- there are 3 places where `CURL_UNCONST()` is cast again to const.
To silence this type of warning:
```
lib/vquic/curl_osslq.c:1015:29: error: to be safe all intermediate
pointers in cast from 'unsigned char **' to 'const unsigned char **'
must be 'const' qualified [-Werror=cast-qual]
lib/cf-socket.c:734:32: error: to be safe all intermediate pointers in
cast from 'char **' to 'const char **' must be 'const' qualified
[-Werror=cast-qual]
```
There may be a better solution, but I couldn't find it.
These cases are handled in separate subcommits, but without further
markup.
If you see a `-Wcast-qual` warning in curl, we appreciate your report
about it.
Closes #16142
186 lines
5.2 KiB
C
186 lines
5.2 KiB
C
/***************************************************************************
|
|
* _ _ ____ _
|
|
* Project ___| | | | _ \| |
|
|
* / __| | | | |_) | |
|
|
* | (__| |_| | _ <| |___
|
|
* \___|\___/|_| \_\_____|
|
|
*
|
|
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
*
|
|
* This software is licensed as described in the file COPYING, which
|
|
* you should have received as part of this distribution. The terms
|
|
* are also available at https://curl.se/docs/copyright.html.
|
|
*
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
*
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
* KIND, either express or implied.
|
|
*
|
|
* SPDX-License-Identifier: curl
|
|
*
|
|
***************************************************************************/
|
|
|
|
#include "curl_setup.h"
|
|
|
|
#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
|
|
|
|
#include "urldata.h"
|
|
#include "strcase.h"
|
|
#include "vauth/vauth.h"
|
|
#include "http_digest.h"
|
|
#include "strparse.h"
|
|
|
|
/* The last 3 #include files should be in this order */
|
|
#include "curl_printf.h"
|
|
#include "curl_memory.h"
|
|
#include "memdebug.h"
|
|
|
|
/* Test example headers:
|
|
|
|
WWW-Authenticate: Digest realm="testrealm", nonce="1053604598"
|
|
Proxy-Authenticate: Digest realm="testrealm", nonce="1053604598"
|
|
|
|
*/
|
|
|
|
CURLcode Curl_input_digest(struct Curl_easy *data,
|
|
bool proxy,
|
|
const char *header) /* rest of the *-authenticate:
|
|
header */
|
|
{
|
|
/* Point to the correct struct with this */
|
|
struct digestdata *digest;
|
|
|
|
if(proxy) {
|
|
digest = &data->state.proxydigest;
|
|
}
|
|
else {
|
|
digest = &data->state.digest;
|
|
}
|
|
|
|
if(!checkprefix("Digest", header) || !ISBLANK(header[6]))
|
|
return CURLE_BAD_CONTENT_ENCODING;
|
|
|
|
header += strlen("Digest");
|
|
Curl_str_passblanks(&header);
|
|
|
|
return Curl_auth_decode_digest_http_message(header, digest);
|
|
}
|
|
|
|
CURLcode Curl_output_digest(struct Curl_easy *data,
|
|
bool proxy,
|
|
const unsigned char *request,
|
|
const unsigned char *uripath)
|
|
{
|
|
CURLcode result;
|
|
unsigned char *path = NULL;
|
|
char *tmp = NULL;
|
|
char *response;
|
|
size_t len;
|
|
bool have_chlg;
|
|
|
|
/* Point to the address of the pointer that holds the string to send to the
|
|
server, which is for a plain host or for an HTTP proxy */
|
|
char **allocuserpwd;
|
|
|
|
/* Point to the name and password for this */
|
|
const char *userp;
|
|
const char *passwdp;
|
|
|
|
/* Point to the correct struct with this */
|
|
struct digestdata *digest;
|
|
struct auth *authp;
|
|
|
|
if(proxy) {
|
|
#ifdef CURL_DISABLE_PROXY
|
|
return CURLE_NOT_BUILT_IN;
|
|
#else
|
|
digest = &data->state.proxydigest;
|
|
allocuserpwd = &data->state.aptr.proxyuserpwd;
|
|
userp = data->state.aptr.proxyuser;
|
|
passwdp = data->state.aptr.proxypasswd;
|
|
authp = &data->state.authproxy;
|
|
#endif
|
|
}
|
|
else {
|
|
digest = &data->state.digest;
|
|
allocuserpwd = &data->state.aptr.userpwd;
|
|
userp = data->state.aptr.user;
|
|
passwdp = data->state.aptr.passwd;
|
|
authp = &data->state.authhost;
|
|
}
|
|
|
|
Curl_safefree(*allocuserpwd);
|
|
|
|
/* not set means empty */
|
|
if(!userp)
|
|
userp = "";
|
|
|
|
if(!passwdp)
|
|
passwdp = "";
|
|
|
|
#if defined(USE_WINDOWS_SSPI)
|
|
have_chlg = !!digest->input_token;
|
|
#else
|
|
have_chlg = !!digest->nonce;
|
|
#endif
|
|
|
|
if(!have_chlg) {
|
|
authp->done = FALSE;
|
|
return CURLE_OK;
|
|
}
|
|
|
|
/* So IE browsers < v7 cut off the URI part at the query part when they
|
|
evaluate the MD5 and some (IIS?) servers work with them so we may need to
|
|
do the Digest IE-style. Note that the different ways cause different MD5
|
|
sums to get sent.
|
|
|
|
Apache servers can be set to do the Digest IE-style automatically using
|
|
the BrowserMatch feature:
|
|
https://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html#msie
|
|
|
|
Further details on Digest implementation differences:
|
|
http://www.fngtps.com/2006/09/http-authentication
|
|
*/
|
|
|
|
if(authp->iestyle) {
|
|
tmp = strchr((const char *)uripath, '?');
|
|
if(tmp) {
|
|
size_t urilen = tmp - (const char *)uripath;
|
|
/* typecast is fine here since the value is always less than 32 bits */
|
|
path = (unsigned char *) aprintf("%.*s", (int)urilen, uripath);
|
|
}
|
|
}
|
|
if(!tmp)
|
|
path = (unsigned char *) strdup((const char *) uripath);
|
|
|
|
if(!path)
|
|
return CURLE_OUT_OF_MEMORY;
|
|
|
|
result = Curl_auth_create_digest_http_message(data, userp, passwdp, request,
|
|
path, digest, &response, &len);
|
|
free(path);
|
|
if(result)
|
|
return result;
|
|
|
|
*allocuserpwd = aprintf("%sAuthorization: Digest %s\r\n",
|
|
proxy ? "Proxy-" : "",
|
|
response);
|
|
free(response);
|
|
if(!*allocuserpwd)
|
|
return CURLE_OUT_OF_MEMORY;
|
|
|
|
authp->done = TRUE;
|
|
|
|
return CURLE_OK;
|
|
}
|
|
|
|
void Curl_http_auth_cleanup_digest(struct Curl_easy *data)
|
|
{
|
|
Curl_auth_digest_cleanup(&data->state.digest);
|
|
Curl_auth_digest_cleanup(&data->state.proxydigest);
|
|
}
|
|
|
|
#endif
|