Date: Wed, 23 Jun 2010 11:01:47 GMT
From: Tom Evans <tevans.uk@googlemail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Fetch doesn't supply proxy auth credentials with the '-A' flag

>Number:         148087
>Category:       kern
>Synopsis:       [libfetch] [patch] Fetch doesn't supply proxy auth credentials with the '-A' flag
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 23 11:10:05 UTC 2010
>Closed-Date:    Fri May 13 06:52:55 UTC 2011
>Last-Modified:  Fri May 13 06:52:55 UTC 2011
>Originator:     Tom Evans
>Release:        RELENG_7
>Organization:
Mintel International
>Environment:
FreeBSD strangepork.mintel.co.uk 7.3-STABLE FreeBSD 7.3-STABLE #3: Fri May 14 18:27:38 BST 2010     root@strangepork.mintel.co.uk:/usr/FreeBSD/RELENG_7/obj/usr/FreeBSD/RELENG_7/src/sys/STRANGEPORK  i386
>Description:
libfetch/http.c tries to download files in a loop, so that each failure leads to the download being re-attempted, up to the number of retries specified.

When going through a proxy, it first requests the file without proxy auth, adding credentials if the response to the first request demands it.

When libfetch is passed the 'A' flag, it is supposed to not follow 302 temporary redirects. The actual effect is to limit the number of iterations in the download loop to only 1 and no attempt is made to attempt to fetch with the credentials supplied. 

Encountered on RELENG_7, same code exists in HEAD AFAICT.
>How-To-Repeat:
Configure a proxy to require basic authentication.
Set HTTP_PROXY and HTTP_PROXY_AUTH such that fetch will use the proxy.
Run fetch both with and without the -A flags (example mimics default ports fetch args)

> # /usr/bin/fetch -ApRr -v -S 37867 http://googlecl.googlecode.com/files/googlecl-0.9.5.tar.gz
looking up proxy
connecting to proxy:3128
requesting http://googlecl.googlecode.com/files/googlecl-0.9.5.tar.gz
proxy requires authorization
fetch: http://googlecl.googlecode.com/files/googlecl-0.9.5.tar.gz:
Proxy Authentication Required
root@strangepork '12:13:28' '/usr/ports/net/googlecl'

Without -A, it works as expected

> # /usr/bin/fetch -pRr -v -S 37867 http://googlecl.googlecode.com/files/googlecl-0.9.5.tar.gz
looking up proxy
connecting to proxy:3128
requesting http://googlecl.googlecode.com/files/googlecl-0.9.5.tar.gz
proxy requires authorization
looking up proxy
connecting to proxy:3128
requesting http://googlecl.googlecode.com/files/googlecl-0.9.5.tar.gz
local size / mtime: 37867 / 1276839258
remote size / mtime: 37867 / 1276839258

>Fix:
Apply supplied patch.

Patch attached with submission follows:

Index: /usr/src/lib/libfetch/http.c
===================================================================
RCS file: /home/ncvs/src/lib/libfetch/http.c,v
retrieving revision 1.78.2.5
diff -u -r1.78.2.5 http.c
--- /usr/src/lib/libfetch/http.c	27 Jan 2010 14:54:48 -0000	1.78.2.5
+++ /usr/src/lib/libfetch/http.c	21 Jun 2010 11:30:32 -0000
@@ -1710,6 +1710,7 @@
 				goto ouch;
 			}
 			/* try again, but send the password this time */
+			++n;
 			if (verbose)
 				fetch_info("proxy requires authorization");
 			break;
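
Review bot: the `++n` added under the "try again, but send the password this time" comment changes the retry countdown without saying why; a one-line comment that the unauthenticated first request should not count as an attempt would make the intent clear. The hunk only touches the "proxy requires authorization" path, so it is worth checking whether the origin-server authorization path needs the same bump, and confirming that the `goto ouch` just above is what ends the loop when credentials have already been sent and are refused, since the countdown alone no longer does.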


>Release-Note:
>Audit-Trail:

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/148087: commit references a PR
Date: Thu,  1 Jul 2010 17:46:25 +0000 (UTC)

 Author: des
 Date: Thu Jul  1 17:44:33 2010
 New Revision: 209632
 URL: http://svn.freebsd.org/changeset/base/209632
 
 Log:
   If the A flag is supplied, http_request() will attempt the request only
   once, even if authentication is required, instead of retrying with the
   proper credentials.  Fix this by bumping the countdown if the origin or
   proxy server requests authentication so that the initial unauthenticated
   request does not count as an attempt.
   
   PR:		148087
   Submitted by:	Tom Evans <tevans.uk@googlemail.com>
   MFC after:	2 weeks
 
 Modified:
   head/lib/libfetch/http.c
 
 Modified: head/lib/libfetch/http.c
 ==============================================================================
 --- head/lib/libfetch/http.c	Thu Jul  1 15:23:29 2010	(r209631)
 +++ head/lib/libfetch/http.c	Thu Jul  1 17:44:33 2010	(r209632)
 @@ -1786,12 +1786,14 @@ http_request(struct url *URL, const char
  			case hdr_www_authenticate:
  				if (conn->err != HTTP_NEED_AUTH)
  					break;
 -				http_parse_authenticate(p, &server_challenges);
 +				if (http_parse_authenticate(p, &server_challenges))
 +					++n;
  				break;
  			case hdr_proxy_authenticate:
  				if (conn->err != HTTP_NEED_PROXY_AUTH)
  					break;
 -				http_parse_authenticate(p, &proxy_challenges);
 +				if (http_parse_authenticate(p, &proxy_challenges) == 0);
 +					++n;
  				break;
  			case hdr_end:
  				/* fall through */
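
Review bot: in the `hdr_proxy_authenticate` case the added `if (http_parse_authenticate(p, &proxy_challenges) == 0);` ends in a semicolon, so the `if` has an empty body and the `++n` on the following line runs unconditionally, whatever the parser returns. The two cases also test the return value in opposite senses: `hdr_www_authenticate` bumps `n` when the call returns non-zero, while `hdr_proxy_authenticate` compares against 0. Drop the stray semicolon and use the same success test in both cases, matching the return convention of http_parse_authenticate().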
 
State-Changed-From-To: open->patched 
State-Changed-By: vwe 
State-Changed-When: Sun Aug 15 23:01:31 UTC 2010 
State-Changed-Why:  
committed to head but not MFC'ed, yet 


Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: vwe 
Responsible-Changed-When: Sun Aug 15 23:01:31 UTC 2010 
Responsible-Changed-Why:  
DES, care to MFC? thx! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148087 
State-Changed-From-To: patched->closed 
State-Changed-By: des 
State-Changed-When: Fri May 13 06:52:54 UTC 2011 
State-Changed-Why:  
fixed in head, 8 and 7 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148087 
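
The countdown behaviour described in this PR and in the r209632 log, as an added example: a simplified model written for this page, not libfetch code. `model_request`, `proxy_reply`, the `MAX_REDIRECT` value and the rule that a refused password ends the loop are assumptions made for the illustration.

```c
#include <stdio.h>

#define MAX_REDIRECT 20			/* assumed cap when 'A' is not set */
#define HTTP_OK 200
#define HTTP_NEED_PROXY_AUTH 407

/* Constructed stand-in for the proxy: answers 407 until credentials are
 * sent; with accept_creds == 0 it keeps answering 407 (wrong password). */
static int proxy_reply(int sent_creds, int accept_creds)
{
	return (sent_creds && accept_creds) ? HTTP_OK : HTTP_NEED_PROXY_AUTH;
}

/* Simplified model of the countdown loop. Returns the final status and
 * stores the number of requests that were sent in *requests. */
static int model_request(int flag_A, int bump_on_challenge, int accept_creds,
    int *requests)
{
	int n = flag_A ? 1 : MAX_REDIRECT;	/* 'A' allows one iteration */
	int sent_creds = 0, status;

	*requests = 0;
	do {
		status = proxy_reply(sent_creds, accept_creds);
		++*requests;
		if (status != HTTP_NEED_PROXY_AUTH)
			break;			/* request succeeded */
		if (sent_creds)
			break;			/* credentials refused: give up */
		sent_creds = 1;			/* retry, with the password */
		if (bump_on_challenge)
			++n;			/* the challenge is not an attempt */
	} while (--n > 0);
	return status;
}

int main(void)
{
	int reqs, st;

	st = model_request(1, 0, 1, &reqs);
	printf("-A, no bump:         status %d, %d request(s)\n", st, reqs);
	st = model_request(1, 1, 1, &reqs);
	printf("-A, bump:            status %d, %d request(s)\n", st, reqs);
	st = model_request(1, 1, 0, &reqs);
	printf("-A, bump, bad creds: status %d, %d request(s)\n", st, reqs);
	return 0;
}
```

The third case shows why the bump has to be tied to a single challenge: with a refused password the loop still stops after two requests instead of re-sending credentials indefinitely.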
>Unformatted:
