search

versat / cntlm

Cntlm is an NTLM / NTLM Session Response / NTLMv2 authenticating HTTP proxy intended to help you break free from the chains of Microsoft proprietary world. More info on http://cntlm.sourceforge.net/ website. This version also supports: SSPI (on Windows, NTLM authentication only), Kerberos authentication, IPv6, proxy PAC files.
GNU General Public License v2.0
118 stars 41 forks source link

do not attempt authentication to target server when request has a body #78

Closed fralken closed 1 year ago

fralken commented 1 year ago

This is a fix for issue #77. Cntlm advertises to be able to authenticate with NTLM against web servers. This works unless the request that needs authentication has a body (e.g. a POST request). In this case the body should be cached so that it could be sent again when the authentication sequence is completed, but Cntlm doesn't cache it, it simply reads data from the client socket and writes it to the server socket.

This use case is probably very rare nowadays, since usually connections use SSL (i.e. https) and Cntlm simply tunnels them. So adding the logic to deal with plain http connections that require ntlm authentication and have a body in the request (that is, cache the body of the first request) isn't worth the effort.

Instead of removing the feature completely it is very easy to add a check that the incoming request does not have a body (typically a GET) and avoid the authentication attempt in case the body is not empty.

sonarcloud[bot] commented 1 year ago

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

0.0% 0.0% Coverage
0.0% 0.0% Duplication