Bug 446949
Summary: | wget doesn't send Authentication header | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ignacio Nin <ignacio.nin> |
Component: | wget | Assignee: | Karsten Hopp <karsten> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 9 | CC: | maligree, micah |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-11-12 19:07:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Ignacio Nin
2008-05-16 18:44:22 UTC
This is not a bug. Clients should never send authentication headers before receiving a challenge from the server. Among other reasons, this means sending the password in cleartext, easily snooped by anyone between you and the server (unless you're on an SSL connection; but even then it's inappropriate to assume what authentication mechanism the server wants before it asks). The server might well request Digest auth or some other, much more secure authentication mechanism. This fix was introduced in 1.11. However, there are some rare cases where the old behavior is still desirable (for instance, servers that don't issue challenges because they normally use form authentication, but support Basic auth as an alternative way to authenticate). If this is you, then see the --auth-no-challenge, which was introduced in 1.11.1, and restores the previous broken behavior from 1.10.2. See also RFC 2617 (with which Wget still doesn't properly comply, but at least it's a step closer). |