MantisBT - NetSurf
View Issue Details
ID: 0002707
Project: NetSurf
Category: Core-specific
View Status: public
Date Submitted: 2019-10-07 20:38
Last Update: 2019-10-21 09:05
Reporter: Greg Cook
Assigned To: Daniel Silverstone
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform:
OS: RISC OS
OS Version: 5.19
Product Version: 3.9
Target Version: 3.10
Fixed in Version: 3.10
Fixed in CI build #4874
Reported in CI build #4862
URL of problem page
Summary: 0002707: Times out if server requires login and does not accept second connection
Description:
NetSurf times out and does not retrieve a page if an HTTP server asks for a login (WWW-Authenticate: Basic), and the user provides one, but the server does not accept a second connection from NetSurf. To cause this the server must:
  - return 401 Unauthorized unless authentication is given;
  - be single-threaded;
  - serve keep-alive connections.

Note: this is a likely configuration for Web interfaces in embedded devices.

Reproducible: Always. Persists until NetSurf has taken the user's credentials and either (a) it has successfully displayed a page or (b) the first connection has been broken.
Steps To Reproduce:
1. Set up an HTTP server as described. (Perl code based on the perlipc(1) manual page is included in the log file, tested in Linux and under MinGW in Windows.)

2. Open a NetSurf browser and enter the following in the URL bar:
   http://<host>:<port>/

   where <host> and <port> are replaced by the server host address and TCP port, respectively.

3. NetSurf displays an "Authentication Requested" page. Enter an appropriate login in the input boxes, then click "Login".

Actual result:
The cursor-with-hourglass appears and the throbber animates. After 3 minutes, a dialog box appears:
   Warning from NetSurf: Unknown

Expected result:
NetSurf should reuse the idle connection and display the requested page.
Additional Information:
Workarounds:
(a)
1. Attempt to log in, then wait until NetSurf times out.
2. Break the connection to the server.
3. Reconnect to the server.
4. Subsequent requests are displayed as normal.

(b)
1. Run a temporary multi-threading or connection-closing HTTP server on the same host and port, requiring authentication.
2. Open NetSurf and log in to the temporary server.
3. Stop the temporary server and run the offending server.
4. Subsequent requests are displayed as normal.

At the bottom of the log file is sample Perl code for a server that exercises the bug.

Can also be demonstrated by:

perl -T httpdir.pl -k -u foo -x bar

Tags: No tags attached.
Attached Files: Log.txt (41,026) 2019-10-07 20:38
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=624&type=bug
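
The three server conditions from the description, together with workaround (a), reproduced as an added Python example. It is not the reporter's Perl code from Log.txt and not NetSurf or curl code; the raw-socket client, the login foo:bar, the realm "demo" and all function names are constructed for illustration.

```python
import base64, hmac, socket, threading

EXPECTED = b"Basic " + base64.b64encode(b"foo:bar")  # constructed sample login

def read_request(reader):
    if not reader.readline():  # request line; b"" means the peer has closed
        return None
    headers = {}
    while (line := reader.readline()) not in (b"\r\n", b"\n", b""):
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers

def serve(listener):
    """Single thread with keep-alive: accept() runs again only after the current peer closes."""
    while True:
        conn, _ = listener.accept()
        with conn, conn.makefile("rb") as reader:
            while (headers := read_request(reader)) is not None:
                ok = hmac.compare_digest(headers.get(b"authorization", b""), EXPECTED)
                status = b"200 OK" if ok else b'401 Unauthorized\r\nWWW-Authenticate: Basic realm="demo"'
                conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\nConnection: keep-alive\r\n\r\n")

def read_status(sock):
    """Status code of the next response, or None if nothing arrives before the socket timeout."""
    reply = b""
    try:
        while b"\r\n\r\n" not in reply and (chunk := sock.recv(4096)):
            reply += chunk
    except socket.timeout:
        return None
    return int(reply.split()[1]) if reply else None

def get(sock, auth=b""):
    sock.sendall(b"GET / HTTP/1.1\r\nHost: demo\r\n" + (b"Authorization: " + auth + b"\r\n" if auth else b"") + b"\r\n")
    return read_status(sock)

def demo(timeout=1.0):
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=serve, args=(listener,), daemon=True).start()
    first, second = (socket.create_connection(listener.getsockname(), timeout=timeout) for _ in range(2))
    challenge = get(first)            # 401 challenge on the first connection
    stalled = get(second, EXPECTED)   # credentials on a second connection: never answered
    reused = get(first, EXPECTED)     # credentials on the idle first connection: answered
    first.close()                     # breaking the first connection frees the server
    drained = read_status(second)     # the queued request is served now
    return challenge, stalled, reused, drained

if __name__ == "__main__":
    print(demo())
```

A client that sends the credentials on a new connection while keeping the first one open sees only the timeout; reusing the idle connection, or closing it first, gets the page.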

Notes
(0002105)
Daniel Silverstone   
2019-10-16 21:28   
I *think* this is a bug in cURL because we're using cURL's connection caching capabilities.

I've filed an upstream bug at: https://github.com/curl/curl/issues/4499
(0002107)
Daniel Silverstone   
2019-10-21 09:05   
The issue is in how curl reuses connections and how that is interfered with by the *possibility* of NTLM authentication on a channel. I've added a mitigation until curl upstream can resolve the problem.

Issue History
2019-10-07 20:38 | Greg Cook | New Issue
2019-10-07 20:38 | Greg Cook | File Added: Log.txt
2019-10-15 12:47 | Vincent Sanders | Status | new => confirmed
2019-10-15 12:47 | Vincent Sanders | Category | General => Core-specific
2019-10-16 21:28 | Daniel Silverstone | Note Added: 0002105
2019-10-21 09:05 | Daniel Silverstone | Assigned To | => Daniel Silverstone
2019-10-21 09:05 | Daniel Silverstone | Status | confirmed => resolved
2019-10-21 09:05 | Daniel Silverstone | Resolution | open => fixed
2019-10-21 09:05 | Daniel Silverstone | Fixed in Version | => 3.10
2019-10-21 09:05 | Daniel Silverstone | Target Version | => 3.10
2019-10-21 09:05 | Daniel Silverstone | Fixed in CI build # | => 4874
2019-10-21 09:05 | Daniel Silverstone | Note Added: 0002107