Pending Review
Last Updated: 13 Jan 2021 00:12 by Eric
Created on: 12 Jan 2021 23:53
Type: Bug Report
Fiddler incorrectly strips Authorization header if it happens to contain the letters NTLM

https://twitter.com/ozziepeeps/status/1349126308454830082
Basically, the problem here is that if we're AutoAuthenticating when reissuing a request, we try to strip any default Auth header.
There's code that looks like
    if (theFlags.ContainsKey("x-AutoAuth") && newSession.requestHeaders["Authorization"].OICContains("NTLM"))
    {
        // ... strip the header
    }

The problem is that we should only be looking at the very first token of the Authorization header (e.g. before the first space). We should not search the whole header, because if the header is
    Authorization: Bearer BlahblahblahNtLMblahblah
we think it's an NTLM header and strip it. 
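The difference between the two checks, as an added illustration that is not part of the report or of Fiddler's code: `is_ntlm_buggy` does the substring search the report describes, `is_ntlm_fixed` looks only at the scheme token (the text before the first whitespace, per RFC 7235, so it also tolerates a tab or leading spaces, which is slightly more general than a split on a single space), and `should_strip_default_auth` mirrors the auto-auth decision with plain dicts standing in for the session flags and request headers. The header values are constructed samples; the NTLM and Basic tokens are dummies.

```python
import re

# The authentication scheme is the first token of the Authorization value
# (RFC 7235: a case-insensitive token, followed by whitespace and the
# credentials). Only that first token identifies the scheme.
_SCHEME_RE = re.compile(r"^\s*([^\s]+)")


def auth_scheme(header_value):
    """Return the scheme token of an Authorization header value, or ''
    when the value is missing or empty."""
    if not header_value:
        return ""
    match = _SCHEME_RE.match(header_value)
    return match.group(1) if match else ""


def is_ntlm_buggy(header_value):
    """The reported behaviour: a case-insensitive substring search over the
    whole value, so 'Bearer ...NtLM...' is misclassified as NTLM."""
    return "ntlm" in (header_value or "").lower()


def is_ntlm_fixed(header_value):
    """The intended check: compare only the scheme token, case-insensitively."""
    return auth_scheme(header_value).lower() == "ntlm"


def should_strip_default_auth(flags, headers, is_ntlm=is_ntlm_fixed):
    """Decision from the report: when a request is reissued under
    auto-authentication (flag 'x-AutoAuth' present), drop a default NTLM
    Authorization header; any other scheme must be left alone.
    `flags` and `headers` are plain dicts standing in for the session flags
    and request headers (an assumption of this example)."""
    if "x-AutoAuth" not in flags:
        return False
    return is_ntlm(headers.get("Authorization"))


# Constructed sample header values; the credential tokens are dummies.
SAMPLES = {
    "bearer_with_ntlm_substring": "Bearer BlahblahblahNtLMblahblah",
    "real_ntlm": "NTLM TlRMTVNTUAABAAAA",
    "lowercase_ntlm": "ntlm TlRMTVNTUAABAAAA",
    "basic": "Basic dXNlcjpwYXNz",
    "leading_space_and_tab": "  NTLM\tTlRMTVNTUAABAAAA",
}


def compare_checks():
    """Run both checks over the samples; returns {name: (buggy, fixed)}."""
    return {name: (is_ntlm_buggy(v), is_ntlm_fixed(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (buggy, fixed) in compare_checks().items():
        print(f"{name:28s} buggy={buggy!s:5s} fixed={fixed}")
```

Only the first sample differs between the two checks: the Bearer token that merely contains "NtLM" is stripped by the substring check and kept by the scheme check, while genuine NTLM headers (in any case, with any whitespace) are still recognised by both.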
1 comment
Eric
Posted on: 13 Jan 2021 00:12

The fix is pretty simple; just use the TrimAfter method:

  // Keep only the scheme token (everything before the first space) and compare that, instead of searching the whole header value.
  string sAuthMethod = Utilities.TrimAfter(newSession.requestHeaders["Authorization"], ' ');