Unplanned
Last Updated: 18 Jan 2021 07:32 by ADMIN
Eric
Created on: 12 Jan 2021 23:53
Type: Bug Report
Fiddler incorrectly strips Authorization header if it happens to contain the letters NTLM

https://twitter.com/ozziepeeps/status/1349126308454830082

Basically, the problem here is that if we're AutoAuthenticating when reissuing a request, we try to strip any default Auth header.

There's code that looks like

    if (theFlags.ContainsKey("x-AutoAuth") && newSession.requestHeaders["Authorization"].OICContains("NTLM"))
    {
        // ... strip the header
    }

The problem is that we should only be looking at the very first token of the Authorization header (e.g. before the first space). We should not search the whole header, because if the header is

    Authorization: Bearer BlahblahblahNtLMblahblah

we think it's an NTLM header and strip it. 

2 comments
ADMIN
Nick Iliev
Posted on: 18 Jan 2021 07:32

Hi Eric,

Thanks for the update on that one! Marking this one as a bug to be fixed in a future release.

Regards,
Nick Iliev
Progress Telerik
Eric
Posted on: 13 Jan 2021 00:12

The fix is pretty simple; just use the TrimAfter method:

  string sAuthMethod = Utilities.TrimAfter(newSession.requestHeaders["Authorization"], ' ');
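
The substring check from the report and the scheme-token check from the fix, side by side, as an added C# example that is not Fiddler's code: Fiddler's `OICContains` and `Utilities.TrimAfter` are replaced by local equivalents, and the header values are constructed samples.

```csharp
using System;

// Added example, not Fiddler source: decide whether an Authorization header
// uses the NTLM scheme by looking only at its first token (the scheme name),
// never by searching the whole header value.
static class AuthSchemeCheck
{
    // Flawed form from the report: any "ntlm" substring anywhere in the
    // value matches, so an unrelated Bearer token can be stripped.
    public static bool LooksLikeNtlmBuggy(string authorization) =>
        authorization.IndexOf("NTLM", StringComparison.OrdinalIgnoreCase) >= 0;

    // Scheme token = text before the first space; whole value if no space.
    // Stand-in for Utilities.TrimAfter(value, ' ') in the fix.
    public static string SchemeOf(string authorization)
    {
        string value = authorization.TrimStart();
        int space = value.IndexOf(' ');
        return space < 0 ? value : value.Substring(0, space);
    }

    // Fixed form: compare the scheme token alone, case-insensitively,
    // since auth scheme names are case-insensitive.
    public static bool LooksLikeNtlmFixed(string authorization) =>
        SchemeOf(authorization).Equals("NTLM", StringComparison.OrdinalIgnoreCase);

    static void Main()
    {
        // Constructed header values; the tokens carry no real credentials.
        string[] samples =
        {
            "NTLM dG9rZW4=",                       // genuine NTLM scheme
            "Bearer BlahblahblahNtLMblahblah",     // the case from the report
            "Negotiate dG9rZW4=",
            "Basic dXNlcjpwYXNz",
        };
        foreach (string s in samples)
            Console.WriteLine(
                $"{SchemeOf(s),-10} buggy={LooksLikeNtlmBuggy(s)} fixed={LooksLikeNtlmFixed(s)}");
    }
}
```

Only the first sample should report `fixed=True`; the Bearer sample shows the flawed check firing where the scheme-token check does not.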