[cups.bugs] [HIGH] STR #3325: Incorrect handling of kerberos negotiation

[Christer Bernérus]

DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

This is also Apple Bug ID 7190317 which details this a bit further, and
there are at least two problems who only manifests themselves when trying
to use Kerberos authentication.

The symptom, which showed up in Mac OS X 10.6 and was not present under
10.5, is that 
lpr -H <hostname> -P <printer> filename always returned
lpr: Unauthorized

regardless of having correct credentials or not.
Most likely, some or all other modes of sending jobs to a kerberized
server also fails.

There are four problems in the code I have found so far:

A) When the Create-Job is restarted after being denied the first time, the
input buffer
from the first request is not flushed, leaving a number lines containing
HTML data in the buffer,
which are subsequently, after the restarted authenticated request to the
server, interpreted as erratic HTTP headers. This eventually causes a
large number of identical job requests be sent to the server, as the input
buffer isn't cleared, no waiting for the server to answer these requests is
performed either.

B) When the input buffer *is* flushed, the http->used variable isn't
cleared which it must be to make httpWait to actually wait for the server.

C) In cupsStartDocument, cupsSendRequest is called once, and does not
retry when authentication is called for by the server.

D) The code that uses the GSSAPI *may* have a problem, I constantly get
the following
debug messages: 
10:17:01.346 cupsDoAuthentication: GSS service name set via environment
variable
10:17:01.356 cupsDoAuthentication: Continuation needed!: The routine must
be called again to complete its function, Unknown error
I looked into the code but there seems to be no support for calling the
GSSAPI again here.

Link: http://www.cups.org/str.php?L3325
Version: 1.4.0