[PATCH] httpd: send HTTP_UNAUTHORIZED on auth failure

Denys Vlasenko vda.linux at googlemail.com
Fri Jun 13 13:20:04 UTC 2008


On Friday 13 June 2008 13:35, Peter Korsgaard wrote:
> From: Peter Korsgaard <jacmet at sunsite.dk>
> 
> r22315 is wrong - We should send HTTP_UNAUTHORIZED both if there wasn't
> an Authorization: header,

Why? The vast majority of HTTP requests indeed do not have an
"Authorization:" header, simply because they request non-protected pages.

>  #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
> -	/* Case: no "Authorization:" was seen, but page does require passwd.
> -	 * Check that with dummy user:pass */
> -	if ((authorized < 0) && check_user_passwd(urlcopy, ":") == 0) {
> +	/* invalid user:pass or no "Authorization:" was seen, but page
> +	 * does require passwd.  Check that with dummy user:pass */
> +	if ((authorized <= 0) && check_user_passwd(urlcopy, ":") == 0) {
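Review bot: the condition `if ((authorized <= 0) && check_user_passwd(urlcopy, ":") == 0)` folds two distinct states into one branch: `authorized < 0` (no "Authorization:" header was seen) and `authorized == 0` (a header was seen and its user:pass was rejected). For the second state the dummy ":" lookup is redundant, since the request is already known to be unauthorized, and the new comment ("invalid user:pass or no ...") documents the merge rather than justifying it. Suggest keeping the dummy check for the no-header case only and answering HTTP_UNAUTHORIZED whenever `authorized` ends up zero, so the two paths stay separate and readable.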

My point is that "authorized <= 0" is true if there was no "Authorization:"
AND if it was seen, checked, and found to contain wrong user/passwd.

But those are different situations! In the second case, we should not check
the dummy credentials ":"; we already know that the user shall not get the page.

My fix though was valid too. Now I allow failed auth :(

This should be ok:

        /* no "Authorization:" header seen: see whether the page is open */
        if (authorized < 0)
                authorized = check_user_passwd(urlcopy, ":");
        /* either wrong user:pass, or a protected page with no credentials */
        if (!authorized)
                send_headers_and_exit(HTTP_UNAUTHORIZED);

Does it look right to you?
--
vda
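The following is an added example written for this thread, not busybox code: it models the three-state "authorized" variable discussed above (negative for no "Authorization:" header, zero for rejected credentials, positive for accepted ones) and implements the decision proposed in the reply. The access table, the assumed semantics of check_user_passwd (returns 1 when the credentials satisfy the rule for the URL, 0 otherwise, so the dummy ":" only succeeds on unprotected pages) and the helper names handle_request and decide are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not busybox httpd code. */

#define HTTP_OK           200
#define HTTP_UNAUTHORIZED 401

/* Constructed access table: path prefix -> required "user:pass",
 * or NULL when the path is not protected. Most specific prefix first. */
struct rule { const char *prefix; const char *userpass; };
static const struct rule rules[] = {
    { "/admin/", "admin:s3cret" },
    { "/",       NULL },          /* everything else is open */
};

/* Assumed semantics (not taken from the mail): 1 if the credentials
 * satisfy the first matching rule, 0 otherwise. The dummy credential ":"
 * therefore succeeds only on pages that require no password. */
static int check_user_passwd(const char *url, const char *user_and_passwd)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (strncmp(url, rules[i].prefix, strlen(rules[i].prefix)) == 0) {
            if (rules[i].userpass == NULL)
                return 1;
            return strcmp(user_and_passwd, rules[i].userpass) == 0;
        }
    }
    return 0;   /* no rule: deny by default */
}

/* The decision proposed in the reply.
 * authorized: -1 = no "Authorization:" header seen,
 *              0 = header seen, credentials rejected,
 *              1 = header seen, credentials accepted. */
static int decide(const char *url, int authorized)
{
    /* Only the no-header case consults the dummy ":" credential;
     * a rejected user:pass is never re-checked. */
    if (authorized < 0)
        authorized = check_user_passwd(url, ":");
    if (!authorized)
        return HTTP_UNAUTHORIZED;
    return HTTP_OK;
}

/* Models one request; header_creds == NULL means no Authorization: header. */
static int handle_request(const char *url, const char *header_creds)
{
    int authorized = -1;
    if (header_creds != NULL)
        authorized = check_user_passwd(url, header_creds);
    return decide(url, authorized);
}

int main(void)
{
    printf("%d %s no header\n",    handle_request("/index.html", NULL), "/index.html");
    printf("%d %s no header\n",    handle_request("/admin/x",    NULL), "/admin/x");
    printf("%d %s wrong creds\n",  handle_request("/admin/x",    "admin:wrong"), "/admin/x");
    printf("%d %s right creds\n",  handle_request("/admin/x",    "admin:s3cret"), "/admin/x");
    return 0;
}
```

Running it shows an open page served without a header, a protected page answered with 401 both when the header is missing and when it carries wrong credentials, and 200 only for the correct user:pass.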