[PATCH] httpd: send HTTP_UNAUTHORIZED on auth failure

Peter Korsgaard jacmet at uclibc.org
Fri Jun 13 13:42:44 UTC 2008


>>>>> "Denys" == Denys Vlasenko <vda.linux at googlemail.com> writes:

Hi,

 Denys> On Friday 13 June 2008 13:35, Peter Korsgaard wrote:
 >> From: Peter Korsgaard <jacmet at sunsite.dk>
 >> 
 >> r22315 is wrong - We should send HTTP_UNAUTHORIZED both if there wasn't
 >> an Authorization: header,

 Denys> Why? Vast majority of http requests indeed does not have
 Denys> "Authorization:" header just because they request
 Denys> non-protected pages.

True. You misunderstand the comment - Without that fix you never sent
HTTP_UNAUTHORIZED if the Authorization header was sent, no matter if
it was valid or not.

 >> #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
 >> -	/* Case: no "Authorization:" was seen, but page does require passwd.
 >> -	 * Check that with dummy user:pass */
 >> -	if ((authorized < 0) && check_user_passwd(urlcopy, ":") == 0) {
 >> +	/* invalid user:pass or no "Authorization:" was seen, but page
 >> +	 * does require passwd.  Check that with dummy user:pass */
 >> +	if ((authorized <= 0) && check_user_passwd(urlcopy, ":") == 0) {
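Review bot: the new `authorized <= 0` condition merges two different states: `authorized < 0` (no "Authorization:" header was seen) and `authorized == 0` (a header was seen and its user:pass was rejected). For the second state the request is already known to be denied, yet the hunk still calls `check_user_passwd(urlcopy, ":")` with dummy credentials before sending HTTP_UNAUTHORIZED. Restrict the dummy check to the "no header" case and deny on the combined result, for example `if (authorized < 0) authorized = check_user_passwd(urlcopy, ":");` followed by `if (!authorized) send_headers_and_exit(HTTP_UNAUTHORIZED);`, which keeps the fix (rejected credentials no longer fall through) without the redundant lookup. The comment in the `+` lines should then be updated to match, since it would no longer describe the "invalid user:pass" case.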

 Denys> My point is that "authorized <= 0" is true if there was no
 Denys> "Authorization:" AND if it was seen, checked, and found to
 Denys> contain wrong user/passwd.

 Denys> But those are different situations! In second case, we should
 Denys> not check dummy credentials ":", we already know that user
 Denys> shall not get the page.

True, it's more efficient not to do the double check.

 Denys> My fix though was valid too. Now I allow failed auth :(

I guess you mean invalid.

 Denys> This should be ok:

 Denys>         if (authorized < 0)
 Denys>                 authorized = check_user_passwd(urlcopy, ":");
 Denys>         if (!authorized)
 Denys>                 send_headers_and_exit(HTTP_UNAUTHORIZED);

 Denys> Does it look right to you?

Yes, it works here - Thanks!

Maybe add to the 1.10.3 fixes?

-- 
Bye, Peter Korsgaard
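The three versions of the check discussed in this thread, side by side, as an added example that is not busybox code and not part of the original message. It models the `authorized` variable with the three states the thread describes (-1 no header seen, 0 header seen but rejected, 1 accepted), uses a constructed stand-in for `check_user_passwd()` with one protected prefix, and constructed numeric values for HTTP_OK and HTTP_UNAUTHORIZED; the r22315 variant is reconstructed from the `-` lines of the quoted hunk. A call counter shows why the `<= 0` patch re-runs the dummy check for a request that is already known to be rejected, while Denys' version does not.

```c
#include <string.h>

/* Constructed model of the three states of "authorized" as the thread describes them. */
enum { AUTH_NONE = -1, AUTH_FAILED = 0, AUTH_OK = 1 };
/* Constructed status values; busybox uses its own enum for these. */
enum { HTTP_OK = 200, HTTP_UNAUTHORIZED = 401 };

/* Constructed access table: one protected URL prefix and its accepted user:pass. */
static const char *PROTECTED_PREFIX = "/admin";
static const char *ACCEPTED_USERPASS = "admin:secret";

/* Counts stand-in check_user_passwd() calls, to show the redundant dummy check. */
static int check_calls;

/* Stand-in for check_user_passwd(): 1 = allowed, 0 = denied. A page outside the
 * protected prefix is allowed for any credentials, including the dummy ":". */
static int check_user_passwd(const char *url, const char *user_pass)
{
    check_calls++;
    if (strncmp(url, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) != 0)
        return 1;
    return strcmp(user_pass, ACCEPTED_USERPASS) == 0;
}

/* r22315 as reconstructed from the removed lines: only the "no header" case is
 * re-checked, so a header that was seen and rejected (authorized == 0) falls through. */
static int decide_r22315(int authorized, const char *url)
{
    if (authorized < 0 && check_user_passwd(url, ":") == 0)
        return HTTP_UNAUTHORIZED;
    return HTTP_OK;
}

/* Peter's patch: "<= 0" also catches the rejected case, but re-runs the dummy
 * check for a request that is already known to be denied. */
static int decide_peter(int authorized, const char *url)
{
    if (authorized <= 0 && check_user_passwd(url, ":") == 0)
        return HTTP_UNAUTHORIZED;
    return HTTP_OK;
}

/* Denys' proposal: the dummy check runs only when no header was seen; a rejected
 * header already means deny. */
static int decide_denys(int authorized, const char *url)
{
    if (authorized < 0)
        authorized = check_user_passwd(url, ":");
    if (!authorized)
        return HTTP_UNAUTHORIZED;
    return HTTP_OK;
}

/* Runs one decision function and returns how many times the password check ran. */
static int checks_performed(int (*decide)(int, const char *), int authorized, const char *url)
{
    check_calls = 0;
    (void)decide(authorized, url);
    return check_calls;
}

int main(void)
{
    /* A request with rejected credentials for a protected page: r22315 lets it through. */
    return decide_r22315(AUTH_FAILED, "/admin") == HTTP_OK ? 0 : 1;
}
```

Only the rejected-credentials row differs between r22315 and the two fixes; the two fixes agree on every outcome and differ only in whether `check_user_passwd()` is invoked a second time for a request that has already failed.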
