[PATCH] httpd: send HTTP_UNAUTHORIZED on auth failure
Peter Korsgaard
jacmet at uclibc.org
Fri Jun 13 13:42:44 UTC 2008
>>>>> "Denys" == Denys Vlasenko <vda.linux at googlemail.com> writes:
Hi,
Denys> On Friday 13 June 2008 13:35, Peter Korsgaard wrote:
>> From: Peter Korsgaard <jacmet at sunsite.dk>
>>
>> r22315 is wrong - We should send HTTP_UNAUTHORIZED both if there wasn't
>> an Authorization: header,
Denys> Why? Vast majority of http requests indeed does not have
Denys> "Authorization:" header just because they request
Denys> non-protected pages.
True. You misunderstand the comment - Without that fix you never sent
HTTP_UNAUTHORIZED if the Authorization header was sent, no matter if
it was valid or not.
>> #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
>> - /* Case: no "Authorization:" was seen, but page does require passwd.
>> - * Check that with dummy user:pass */
>> - if ((authorized < 0) && check_user_passwd(urlcopy, ":") == 0) {
>> + /* invalid user:pass or no "Authorization:" was seen, but page
>> + * does require passwd. Check that with dummy user:pass */
>> + if ((authorized <= 0) && check_user_passwd(urlcopy, ":") == 0) {
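Review bot: "authorized <= 0" in the new condition folds two different states together, -1 (no "Authorization:" header seen) and 0 (header seen, checked and rejected), and for the rejected case sends HTTP_UNAUTHORIZED only if the second check_user_passwd(urlcopy, ":") lookup also fails, so a request that has already failed its own credential check is looked up again with the dummy pair before being refused. Keep the dummy lookup for the no-header case only and refuse on any zero result, i.e. "if (authorized < 0) authorized = check_user_passwd(urlcopy, ":");" followed by "if (!authorized) send_headers_and_exit(HTTP_UNAUTHORIZED);". The rewritten comment on the + lines should then say that ":" stands in for a missing header, not for an invalid one.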
Denys> My point is that "authorized <= 0" is true if there was no
Denys> "Authorization:" AND if it was seen, checked, and found to
Denys> contain wrong user/passwd.
Denys> But those are different situations! In second case, we should
Denys> not check dummy credentials ":", we already know that user
Denys> shall not get the page.
True, it's more efficient to not do the double check.
Denys> My fix though was valid too. Now I allow failed auth :(
I guess you mean invalid.
Denys> This should be ok:
Denys>     if (authorized < 0)
Denys>         authorized = check_user_passwd(urlcopy, ":");
Denys>     if (!authorized)
Denys>         send_headers_and_exit(HTTP_UNAUTHORIZED);
Denys> Does it look right to you?
Yes, it works here - Thanks!
Maybe add to the 1.10.3 fixes?
--
Bye, Peter Korsgaard
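The three versions of the check discussed above, side by side, as an added stand-alone model (not busybox httpd code and not from either poster): check_user_passwd(), its return convention (1 when no table entry protects the URL or the user:pass matches, 0 otherwise), the credential table, decide() and the variant names are assumptions made for illustration. The model also counts table lookups to show the double check Denys objects to; "authorized" carries the same three states as in the thread (-1 no header, 0 header rejected, 1 header accepted).

```c
/*
 * Added example: a stand-alone model of the three decisions discussed in the
 * thread. This is NOT busybox httpd code. check_user_passwd(), the credential
 * table, decide() and the variant names are assumptions made for illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HTTP_OK           200
#define HTTP_UNAUTHORIZED 401

/* Constructed httpd.conf-style auth table: path prefix -> required user:pass */
struct auth_entry { const char *path; const char *user_pass; };
static const struct auth_entry table[] = {
    { "/admin", "root:secret" },
    { "/stats", "monitor:stats" },
};

/* Number of table lookups performed; used to show the double check. */
static int lookups;

/* Assumed semantics: return 1 if no entry protects the URL, or if user_pass
 * matches the entry that does; return 0 otherwise. */
static int check_user_passwd(const char *url, const char *user_pass)
{
    size_t i;
    lookups++;
    for (i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        size_t n = strlen(table[i].path);
        if (strncmp(url, table[i].path, n) == 0
         && (url[n] == '/' || url[n] == '\0'))
            return strcmp(user_pass, table[i].user_pass) == 0;
    }
    return 1; /* no entry matched: page does not require a password */
}

/* The three versions of the check compared in the thread. */
enum variant {
    V_R22315,    /* "authorized < 0": rejected header falls through to the page */
    V_PATCH_LE0, /* "authorized <= 0": refuses, but looks the table up twice */
    V_DENYS      /* dummy lookup only when no header; refuse on any zero */
};

/* auth is the already-decoded "user:pass" from Authorization:, or NULL when
 * the request carried no such header. Returns the HTTP status to send. */
static int decide(enum variant v, const char *url, const char *auth)
{
    /* -1: no header seen, 0: header seen and rejected, 1: header accepted */
    int authorized = -1;
    if (auth != NULL)
        authorized = check_user_passwd(url, auth);

    switch (v) {
    case V_R22315:
        if (authorized < 0 && check_user_passwd(url, ":") == 0)
            return HTTP_UNAUTHORIZED;
        break;
    case V_PATCH_LE0:
        if (authorized <= 0 && check_user_passwd(url, ":") == 0)
            return HTTP_UNAUTHORIZED;
        break;
    case V_DENYS:
        if (authorized < 0)
            authorized = check_user_passwd(url, ":");
        if (!authorized)
            return HTTP_UNAUTHORIZED;
        break;
    }
    return HTTP_OK;
}

int main(void)
{
    static const char *const names[] = { "r22315", "<= 0 patch", "Denys" };
    struct { const char *url; const char *auth; } req[] = {
        { "/admin", NULL },          /* protected, no header     */
        { "/admin", "root:wrong" },  /* protected, bad password  */
        { "/admin", "root:secret" }, /* protected, good password */
        { "/index.html", NULL },     /* unprotected, no header   */
    };
    size_t i, v;
    int st;
    for (v = 0; v < 3; v++) {
        for (i = 0; i < sizeof(req) / sizeof(req[0]); i++) {
            lookups = 0;
            st = decide((enum variant)v, req[i].url, req[i].auth);
            printf("%-10s %-12s %-12s -> %d (%d lookups)\n", names[v],
                   req[i].url, req[i].auth ? req[i].auth : "(none)", st, lookups);
        }
    }
    return 0;
}
```

Running it shows the r22315 variant answering 200 to /admin with "root:wrong", the "<= 0" variant answering 401 after two lookups, and Denys's version answering 401 after a single lookup while still sending 401 for the no-header case and 200 for unprotected pages.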