[PATCH] httpd: send HTTP_UNAUTHORIZED on auth failure

Denys Vlasenko vda.linux at googlemail.com
Fri Jun 13 16:30:11 UTC 2008


On Friday 13 June 2008 15:42, Peter Korsgaard wrote:
>  >> #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
>  >> -	/* Case: no "Authorization:" was seen, but page does require passwd.
>  >> -	 * Check that with dummy user:pass */
>  >> -	if ((authorized < 0) && check_user_passwd(urlcopy, ":") == 0) {
>  >> +	/* invalid user:pass or no "Authorization:" was seen, but page
>  >> +	 * does require passwd.  Check that with dummy user:pass */
>  >> +	if ((authorized <= 0) && check_user_passwd(urlcopy, ":") == 0) {
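Review bot: changing the guard from `authorized < 0` to `authorized <= 0` merges two states that the comment itself lists as separate: a request with no "Authorization:" header at all (authorized < 0) and a request whose supplied user:pass was already checked and rejected (authorized == 0). In the second state the fallback `check_user_passwd(urlcopy, ":")` is still consulted, and whenever that dummy check succeeds the request with wrong credentials is not refused. Keep `authorized < 0` as the condition for the dummy ":" check, and give `authorized == 0` its own branch that answers HTTP_UNAUTHORIZED without consulting ":", since a rejected credential is already a final answer.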
> 
>  Denys> My point is that "authorized <= 0" is true if there was no
>  Denys> "Authorization:" AND if it was seen, checked, and found to
>  Denys> contain wrong user/passwd.
> 
>  Denys> But those are different situations! In second case, we should
>  Denys> not check dummy credentials ":", we already know that user
>  Denys> shall not get the page.
> 
> True, it's more efficient to not do the double check.

It's not an efficiency question. check_user_passwd(urlcopy, ":")
might SUCCEED, and thus a user who supplied a wrong user:password
pair will be granted access.
--
vda
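To make the distinction concrete, here is a small model of the tri-state `authorized` flag, written for this discussion and not taken from BusyBox httpd. It assumes the convention visible in the hunk (the dummy check returning 0 means "denied") and a constructed access table in which one protected path, `/weak/`, happens to accept an empty user:pass, which is one way the dummy ":" check can succeed; `model_check_user_passwd`, `classify`, `decide_collapsed`, `decide_split` and the table are all hypothetical names for this model. `decide_collapsed` follows the `<= 0` guard from the patch, `decide_split` keeps the no-header case and the rejected-credential case apart.

```c
/* Added example, not BusyBox httpd code: a model of the tri-state
 * "authorized" flag. It shows why the dummy ":" fallback must only run
 * when no "Authorization:" header was seen (authorized < 0) and never
 * when a header was seen and rejected (authorized == 0).
 * Names, the table and the return conventions are assumptions. */
#include <stddef.h>
#include <string.h>

/* Constructed access table: URL prefix -> "user:pass". The entry for
 * "/weak/" deliberately carries an empty user and password, so that
 * the dummy ":" check can succeed for a protected path. */
struct auth_entry { const char *prefix; const char *user_pass; };
static const struct auth_entry table[] = {
    { "/secret/", "admin:hunter2" },
    { "/weak/",   ":" },
};

/* Model of check_user_passwd(): 0 = access denied, 1 = allowed, where
 * "allowed" means either the credential matched an entry for this
 * path or no entry protects the path at all. */
static int model_check_user_passwd(const char *path, const char *user_pass)
{
    int protected_path = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        size_t len = strlen(table[i].prefix);
        if (strncmp(table[i].prefix, path, len) != 0)
            continue;
        protected_path = 1;
        if (strcmp(table[i].user_pass, user_pass) == 0)
            return 1;               /* credential matched */
    }
    return protected_path ? 0 : 1;  /* protected and unmatched -> denied */
}

/* -1: no "Authorization:" header; 0: header seen but rejected; 1: accepted */
static int classify(const char *path, const char *header_user_pass)
{
    if (header_user_pass == NULL)
        return -1;
    return model_check_user_passwd(path, header_user_pass);
}

/* The "+" side of the quoted hunk: every non-positive state falls back
 * to the dummy credential, so a rejected user:pass gets a second chance. */
static int decide_collapsed(const char *path, const char *header_user_pass)
{
    int authorized = classify(path, header_user_pass);
    if ((authorized <= 0) && model_check_user_passwd(path, ":") == 0)
        return 401;
    return 200;   /* reached with wrong credentials whenever ":" passes */
}

/* The separation asked for in the thread: a rejected credential is
 * final; only the no-header case consults the dummy credential. */
static int decide_split(const char *path, const char *header_user_pass)
{
    int authorized = classify(path, header_user_pass);
    if (authorized == 0)
        return 401;   /* header seen and rejected: never fall back */
    if ((authorized < 0) && model_check_user_passwd(path, ":") == 0)
        return 401;   /* no header and the page requires a password */
    return 200;
}
```

For `/secret/`, where ":" matches nothing, both variants agree. For `/weak/`, a request carrying a wrong user:pass is served by `decide_collapsed` and refused with 401 by `decide_split`, which is exactly the divergence the thread is about: the `<= 0` guard lets the dummy check decide a case that was already decided.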
