fix usage of stathost in combination with basic auth

http protocol requires different treatment of proxy auth vs server auth.

fixes #246
rofl0r 2019-06-14 01:18:17 +01:00
parent e666e4a35b
commit 734ba1d970
2 changed files with 19 additions and 3 deletions


@ -164,13 +164,17 @@ int send_http_headers (struct conn_s *connptr, int code, const char *message)
"%s" "%s"
"Connection: close\r\n" "\r\n"; "Connection: close\r\n" "\r\n";
const char auth_str[] = const char p_auth_str[] =
"Proxy-Authenticate: Basic realm=\"" "Proxy-Authenticate: Basic realm=\""
PACKAGE_NAME "\"\r\n"; PACKAGE_NAME "\"\r\n";
const char w_auth_str[] =
"WWW-Authenticate: Basic realm=\""
PACKAGE_NAME "\"\r\n";
/* according to rfc7235, the 407 error must be accompanied by /* according to rfc7235, the 407 error must be accompanied by
a Proxy-Authenticate header field. */ a Proxy-Authenticate header field. */
const char *add = code == 407 ? auth_str : ""; const char *add = code == 407 ? p_auth_str : (code == 401 ? w_auth_str : "");
return (write_message (connptr->client_fd, headers, return (write_message (connptr->client_fd, headers,
code, message, PACKAGE, VERSION, code, message, PACKAGE, VERSION,
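Review bot: Every 401 sent through send_http_headers now carries `WWW-Authenticate`, yet the `if(failure)` branch in handle_connection (second file of this commit) still answers 401 when a `Proxy-Authorization` header fails the check on an ordinary proxied request. A client would likely read that as a challenge from the origin server rather than from the proxy, and could then answer with its proxy credentials in an `Authorization` header; that branch should answer 407 unless `stathost_connect` is set. The comment above `add` also still describes only the 407 case; something like `/* rfc7235: 407 carries Proxy-Authenticate, 401 carries WWW-Authenticate */` would match the code. The body of send_http_headers starts and ends outside this hunk.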


@ -1611,11 +1611,22 @@ void handle_connection (int fd)
if (config.basicauth_list != NULL) { if (config.basicauth_list != NULL) {
ssize_t len; ssize_t len;
char *authstring; char *authstring;
int failure = 1; int failure = 1, stathost_connect = 0;
len = hashmap_entry_by_key (hashofheaders, "proxy-authorization", len = hashmap_entry_by_key (hashofheaders, "proxy-authorization",
(void **) &authstring); (void **) &authstring);
if (len == 0 && config.stathost) {
len = hashmap_entry_by_key (hashofheaders, "host",
(void **) &authstring);
if (len && !strncmp(authstring, config.stathost, strlen(config.stathost))) {
len = hashmap_entry_by_key (hashofheaders, "authorization",
(void **) &authstring);
stathost_connect = 1;
} else len = 0;
}
if (len == 0) { if (len == 0) {
if (stathost_connect) goto e401;
update_stats (STAT_DENIED); update_stats (STAT_DENIED);
indicate_http_error (connptr, 407, "Proxy Authentication Required", indicate_http_error (connptr, 407, "Proxy Authentication Required",
"detail", "detail",
@ -1629,6 +1640,7 @@ void handle_connection (int fd)
basicauth_check (config.basicauth_list, authstring + 6) == 1) basicauth_check (config.basicauth_list, authstring + 6) == 1)
failure = 0; failure = 0;
if(failure) { if(failure) {
e401:
update_stats (STAT_DENIED); update_stats (STAT_DENIED);
indicate_http_error (connptr, 401, "Unauthorized", indicate_http_error (connptr, 401, "Unauthorized",
"detail", "detail",
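Review bot: The Host comparison `!strncmp(authstring, config.stathost, strlen(config.stathost))` is a case-sensitive prefix match, so any Host value that merely begins with the stathost string switches the request onto the `Authorization`/401 path. Hostnames compare case-insensitively and the header may carry a port, so the match should be required to end at the end of the string or at a `:`, e.g. `size_t n = strlen(config.stathost);` followed by `len > 0 && !strncasecmp(authstring, config.stathost, n) && (authstring[n] == '\0' || authstring[n] == ':')`. Testing `len > 0` instead of `len` also keeps a negative return from the lookup, if it can produce one, from being treated as a hit. handle_connection starts and ends outside these hunks.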