Basic Auth: send correct response codes and headers acc. to rfc7235

as reported by @natedogith1
2018-01-28 04:32:59 +00:00 · 2018-01-28 04:32:59 +00:00 · bd04ed00d8
commit bd04ed00d8
parent 8db511b9bf
2 changed files with 45 additions and 26 deletions
--- a/src/html-error.c
+++ b/src/html-error.c
@ -156,13 +156,24 @@ send_html_file (FILE *infile, struct conn_s *connptr)

 int send_http_headers (struct conn_s *connptr, int code, const char *message)
 {
-        const char *headers =
+        const char headers[] =
            "HTTP/1.0 %d %s\r\n"
            "Server: %s/%s\r\n"
-            "Content-Type: text/html\r\n" "Connection: close\r\n" "\r\n";
+            "Content-Type: text/html\r\n"
+            "%s"
+            "Connection: close\r\n" "\r\n";
+
+        const char auth_str[] =
+            "Proxy-Authenticate: Basic realm=\""
+            PACKAGE_NAME "\"\r\n";
+
+	/* according to rfc7235, the 407 error must be accompanied by
+           a Proxy-Authenticate header field. */
+        const char *add = code == 407 ? auth_str : "";

        return (write_message (connptr->client_fd, headers,
-                               code, message, PACKAGE, VERSION));
+                               code, message, PACKAGE, VERSION,
+                               add));
 }

 /*
--- a/src/reqs.c
+++ b/src/reqs.c
@ -1563,29 +1563,37 @@ void handle_connection (int fd)
                goto fail;
        }

-	if (config.basicauth_list != NULL) {
-		ssize_t len;
-		char *authstring;
-		int failure = 1;
-		len = hashmap_entry_by_key (hashofheaders, "proxy-authorization",
-                                  (void **) &authstring);
-		if (len > 0 &&
-		/* currently only "basic" auth supported */
-			(strncmp(authstring, "Basic ", 6) == 0 ||
-			 strncmp(authstring, "basic ", 6) == 0) &&
-			basicauth_check (config.basicauth_list, authstring + 6) == 1)
-				failure = 0;
-		if(failure) {
-			update_stats (STAT_DENIED);
-			indicate_http_error (connptr, 403, "Access denied",
-					     "detail",
-					     "The administrator of this proxy has not configured "
-					     "it to service requests from you.",
-					     NULL);
-			goto fail;
-		}
-		hashmap_remove (hashofheaders, "proxy-authorization");
-	}
+        if (config.basicauth_list != NULL) {
+                ssize_t len;
+                char *authstring;
+                int failure = 1;
+                len = hashmap_entry_by_key (hashofheaders, "proxy-authorization",
+                                            (void **) &authstring);
+
+                if (len == 0) {
+                        update_stats (STAT_DENIED);
+                        indicate_http_error (connptr, 407, "Proxy Authentication Required",
+                                             "detail",
+                                             "This proxy requires authentication.",
+                                             NULL);
+                        goto fail;
+                }
+                if ( /* currently only "basic" auth supported */
+                        (strncmp(authstring, "Basic ", 6) == 0 ||
+                         strncmp(authstring, "basic ", 6) == 0) &&
+                        basicauth_check (config.basicauth_list, authstring + 6) == 1)
+                                failure = 0;
+                if(failure) {
+                        update_stats (STAT_DENIED);
+                        indicate_http_error (connptr, 401, "Unauthorized",
+                                             "detail",
+                                             "The administrator of this proxy has not configured "
+                                             "it to service requests from you.",
+                                             NULL);
+                        goto fail;
+                }
+                hashmap_remove (hashofheaders, "proxy-authorization");
+        }

        /*
         * Add any user-specified headers (AddHeader directive) to the