
Select most secure challenge from WWW-Authenticate

This patch also adds support for multiple challenges per
WWW-Authenticate header line.
The test Test-auth-both.py now succeeds and is therefore removed
from XFAIL_TESTS (the tests expected to fail).
Tim Ruehsen 2014-11-22 22:00:28 +01:00 committed by Tim Rühsen
parent 007bee88d8
commit 5edc97f3f8
5 changed files with 69 additions and 12 deletions


@ -1,3 +1,8 @@
2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de>
* http.c: Select strongest challenge from WWW-Authenticate,
support multiple challenges per header line.
2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de> 2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de>
* gnutls.c (ssl_connect_wget): Implement missing code for * gnutls.c (ssl_connect_wget): Implement missing code for


@ -2381,26 +2381,64 @@ read_header:
the value "negotiate", and other(s) with data. Loop over the value "negotiate", and other(s) with data. Loop over
all the occurrences and pick the one we recognize. */ all the occurrences and pick the one we recognize. */
int wapos; int wapos;
char *buf;
const char *www_authenticate = NULL;
const char *wabeg, *waend; const char *wabeg, *waend;
char *www_authenticate = NULL; const char *digest = NULL, *basic = NULL, *ntlm = NULL;
for (wapos = 0; for (wapos = 0; !ntlm
(wapos = resp_header_locate (resp, "WWW-Authenticate", wapos, && (wapos = resp_header_locate (resp, "WWW-Authenticate", wapos,
&wabeg, &waend)) != -1; &wabeg, &waend)) != -1;
++wapos) ++wapos)
if (known_authentication_scheme_p (wabeg, waend)) {
{ param_token name, value;
BOUNDED_TO_ALLOCA (wabeg, waend, www_authenticate);
break;
}
if (!www_authenticate) BOUNDED_TO_ALLOCA (wabeg, waend, buf);
www_authenticate = buf;
for (;!ntlm;)
{
/* extract the auth-scheme */
while (c_isspace (*www_authenticate)) www_authenticate++;
name.e = name.b = www_authenticate;
while (*name.e && !c_isspace (*name.e)) name.e++;
if (name.b == name.e)
break;
DEBUGP (("Auth scheme found '%.*s'\n", (int) (name.e - name.b), name.b));
if (known_authentication_scheme_p (name.b, name.e))
{
if (BEGINS_WITH (name.b, "NTLM"))
{
ntlm = name.b;
break; /* this is the most secure challenge, stop here */
}
else if (!digest && BEGINS_WITH (name.b, "Digest"))
digest = name.b;
else if (!basic && BEGINS_WITH (name.b, "Basic"))
basic = name.b;
}
/* now advance over the auth-params */
www_authenticate = name.e;
DEBUGP (("Auth param list '%s'\n", www_authenticate));
while (extract_param (&www_authenticate, &name, &value, ',', NULL) && name.b && value.b)
{
DEBUGP (("Auth param %.*s=%.*s\n",
(int) (name.e - name.b), name.b, (int) (value.e - value.b), value.b));
}
}
}
if (!basic && !digest && !ntlm)
{ {
/* If the authentication header is missing or /* If the authentication header is missing or
unrecognized, there's no sense in retrying. */ unrecognized, there's no sense in retrying. */
logputs (LOG_NOTQUIET, _("Unknown authentication scheme.\n")); logputs (LOG_NOTQUIET, _("Unknown authentication scheme.\n"));
} }
else if (!basic_auth_finished else if (!basic_auth_finished
|| !BEGINS_WITH (www_authenticate, "Basic")) || !basic)
{ {
char *pth = url_full_path (u); char *pth = url_full_path (u);
const char *value; const char *value;
@ -2408,6 +2446,15 @@ read_header:
auth_stat = xmalloc (sizeof (uerr_t)); auth_stat = xmalloc (sizeof (uerr_t));
*auth_stat = RETROK; *auth_stat = RETROK;
if (ntlm)
www_authenticate = ntlm;
else if (digest)
www_authenticate = digest;
else
www_authenticate = basic;
logprintf (LOG_NOTQUIET, _("Authentication selected: %s\n"), www_authenticate);
value = create_authorization_line (www_authenticate, value = create_authorization_line (www_authenticate,
user, passwd, user, passwd,
request_method (req), request_method (req),
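Review bot: The new `logprintf (LOG_NOTQUIET, _("Authentication selected: %s\n"), www_authenticate);` in the second hunk appears to print from the scheme name to the end of the copied header line, so the server-supplied realm, nonce and any later challenge text reach the log verbatim at LOG_NOTQUIET. Logging only the chosen scheme keeps server-controlled bytes off the terminal: `logprintf (LOG_NOTQUIET, _("Authentication selected: %s\n"), ntlm ? "NTLM" : digest ? "Digest" : "Basic");`. In the first hunk, `BOUNDED_TO_ALLOCA (wabeg, waend, buf);` now runs once per WWW-Authenticate header rather than once before a `break`, so stack use grows with the number and length of headers the server sends; a heap copy freed after `create_authorization_line` would bound that, at the cost of tracking the buffers that `digest`, `basic` and `ntlm` point into. The comment `/* this is the most secure challenge, stop here */` would be more accurate as a statement of preference order (NTLM, then Digest, then Basic), because the choice is still limited to what the server offers and falls back to Basic when nothing else is present. The enclosing function starts and ends outside both hunks.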


@ -1,3 +1,7 @@
2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de>
* Makefile.am: Removed Test-auth-both.py from XFAIL_TESTS
2014-11-21 Tim Ruehsen <tim.ruehsen@gmx.de> 2014-11-21 Tim Ruehsen <tim.ruehsen@gmx.de>
* server/http/http_server.py: Fixed typo Blackisted to Blacklisted * server/http/http_server.py: Fixed typo Blackisted to Blacklisted


@ -53,7 +53,8 @@ if HAVE_PYTHON3
Test-504.py \ Test-504.py \
Test--spider-r.py Test--spider-r.py
XFAIL_TESTS = Test-auth-both.py # added test cases expected to fail here and under TESTS
XFAIL_TESTS =
endif endif
EXTRA_DIST = certs conf exc misc server test README $(TESTS) $(XFAIL_TESTS) EXTRA_DIST = certs conf exc misc server test README $(TESTS) $(XFAIL_TESTS)


@ -207,8 +207,8 @@ class _Handler (BaseHTTPRequestHandler):
def send_challenge (self, auth_type): def send_challenge (self, auth_type):
auth_type = auth_type.lower() auth_type = auth_type.lower()
if auth_type == "both": if auth_type == "both":
self.send_challenge ("digest")
self.send_challenge ("basic") self.send_challenge ("basic")
self.send_challenge ("digest")
return return
if auth_type == "basic": if auth_type == "basic":
challenge_str = 'BasIc realm="Wget-Test"' challenge_str = 'BasIc realm="Wget-Test"'