mirror of
https://github.com/moparisthebest/wget
synced 2024-07-03 16:38:41 -04:00
Select most secure challenge from WWW-Authenticate
This patch also adds support for multiple challenges per WWW-Authenticate header line. The test Test-auth-both.py now succeeds and thus is taken away from XFAIL_TESTS (expected to fail tests).
This commit is contained in:
parent
007bee88d8
commit
5edc97f3f8
@ -1,3 +1,8 @@
|
||||
2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de>
|
||||
|
||||
* http.c: Select strongest challenge from WWW-Authenticate,
|
||||
support multiple challenges per header line.
|
||||
|
||||
2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de>
|
||||
|
||||
* gnutls.c (ssl_connect_wget): Implement missing code for
|
||||
|
61
src/http.c
61
src/http.c
@ -2381,26 +2381,64 @@ read_header:
|
||||
the value "negotiate", and other(s) with data. Loop over
|
||||
all the occurrences and pick the one we recognize. */
|
||||
int wapos;
|
||||
char *buf;
|
||||
const char *www_authenticate = NULL;
|
||||
const char *wabeg, *waend;
|
||||
char *www_authenticate = NULL;
|
||||
for (wapos = 0;
|
||||
(wapos = resp_header_locate (resp, "WWW-Authenticate", wapos,
|
||||
const char *digest = NULL, *basic = NULL, *ntlm = NULL;
|
||||
for (wapos = 0; !ntlm
|
||||
&& (wapos = resp_header_locate (resp, "WWW-Authenticate", wapos,
|
||||
&wabeg, &waend)) != -1;
|
||||
++wapos)
|
||||
if (known_authentication_scheme_p (wabeg, waend))
|
||||
{
|
||||
BOUNDED_TO_ALLOCA (wabeg, waend, www_authenticate);
|
||||
param_token name, value;
|
||||
|
||||
BOUNDED_TO_ALLOCA (wabeg, waend, buf);
|
||||
www_authenticate = buf;
|
||||
|
||||
for (;!ntlm;)
|
||||
{
|
||||
/* extract the auth-scheme */
|
||||
while (c_isspace (*www_authenticate)) www_authenticate++;
|
||||
name.e = name.b = www_authenticate;
|
||||
while (*name.e && !c_isspace (*name.e)) name.e++;
|
||||
|
||||
if (name.b == name.e)
|
||||
break;
|
||||
|
||||
DEBUGP (("Auth scheme found '%.*s'\n", (int) (name.e - name.b), name.b));
|
||||
|
||||
if (known_authentication_scheme_p (name.b, name.e))
|
||||
{
|
||||
if (BEGINS_WITH (name.b, "NTLM"))
|
||||
{
|
||||
ntlm = name.b;
|
||||
break; /* this is the most secure challenge, stop here */
|
||||
}
|
||||
else if (!digest && BEGINS_WITH (name.b, "Digest"))
|
||||
digest = name.b;
|
||||
else if (!basic && BEGINS_WITH (name.b, "Basic"))
|
||||
basic = name.b;
|
||||
}
|
||||
|
||||
if (!www_authenticate)
|
||||
/* now advance over the auth-params */
|
||||
www_authenticate = name.e;
|
||||
DEBUGP (("Auth param list '%s'\n", www_authenticate));
|
||||
while (extract_param (&www_authenticate, &name, &value, ',', NULL) && name.b && value.b)
|
||||
{
|
||||
DEBUGP (("Auth param %.*s=%.*s\n",
|
||||
(int) (name.e - name.b), name.b, (int) (value.e - value.b), value.b));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!basic && !digest && !ntlm)
|
||||
{
|
||||
/* If the authentication header is missing or
|
||||
unrecognized, there's no sense in retrying. */
|
||||
logputs (LOG_NOTQUIET, _("Unknown authentication scheme.\n"));
|
||||
}
|
||||
else if (!basic_auth_finished
|
||||
|| !BEGINS_WITH (www_authenticate, "Basic"))
|
||||
|| !basic)
|
||||
{
|
||||
char *pth = url_full_path (u);
|
||||
const char *value;
|
||||
@ -2408,6 +2446,15 @@ read_header:
|
||||
auth_stat = xmalloc (sizeof (uerr_t));
|
||||
*auth_stat = RETROK;
|
||||
|
||||
if (ntlm)
|
||||
www_authenticate = ntlm;
|
||||
else if (digest)
|
||||
www_authenticate = digest;
|
||||
else
|
||||
www_authenticate = basic;
|
||||
|
||||
logprintf (LOG_NOTQUIET, _("Authentication selected: %s\n"), www_authenticate);
|
||||
|
||||
value = create_authorization_line (www_authenticate,
|
||||
user, passwd,
|
||||
request_method (req),
|
||||
|
@ -1,3 +1,7 @@
|
||||
2014-11-26 Tim Ruehsen <tim.ruehsen@gmx.de>
|
||||
|
||||
* Makefile.am: Removed Test-auth-both.py from XFAIL_TESTS
|
||||
|
||||
2014-11-21 Tim Ruehsen <tim.ruehsen@gmx.de>
|
||||
|
||||
* server/http/http_server.py: Fixed typo Blackisted to Blacklisted
|
||||
|
@ -53,7 +53,8 @@ if HAVE_PYTHON3
|
||||
Test-504.py \
|
||||
Test--spider-r.py
|
||||
|
||||
XFAIL_TESTS = Test-auth-both.py
|
||||
# added test cases expected to fail here and under TESTS
|
||||
XFAIL_TESTS =
|
||||
endif
|
||||
|
||||
EXTRA_DIST = certs conf exc misc server test README $(TESTS) $(XFAIL_TESTS)
|
||||
|
@ -207,8 +207,8 @@ class _Handler (BaseHTTPRequestHandler):
|
||||
def send_challenge (self, auth_type):
|
||||
auth_type = auth_type.lower()
|
||||
if auth_type == "both":
|
||||
self.send_challenge ("digest")
|
||||
self.send_challenge ("basic")
|
||||
self.send_challenge ("digest")
|
||||
return
|
||||
if auth_type == "basic":
|
||||
challenge_str = 'BasIc realm="Wget-Test"'
|
||||
|
Loading…
Reference in New Issue
Block a user