authorStef Walter <stef@memberwebs.com>2007-06-01 13:31:45 +0000
committerStef Walter <stef@memberwebs.com>2007-06-01 13:31:45 +0000
commit20cde33c0b943c77a7c9d8d5d9c3d9281a6b13a5 (patch)
treea92ce9cbf1d56ec162ab2b179116b627dd2c2b30
parent9ab8871e7d0387a7326d5179ab5b64a4995fce0d (diff)
A better fix for the problem of the method not matching up with the digest auth.
-rw-r--r--daemon/digest.c14
-rw-r--r--daemon/httpauthd.c7
-rw-r--r--daemon/httpauthd.h3
-rw-r--r--doc/httpauthd.conf.512
4 files changed, 14 insertions, 22 deletions
diff --git a/daemon/digest.c b/daemon/digest.c
index 1c68366..ecde6b7 100644
--- a/daemon/digest.c
+++ b/daemon/digest.c
@@ -356,7 +356,7 @@ int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t
return HA_BADREQ;
}
- if(!opts->digest_ignoreuri && strcmp(dg->client.uri, dg->server_uri) != 0)
+ if(!opts->digest_allowany && strcmp(dg->client.uri, dg->server_uri) != 0)
{
ha_uri_t d_uri;
ha_uri_t s_uri;
@@ -489,7 +489,12 @@ int digest_complete_check(digest_context_t* dg, const ha_context_t* opts, ha_buf
const char** m;
int ret;
- if(opts->digest_ignoremethod)
+ /* Use the method sent to us */
+ ret = internal_check (dg, dg->server_method, buf);
+ if(ret != HA_FALSE)
+ return ret;
+
+ if(opts->digest_allowany)
{
/* Try out each and every method in HTTP */
for(m = g_http_methods; *m; ++m)
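Review bot: When `digest_allowany` is set and the strict check on `dg->server_method` returns HA_FALSE, a match found by the fallback loop over `g_http_methods` looks the same as a normal success, so nothing records that a digest response was accepted for a different method than the request carried. The man page in this commit describes the option as opening up replay attacks, so the success path of the loop should log that case, for example `ha_messagex(NULL, LOG_INFO, "digest: response matched a method other than the one requested");`, with whatever context argument ha_messagex takes during request handling. The new comment could also state the ordering: `/* Try the request's own method first; other methods are only tried under DigestAllowAnyPath */`. The loop body and the start of digest_complete_check are outside this hunk.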
@@ -499,11 +504,6 @@ int digest_complete_check(digest_context_t* dg, const ha_context_t* opts, ha_buf
break;
}
}
- else
- {
- /* Use the method sent to us */
- ret = internal_check (dg, dg->server_method, buf);
- }
return ret;
}
diff --git a/daemon/httpauthd.c b/daemon/httpauthd.c
index b77abcb..44156eb 100644
--- a/daemon/httpauthd.c
+++ b/daemon/httpauthd.c
@@ -1500,7 +1500,8 @@ static int config_parse(const char* file, ha_buffer_t* buf)
if(ha_confbool(name, value, &v) < 0)
exit(1); /* Message already printed */
- opts->digest_ignoreuri = v;
+ ha_messagex(NULL, LOG_WARNING, "DigestIgnoreURI is deprecated, use DigestAllowAnyPath");
+ opts->digest_allowany = v;
recog = 1;
}
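Review bot: A configuration that already sets DigestIgnoreURI now also gets method matching relaxed, because the option is stored in the merged `digest_allowany` flag that digest_complete_check consults, and the new warning does not mention the wider effect. The message should say so, for example `ha_messagex(NULL, LOG_WARNING, "DigestIgnoreURI is deprecated and now also allows a mismatched method, use DigestAllowAnyPath");`. The enclosing branch of config_parse starts outside the hunk.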
@@ -1514,13 +1515,13 @@ static int config_parse(const char* file, ha_buffer_t* buf)
recog = 1;
}
- else if(strcmp(name, "digestignoremethod") == 0)
+ else if(strcmp(name, "digestallowanypath") == 0)
{
int v;
if(ha_confbool(name, value, &v) < 0)
exit(1); /* Message already printed */
- opts->digest_ignoremethod = v;
+ opts->digest_allowany = v;
recog = 1;
}
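Review bot: The `digestignoremethod` branch is replaced outright, so a configuration that still sets DigestIgnoreMethod no longer matches any branch shown here, while DigestIgnoreURI keeps a deprecation path in the earlier hunk. How config_parse treats an unrecognized name is outside the hunk; if it is ignored, pass-through setups silently return to strict method matching after an upgrade. Keeping a `digestignoremethod` branch that prints `ha_messagex(NULL, LOG_WARNING, "DigestIgnoreMethod is deprecated, use DigestAllowAnyPath");` would make the change visible to operators. Whether that branch should still set `opts->digest_allowany` is a separate decision, since doing so would also relax the URI check.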
diff --git a/daemon/httpauthd.h b/daemon/httpauthd.h
index 36c8449..1540138 100644
--- a/daemon/httpauthd.h
+++ b/daemon/httpauthd.h
@@ -118,8 +118,7 @@ typedef struct ha_context
const char* realm;
/* For digest auth: */
- unsigned int digest_ignoremethod : 1;
- unsigned int digest_ignoreuri : 1;
+ unsigned int digest_allowany : 1;
unsigned int digest_ignorenc : 1;
const char* digest_debugnonce;
}
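Review bot: The merged field `digest_allowany` has no comment, and its name does not say what is allowed. In this commit it gates both the URI comparison in digest_pre_check and the method fallback in digest_complete_check. A comment on the field would keep later readers from treating it as a path-only switch, for example `/* DigestAllowAnyPath: accept a digest whose uri or method differs from the request */`. The struct definition starts outside the hunk.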
diff --git a/doc/httpauthd.conf.5 b/doc/httpauthd.conf.5
index bae1d2d..7bca8b6 100644
--- a/doc/httpauthd.conf.5
+++ b/doc/httpauthd.conf.5
@@ -148,14 +148,6 @@ How this exactly works depends on the method it applies to.
[ Default:
.Em 900
]
-.It Cd DigestIgnoreMethod
-When set to
-.Em True
-allows the HTTP method value in
-.Em Digest
-authentication to be mismatched with the actual request. This opens
-up a variety of replay attacks, but is useful for pass-through
-authentication (eg: a website using a SOAP service).
.It Cd DigestIgnoreNC
When set to
.Em True
@@ -166,10 +158,10 @@ authentication to be incorrect. This opens up various replay attacks.
[ Default:
.Em False
]
-.It Cd DigestIgnoreURI
+.It Cd DigestAllowAnyPath
When set to
.Em True
-allows the URI value in
+allows the URI value or HTTP method in
.Em Digest
authentication to be mismatched with the URI requested. This opens up
a variety of replay attacks, but is useful for pass-through