From 20cde33c0b943c77a7c9d8d5d9c3d9281a6b13a5 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Fri, 1 Jun 2007 13:31:45 +0000
Subject: A better fix for the problem of the method not matching up with the digest auth.

---
 daemon/digest.c | 14 +++++++-------
 daemon/httpauthd.c | 7 ++++---
 daemon/httpauthd.h | 3 +--
 doc/httpauthd.conf.5 | 12 ++----------
 4 files changed, 14 insertions(+), 22 deletions(-)

diff --git a/daemon/digest.c b/daemon/digest.c
index 1c68366..ecde6b7 100644
--- a/daemon/digest.c
+++ b/daemon/digest.c
@@ -356,7 +356,7 @@ int digest_pre_check(digest_context_t* dg, const ha_context_t* opts, ha_buffer_t
 return HA_BADREQ;
 }
 
- if(!opts->digest_ignoreuri && strcmp(dg->client.uri, dg->server_uri) != 0)
+ if(!opts->digest_allowany && strcmp(dg->client.uri, dg->server_uri) != 0)
 {
 ha_uri_t d_uri;
 ha_uri_t s_uri;
@@ -489,7 +489,12 @@ int digest_complete_check(digest_context_t* dg, const ha_context_t* opts, ha_buf
 const char** m;
 int ret;
 
- if(opts->digest_ignoremethod)
+ /* Use the method sent to us */
+ ret = internal_check (dg, dg->server_method, buf);
+ if(ret != HA_FALSE)
+ return ret;
+
+ if(opts->digest_allowany)
 {
 /* Try out each and every method in HTTP */
 for(m = g_http_methods; *m; ++m)
@@ -499,11 +504,6 @@ int digest_complete_check(digest_context_t* dg, const ha_context_t* opts, ha_buf
 break;
 }
 }
- else
- {
- /* Use the method sent to us */
- ret = internal_check (dg, dg->server_method, buf);
- }
 
 return ret;
 }
diff --git a/daemon/httpauthd.c b/daemon/httpauthd.c
index b77abcb..44156eb 100644
--- a/daemon/httpauthd.c
+++ b/daemon/httpauthd.c
@@ -1500,7 +1500,8 @@ static int config_parse(const char* file, ha_buffer_t* buf)
 if(ha_confbool(name, value, &v) < 0)
 exit(1); /* Message already printed */
 
- opts->digest_ignoreuri = v;
+ ha_messagex(NULL, LOG_WARNING, "DigestIgnoreURI is deprecated, use DigestAllowAnyPath");
+ opts->digest_allowany = v;
 recog = 1;
 }
 
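Review bot: The fallback loop guarded by `digest_allowany` will re-run `internal_check` for `dg->server_method`, which the unconditional call just above already returned HA_FALSE for, assuming `g_http_methods` also lists the request's own method; the loop body lies between this hunk and the next so I cannot see whether it skips that entry, but a `if(strcmp(*m, dg->server_method) == 0) continue;` guard would avoid the duplicate check. The new ordering is the security-relevant contract of this function and deserves a comment saying so: the request's actual method is always verified first, and only `DigestAllowAnyPath` widens the search to every known HTTP method, which is what makes the method value replayable. I would replace `/* Use the method sent to us */` with `/* Always verify against the actual request method first; only DigestAllowAnyPath falls back to trying every method in g_http_methods */`. The body of `digest_complete_check` continues past the end of this hunk.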
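Review bot: The deprecation warning understates what the replacement does: `DigestIgnoreURI` only relaxed the URI comparison, but its value is now stored in `digest_allowany`, which per the digest.c hunks in this same commit also enables the try-every-method fallback, so a configuration that only opted out of the URI check silently becomes more permissive on upgrade. The message should state that, e.g. `ha_messagex(NULL, LOG_WARNING, "DigestIgnoreURI is deprecated, use DigestAllowAnyPath (which also relaxes the HTTP method check)");`. If widening an old setting on upgrade is not acceptable, the alternative is to reject the old key with an error instead of mapping it onto the broader flag. `config_parse` begins and ends outside this hunk.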
@@ -1514,13 +1515,13 @@ static int config_parse(const char* file, ha_buffer_t* buf)
 recog = 1;
 }
 
- else if(strcmp(name, "digestignoremethod") == 0)
+ else if(strcmp(name, "digestallowanypath") == 0)
 {
 int v;
 if(ha_confbool(name, value, &v) < 0)
 exit(1); /* Message already printed */
 
- opts->digest_ignoremethod = v;
+ opts->digest_allowany = v;
 recog = 1;
 }
 
diff --git a/daemon/httpauthd.h b/daemon/httpauthd.h
index 36c8449..1540138 100644
--- a/daemon/httpauthd.h
+++ b/daemon/httpauthd.h
@@ -118,8 +118,7 @@ typedef struct ha_context
 const char* realm;
 
 /* For digest auth: */
- unsigned int digest_ignoremethod : 1;
- unsigned int digest_ignoreuri : 1;
+ unsigned int digest_allowany : 1;
 unsigned int digest_ignorenc : 1;
 const char* digest_debugnonce;
 }
diff --git a/doc/httpauthd.conf.5 b/doc/httpauthd.conf.5
index bae1d2d..7bca8b6 100644
--- a/doc/httpauthd.conf.5
+++ b/doc/httpauthd.conf.5
@@ -148,14 +148,6 @@ How this exactly works depends on the method it applies to.
 [ Default:
 .Em 900
 ]
-.It Cd DigestIgnoreMethod
-When set to
-.Em True
-allows the HTTP method value in
-.Em Digest
-authentication to be mismatched with the actual request. This opens
-up a variety of replay attacks, but is useful for pass-through
-authentication (eg: a website using a SOAP service).
 .It Cd DigestIgnoreNC
 When set to
 .Em True
@@ -166,10 +158,10 @@ authentication to be incorrect. This opens up various replay attacks.
 [ Default:
 .Em False
 ]
-.It Cd DigestIgnoreURI
+.It Cd DigestAllowAnyPath
 When set to
 .Em True
-allows the URI value in
+allows the URI value or HTTP method in
 .Em Digest
 authentication to be mismatched with the URI requested. This opens
 up a variety of replay attacks, but is useful for pass-through
--
cgit v1.2.3
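Review bot: The `digestignoremethod` key is removed outright rather than deprecated, so a configuration that still contains `DigestIgnoreMethod` now falls through this chain with `recog` unset, whereas the sibling hunk at line 1500 keeps `DigestIgnoreURI` working with a warning; the two old keys should be handled the same way. I would keep a branch for the old name that warns and maps onto `digest_allowany`, with the warning noting that the new option also relaxes the URI check, as sketched below; whichever way it goes, the operator should get a clear message rather than a silently unrecognised option. `config_parse` begins and ends outside this hunk.
```c
        /* … unchanged: digestallowanypath branch … */
        else if(strcmp(name, "digestignoremethod") == 0)
        {
            int v;
            if(ha_confbool(name, value, &v) < 0)
                exit(1); /* Message already printed */

            ha_messagex(NULL, LOG_WARNING, "DigestIgnoreMethod is deprecated, use DigestAllowAnyPath (which also relaxes the URI check)");
            opts->digest_allowany = v;
            recog = 1;
        }
```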
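Review bot: The merged bit-field `digest_allowany` gets no comment, yet it now controls two independent relaxations (URI mismatch in `digest_pre_check` and HTTP method mismatch in `digest_complete_check`, per the digest.c hunks of this commit), and the surrounding `/* For digest auth: */` does not say which. A trailing comment would make the trade-off visible where the flag is declared, e.g. `unsigned int digest_allowany : 1; /* DigestAllowAnyPath: accept a URI or HTTP method that differs from the request; weakens replay protection */`. The `ha_context` struct starts before this hunk.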