Re: [hackers] [quark][PATCH] Don't erase response on http_send_error_response

From: Laslo Hunhold <dev_AT_frign.de>
Date: Mon, 26 Oct 2020 08:34:46 +0100

On Sun, 25 Oct 2020 11:04:26 +0100
José Miguel Sánchez García <soy.jmi2k_AT_gmail.com> wrote:

Dear José,

> I'm currently relying on the req struct NOT being erased, because I'm
> storing the realm the file belongs to there. Then, I'm using that
> realm information to build the WWW-Authenticate header for the 401
> error response.
>
> I could just save that field before erasing everything else, but I
> wonder if that's the way to go. If you are getting rid of everything,
> maybe I shouldn't make exceptions?

Definitely don't make exceptions here, because erasing the entire
struct is a consistency measure and being inconsistent there
complicates the semantics.

I also don't see a reason for the constraints you mention. Just add an
array of group-auth-pairs to the server struct and also add a
group-auth-pair to the req-struct that you then fill when you parse the
request fields in http_parse_header(). Then later, in
http_prepare_header_buf(), you check if they match and either send
an error-header (access denied) or allow access.

In case the auth-field is empty but the file requires a password, you,
in turn, send the desired header to ask for auth.

With best regards

Laslo
Received on Mon Oct 26 2020 - 08:34:46 CET
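The check described in the reply above, as an added example that is not part of the original message and is not quark's code: `struct group_auth`, `struct server`, `auth_check()`, `check_sample()` and the sample credential are hypothetical names and constructed values. It assumes the realm for the auth request is read from the server's table rather than from the request struct, so the request struct can still be erased as a whole before the error response is built.

```c
#include <stddef.h>
#include <string.h>
enum auth_result { AUTH_ALLOW, AUTH_ASK, AUTH_DENY };
struct group_auth { const char *group, *auth; }; /* hypothetical pair */
struct server { const struct group_auth *pairs; size_t npairs; };

/* Compare without stopping at the first differing byte (length still leaks). */
static int
auth_equal(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b), i;
	unsigned char diff = (la != lb);
	for (i = 0; i < la && i < lb; i++)
		diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
	return diff == 0;
}

/* req: pair filled while parsing the request; *match points into srv only. */
enum auth_result
auth_check(const struct server *srv, const struct group_auth *req,
           const struct group_auth **match)
{
	size_t i;
	*match = NULL;
	if (!req->group)
		return AUTH_ALLOW; /* file is in no protected group */
	for (i = 0; i < srv->npairs; i++) {
		if (strcmp(srv->pairs[i].group, req->group))
			continue;
		*match = &srv->pairs[i];
		if (!req->auth || !req->auth[0])
			return AUTH_ASK; /* ask for auth; realm comes from *match */
		return auth_equal(req->auth, (*match)->auth) ? AUTH_ALLOW : AUTH_DENY;
	}
	return AUTH_DENY; /* group not configured: fail closed */
}

/* Constructed sample configuration and a small driver for it. */
static const struct group_auth sample_pairs[] = { { "staff", "constructed-secret" } };
static const struct server sample_srv = { sample_pairs, 1 };
const struct group_auth *sample_match; /* server entry hit by the last check */

enum auth_result
check_sample(const char *group, const char *auth)
{
	struct group_auth req = { group, auth };
	return auth_check(&sample_srv, &req, &sample_match);
}
int main(void) { return check_sample("staff", "") != AUTH_ASK; }
```

Because `*match` points at server-owned data, the caller can build the header that asks for auth from it after the request struct has been cleared.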
