[Bug 256677] libfetch pops for user credentials even though it does not support the auth mechanism

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 17 Jun 2021 19:51:30 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256677

            Bug ID: 256677
           Summary: libfetch pops for user credentials even though it does
                    not support the auth mechanism
           Product: Base System
           Version: 12.2-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: michael.osipov@siemens.com

Running on: stable/12:4e2ae05c3

Consider the following:
> # curl https://deblndw011x.ad001.siemens.net/repos/websvn/ -I
> HTTP/1.1 401 Unauthorized
> Date: Thu, 17 Jun 2021 19:37:35 GMT
> Server: Apache
> X-Frame-Options: SAMEORIGIN
> WWW-Authenticate: Negotiate
> Content-Type: text/html; charset=iso-8859-1

fetch nags me:
> # fetch  https://deblndw011x.ad001.siemens.net/repos/websvn/
> Authentication required for <https://deblndw011x.ad001.siemens.net:443/>!
> Login:

libfetch does not support SPNEGO authentication through the Heimdal library in
base, yet it still nags me, giving a false sense of support.

The reason is here:
https://github.com/freebsd/freebsd-src/blob/68d3790ba0bce162f9fcaed09cfecd9adeab3943/lib/libfetch/http.c#L768-L796

It unconditionally sets cs.valid = 1 without even knowing whether it supports
the scheme or not.

This needs to be changed to something like: if at least one AS is supported, set
valid to 1, otherwise remain on 0.

Maybe this would do the trick:
                /* replaces the unconditional cs->valid = 1 */
                cs->valid = 0;

                if (strcasecmp(key, "basic") == 0) {
                        cs->challenges[cs->count]->scheme = HTTPAS_BASIC;
                        cs->valid = 1;
                } else if (strcasecmp(key, "digest") == 0) {
                        cs->challenges[cs->count]->scheme = HTTPAS_DIGEST;
                        cs->valid = 1;
                }

-- 
You are receiving this mail because:
You are the assignee for the bug.
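
The check the report asks for, as an added stand-alone example (not libfetch code and not part of the original report): a client should treat a 401 as answerable, and only then ask for credentials, when the WWW-Authenticate value names at least one scheme it implements. The function names `challenge_is_answerable` and `scheme_supported` are hypothetical, and the parsing is a simplified reading of the header grammar that goes beyond the reporter's snippet by handling several challenges in one header value.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Schemes the client can answer: Basic and Digest, as in the report. */
static const char *const supported[] = { "basic", "digest" };

static int scheme_supported(const char *s, size_t len)
{
	for (size_t i = 0; i < sizeof(supported) / sizeof(supported[0]); i++)
		if (strlen(supported[i]) == len && !strncasecmp(s, supported[i], len))
			return 1;
	return 0;
}

/* Return 1 only if the WWW-Authenticate value offers a supported scheme. */
int challenge_is_answerable(const char *v)
{
	int in_quote = 0, at_start = 1;
	for (; *v != '\0'; v++) {
		if (in_quote) {
			if (*v == '\\' && v[1] != '\0')
				v++;		/* skip the escaped character */
			else if (*v == '"')
				in_quote = 0;
		} else if (*v == '"') {
			in_quote = 1;
			at_start = 0;
		} else if (*v == ',') {
			at_start = 1;		/* next token may be a scheme */
		} else if (at_start && *v != ' ' && *v != '\t') {
			size_t len = strcspn(v, " \t,=\"");
			const char *end = v + len;
			while (*end == ' ' || *end == '\t')
				end++;
			/* key=value is an auth-param, not a scheme name */
			if (len > 0 && *end != '=' && scheme_supported(v, len))
				return 1;
			at_start = 0;
			v += len ? len - 1 : 0;
		}
	}
	return 0;
}

int main(void)
{
	printf("%d\n", challenge_is_answerable("Negotiate"));
}
```

The value passed in `main` is the header from the 401 response quoted in the report; a caller would skip the login prompt and report an unsupported authentication scheme when the function returns 0.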