[PATCH 18 of 20] Upstream: multiple WWW-Authenticate headers (ticket #485)

Sergey Kandaurov pluknet at nginx.com
Wed May 11 21:03:37 UTC 2022


On Thu, Apr 21, 2022 at 01:18:58AM +0300, Maxim Dounin wrote:
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1650492341 -10800
> #      Thu Apr 21 01:05:41 2022 +0300
> # Node ID fa9751ffe7723a11159c158078e454671e81cb87
> # Parent  2027b85971d4b8a7e33c018548468057cb57eaf7
> Upstream: multiple WWW-Authenticate headers (ticket #485).
> 
> When using proxy_intercept_errors and an error page for error 401
> (Unauthorized), multiple WWW-Authenticate headers from the upstream server
> response are now properly copied to the response.
> 
> diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
> --- a/src/http/ngx_http_upstream.c
> +++ b/src/http/ngx_http_upstream.c
> @@ -2647,7 +2647,7 @@ ngx_http_upstream_intercept_errors(ngx_h
>  {
>      ngx_int_t                  status;
>      ngx_uint_t                 i;
> -    ngx_table_elt_t           *h;
> +    ngx_table_elt_t           *h, *ho, **ph;
>      ngx_http_err_page_t       *err_page;
>      ngx_http_core_loc_conf_t  *clcf;
>  
> @@ -2676,18 +2676,26 @@ ngx_http_upstream_intercept_errors(ngx_h
>              if (status == NGX_HTTP_UNAUTHORIZED
>                  && u->headers_in.www_authenticate)
>              {
> -                h = ngx_list_push(&r->headers_out.headers);
> -
> -                if (h == NULL) {
> -                    ngx_http_upstream_finalize_request(r, u,
> +                h = u->headers_in.www_authenticate;
> +                ph = &r->headers_out.www_authenticate;
> +
> +                while (h) {
> +                    ho = ngx_list_push(&r->headers_out.headers);
> +
> +                    if (ho == NULL) {
> +                        ngx_http_upstream_finalize_request(r, u,
>                                                 NGX_HTTP_INTERNAL_SERVER_ERROR);
> -                    return NGX_OK;
> +                        return NGX_OK;
> +                    }
> +
> +                    *ho = *h;
> +                    ho->next = NULL;
> +
> +                    *ph = ho;
> +                    ph = &ho->next;
> +
> +                    h = h->next;
>                  }
> -
> -                *h = *u->headers_in.www_authenticate;
> -                h->next = NULL;
> -
> -                r->headers_out.www_authenticate = h;
>              }
>  
>  #if (NGX_HTTP_CACHE)
> 
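Review bot: In the `while (h)` loop, the first `*ph = ho` overwrites `r->headers_out.www_authenticate` without checking that it is empty, so a chain already linked there would be dropped from the pointer while its entries stay in `r->headers_out.headers`. The removed code made the same unconditional assignment (`r->headers_out.www_authenticate = h;`), so this is not a regression, but a short comment above the loop stating that the pointer is expected to be NULL here and that `ph` tracks the tail link would make the assumption visible. The struct copy `*ho = *h` is also shallow, so the copied entries keep pointing at the upstream header's string data; a note on that lifetime dependency next to the copy would help future readers.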

While the patch certainly looks correct,
I'm not sure about the usefulness of r->headers_out.www_authenticate.
Is the header accessed directly through this pointer ever?
For read purposes I mean.  Header filters seem not.

The only place is in the auth_request module,
but it doesn't seem to make sense in a subrequest.


