[nginx] Multiple WWW-Authenticate headers with "satisfy any;".
Sergey Kandaurov
pluknet at nginx.com
Mon May 30 22:33:05 UTC 2022
details: https://hg.nginx.org/nginx/rev/711737177b77
branches:
changeset: 8038:711737177b77
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon May 30 21:25:56 2022 +0300
description:
Multiple WWW-Authenticate headers with "satisfy any;".
If a module adds multiple WWW-Authenticate headers (ticket #485) to the
response, linked in r->headers_out.www_authenticate, all headers are now
cleared if another module later allows access.
This change is a nop for standard modules, since the only access module which
can add multiple WWW-Authenticate headers is the auth request module, and
it is checked after other standard access modules. Though this might
affect some third party access modules.
Note that if a 3rd party module adds a single WWW-Authenticate header
and not yet modified to set the header's next pointer to NULL, attempt to
clear such a header with this change will result in a segmentation fault.
diffstat:
src/http/ngx_http_core_module.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diffs (22 lines):
diff -r 8272c823a7d0 -r 711737177b77 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Mon May 30 21:25:54 2022 +0300
+++ b/src/http/ngx_http_core_module.c Mon May 30 21:25:56 2022 +0300
@@ -1088,6 +1088,7 @@ ngx_int_t
ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
{
ngx_int_t rc;
+ ngx_table_elt_t *h;
ngx_http_core_loc_conf_t *clcf;
if (r != r->main) {
@@ -1122,8 +1123,8 @@ ngx_http_core_access_phase(ngx_http_requ
if (rc == NGX_OK) {
r->access_code = 0;
- if (r->headers_out.www_authenticate) {
- r->headers_out.www_authenticate->hash = 0;
+ for (h = r->headers_out.www_authenticate; h; h = h->next) {
+ h->hash = 0;
}
r->phase_handler = ph->next;
More information about the nginx-devel
mailing list