unofficial mirror of emacs-devel@gnu.org 
* [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
@ 2006-11-02 21:46 Richard Stallman
  2006-11-02 22:24 ` Jason Rumney
  2006-11-02 23:07 ` Magnus Henoch
  0 siblings, 2 replies; 5+ messages in thread
From: Richard Stallman @ 2006-11-02 21:46 UTC (permalink / raw)


We can install this without papers, but is it correct?
Would someone please DTRT, then ack?

------- Start of forwarded message -------
To: emacs-pretest-bug@gnu.org
From: Shun-ichi GOTO <gotoh@taiyo.co.jp>
Date: Wed, 01 Nov 2006 18:41:43 +0900
Subject: url-http-handle-authentication does not handle multiple
	WWW-Authenticate: lines.

I found a problem with authentication in url-http.el:
it handles only the first WWW-Authenticate: line and
gives up authentication when the first one is not a supported auth scheme,
even though the next one is supported.

For example, one page returns the following two lines.
That page is configured with NTLM (by mod_auth_sspi)
and BASIC auth enabled.

...snip...
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="TAIYO domain"
...snip...

Because url-http-handle-authentication<f> gets the unsupported scheme NTLM
from the first line and gives up asking for and storing authentication
information, we are never able to get the page.

The attached patch fixes this issue by checking all the lines and using
the first supported one.

\f
Index: url-http.el
===================================================================
- --- url-http.el	(revision 4177)
+++ url-http.el	(working copy)
@@ -303,21 +303,29 @@
   (declare (special status success url-http-method url-http-data
 		    url-callback-function url-callback-arguments))
   (url-http-debug "Handling %s authentication" (if proxy "proxy" "normal"))
- -  (let ((auth (or (mail-fetch-field (if proxy "proxy-authenticate" "www-authenticate"))
- -		  "basic"))
+  (let ((auths (or (nreverse
+		    (mail-fetch-field
+		     (if proxy "proxy-authenticate" "www-authenticate")
+		     nil nil t))
+		  '("basic")))
 	(type nil)
 	(url (url-recreate-url url-current-object))
 	(url-basic-auth-storage 'url-http-real-basic-auth-storage)
- -	)
- -
+	auth)
     ;; Cheating, but who cares? :)
     (if proxy
 	(setq url-basic-auth-storage 'url-http-proxy-basic-auth-storage))
 
- -    (setq auth (url-eat-trailing-space (url-strip-leading-spaces auth)))
- -    (if (string-match "[ \t]" auth)
- -	(setq type (downcase (substring auth 0 (match-beginning 0))))
- -      (setq type (downcase auth)))
+    ;; find first supported auth
+    (while auths
+      (setq auth (url-eat-trailing-space (url-strip-leading-spaces (car auths))))
+      (if (string-match "[ \t]" auth)
+	  (setq type (downcase (substring auth 0 (match-beginning 0))))
+	(setq type (downcase auth)))
+      (if (url-auth-registered type)
+	  (setq auths nil)		; no more check
+	(setq auth nil
+	      auths (cdr auths))))
 
     (if (not (url-auth-registered type))
 	(progn
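
Review bot: The while loop stops at the first scheme for which url-auth-registered returns non-nil, so the choice is decided by the order of the header lines rather than by the strength of the scheme; a response that lists Basic before a stronger registered scheme would be answered with Basic. Consider collecting every registered scheme from auths and picking the strongest one instead of ending the loop with (setq auths nil). When no line matches, the loop exits with auth set to nil while type still names the last unsupported scheme, so any code after the (if (not (url-auth-registered type)) test that reads auth has to tolerate nil; a short comment stating that would help. Each line is also treated as a single challenge, since only the token before the first space or tab is examined, so a line carrying several comma-separated challenges would be judged by its first scheme only.
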
\f

- --- Regards,
 Shun-ichi Goto  <gotoh@taiyo.co.jp>
   R&D Group, TAIYO Corp., Tokyo, JAPAN




------- End of forwarded message -------


* Re: [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
  2006-11-02 21:46 [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.] Richard Stallman
@ 2006-11-02 22:24 ` Jason Rumney
  2006-11-04  6:36   ` Richard Stallman
  2006-11-08 20:35   ` Magnus Henoch
  2006-11-02 23:07 ` Magnus Henoch
  1 sibling, 2 replies; 5+ messages in thread
From: Jason Rumney @ 2006-11-02 22:24 UTC (permalink / raw)
  Cc: emacs-devel

Richard Stallman wrote:
> We can install this without papers, but is it correct?
>   

It's better than the current situation of giving up if the auth method 
in the first header is not supported, but still not correct according to 
RFC-2617, which says that we MUST always select the most secure 
authentication method supported when offered multiple WWW-Authenticate 
headers.


* Re: [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
  2006-11-02 21:46 [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.] Richard Stallman
  2006-11-02 22:24 ` Jason Rumney
@ 2006-11-02 23:07 ` Magnus Henoch
  1 sibling, 0 replies; 5+ messages in thread
From: Magnus Henoch @ 2006-11-02 23:07 UTC (permalink / raw)


Richard Stallman <rms@gnu.org> writes:

> We can install this without papers, but is it correct?

Yes, it is.

> Would someone please DTRT, then ack?

I just committed the patch.

Magnus


* Re: [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
  2006-11-02 22:24 ` Jason Rumney
@ 2006-11-04  6:36   ` Richard Stallman
  2006-11-08 20:35   ` Magnus Henoch
  1 sibling, 0 replies; 5+ messages in thread
From: Richard Stallman @ 2006-11-04  6:36 UTC (permalink / raw)
  Cc: emacs-devel

    It's better than the current situation of giving up if the auth method 
    in the first header is not supported, but still not correct according to 
    RFC-2617, which says that we MUST always select the most secure 
    authentication method supported when offered multiple WWW-Authenticate 
    headers.

Could someone please write the correct code?


* Re: [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
  2006-11-02 22:24 ` Jason Rumney
  2006-11-04  6:36   ` Richard Stallman
@ 2006-11-08 20:35   ` Magnus Henoch
  1 sibling, 0 replies; 5+ messages in thread
From: Magnus Henoch @ 2006-11-08 20:35 UTC (permalink / raw)


Jason Rumney <jasonr@f2s.com> writes:

> It's better than the current situation of giving up if the auth method
> in the first header is not supported, but still not correct according
> to RFC-2617, which says that we MUST always select the most secure
> authentication method supported when offered multiple WWW-Authenticate
> headers.

Indeed.  I just changed the code to use the strongest method.  Thanks
for noticing!

Magnus
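
The selection rule Jason Rumney cites from RFC 2617, sketched as an added example (not the code Magnus committed and not part of url-http.el): pick the strongest supported scheme among several WWW-Authenticate lines instead of the first supported one. The example-* names and the strength ranking are assumptions made for illustration, the Digest line is constructed sample input, and each header line is treated as a single challenge.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; every example-* name is hypothetical, not a url.el API.

(defvar example-auth-strength '(("digest" . 2) ("basic" . 1))
  "Assumed ranking for this example: a higher number is a stronger scheme.
Schemes missing from the list (NTLM here) count as unsupported.")

(defun example-auth-scheme (challenge)
  "Return the lowercase scheme token that starts CHALLENGE, or nil if empty."
  (let ((token (car (split-string challenge "[ \t]+" t))))
    (and token (downcase token))))

(defun example-auth-select (challenges &optional ranking)
  "Return (SCHEME . CHALLENGE) for the strongest supported scheme, or nil.
CHALLENGES holds one string per WWW-Authenticate line, in header order.
RANKING defaults to `example-auth-strength'.  On equal strength the
earlier header line wins."
  (let ((ranking (or ranking example-auth-strength))
        best best-strength)
    (dolist (challenge challenges best)
      (let* ((scheme (example-auth-scheme challenge))
             (strength (cdr (assoc scheme ranking))))
        ;; Replace the current pick only when this scheme is strictly stronger.
        (when (and strength
                   (or (null best-strength) (> strength best-strength)))
          (setq best (cons scheme challenge)
                best-strength strength))))))

;; The two header lines from the report; NTLM is absent from the ranking.
(message "%S" (example-auth-select
               '("NTLM" "Basic realm=\"TAIYO domain\"")))

;; Constructed input with a Digest line added after Basic.
(message "%S" (example-auth-select
               '("NTLM"
                 "Basic realm=\"TAIYO domain\""
                 "Digest realm=\"TAIYO domain\", nonce=\"constructed-nonce\"")))

;; Only an unranked scheme on offer, the case where the caller has to
;; report failure rather than send credentials.
(message "%S" (example-auth-select '("NTLM")))
```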
