all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
@ 2006-11-02 21:46 Richard Stallman
  2006-11-02 22:24 ` Jason Rumney
  2006-11-02 23:07 ` Magnus Henoch
  0 siblings, 2 replies; 5+ messages in thread
From: Richard Stallman @ 2006-11-02 21:46 UTC (permalink / raw)


We can install this without papers, but is it correct?
Would someone please DTRT, then ack?

------- Start of forwarded message -------
To: emacs-pretest-bug@gnu.org
From: Shun-ichi GOTO <gotoh@taiyo.co.jp>
Date: Wed, 01 Nov 2006 18:41:43 +0900
Mime-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Subject: url-http-handle-authentication does not handle multiple
	WWW-Authenticate: lines.
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=failed 
	version=3.0.4

I found a problem of authentication in url-http.el
which handles only first WWW-Authenticate: line and
give-up authentication when first one is not supported auth scheme
although next one is supported.

For example, one page returns following two lines.
That page is configured with enabling NTLM (by mod_auth_sspi)
and BASIC auth.

...snip...
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="TAIYO domain"
...snip...

Because url-http-handle-authentication<f> gets unsupported scheme NTLM
from first line and gives up asking and storing authentication
information, so we never be able to get the page.

Attached patch is to fix this issue by checking all the lines and use
first one supported.

\f
Index: url-http.el
===================================================================
- --- url-http.el	(revision 4177)
+++ url-http.el	(working copy)
@@ -303,21 +303,29 @@
   (declare (special status success url-http-method url-http-data
 		    url-callback-function url-callback-arguments))
   (url-http-debug "Handling %s authentication" (if proxy "proxy" "normal"))
- -  (let ((auth (or (mail-fetch-field (if proxy "proxy-authenticate" "www-authenticate"))
- -		  "basic"))
+  (let ((auths (or (nreverse
+		    (mail-fetch-field
+		     (if proxy "proxy-authenticate" "www-authenticate")
+		     nil nil t))
+		  '("basic")))
 	(type nil)
 	(url (url-recreate-url url-current-object))
 	(url-basic-auth-storage 'url-http-real-basic-auth-storage)
- -	)
- -
+	auth)
     ;; Cheating, but who cares? :)
     (if proxy
 	(setq url-basic-auth-storage 'url-http-proxy-basic-auth-storage))
 
- -    (setq auth (url-eat-trailing-space (url-strip-leading-spaces auth)))
- -    (if (string-match "[ \t]" auth)
- -	(setq type (downcase (substring auth 0 (match-beginning 0))))
- -      (setq type (downcase auth)))
+    ;; find first supported auth
+    (while auths
+      (setq auth (url-eat-trailing-space (url-strip-leading-spaces (car auths))))
+      (if (string-match "[ \t]" auth)
+	  (setq type (downcase (substring auth 0 (match-beginning 0))))
+	(setq type (downcase auth)))
+      (if (url-auth-registered type)
+	  (setq auths nil)		; no more check
+	(setq auth nil
+	      auths (cdr auths))))
 
     (if (not (url-auth-registered type))
 	(progn
\f

- --- Regards,
 Shun-ichi Goto  <gotoh@taiyo.co.jp>
   R&D Group, TAIYO Corp., Tokyo, JAPAN




_______________________________________________
emacs-pretest-bug mailing list
emacs-pretest-bug@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-pretest-bug
------- End of forwarded message -------

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
  2006-11-02 21:46 [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.] Richard Stallman
@ 2006-11-02 22:24 ` Jason Rumney
  2006-11-04  6:36   ` Richard Stallman
  2006-11-08 20:35   ` Magnus Henoch
  2006-11-02 23:07 ` Magnus Henoch
  1 sibling, 2 replies; 5+ messages in thread
From: Jason Rumney @ 2006-11-02 22:24 UTC (permalink / raw)
  Cc: emacs-devel

Richard Stallman wrote:
> We can install this without papers, but is it correct?
>   

It's better than the current situation of giving up if the auth method 
in the first header is not supported, but still not correct according to 
RFC-2617, which says that we MUST always select the most secure 
authentication method supported when offered multiple WWW-Authenticate 
headers.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
  2006-11-02 21:46 [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.] Richard Stallman
  2006-11-02 22:24 ` Jason Rumney
@ 2006-11-02 23:07 ` Magnus Henoch
  1 sibling, 0 replies; 5+ messages in thread
From: Magnus Henoch @ 2006-11-02 23:07 UTC (permalink / raw)


Richard Stallman <rms@gnu.org> writes:

> We can install this without papers, but is it correct?

Yes, it is.

> Would someone please DTRT, then ack?

I just committed the patch.

Magnus

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
  2006-11-02 22:24 ` Jason Rumney
@ 2006-11-04  6:36   ` Richard Stallman
  2006-11-08 20:35   ` Magnus Henoch
  1 sibling, 0 replies; 5+ messages in thread
From: Richard Stallman @ 2006-11-04  6:36 UTC (permalink / raw)
  Cc: emacs-devel

    It's better than the current situation of giving up if the auth method 
    in the first header is not supported, but still not correct according to 
    RFC-2617, which says that we MUST always select the most secure 
    authentication method supported when offered multiple WWW-Authenticate 
    headers.

Could someone please write the correct code?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.]
  2006-11-02 22:24 ` Jason Rumney
  2006-11-04  6:36   ` Richard Stallman
@ 2006-11-08 20:35   ` Magnus Henoch
  1 sibling, 0 replies; 5+ messages in thread
From: Magnus Henoch @ 2006-11-08 20:35 UTC (permalink / raw)


Jason Rumney <jasonr@f2s.com> writes:

> It's better than the current situation of giving up if the auth method
> in the first header is not supported, but still not correct according
> to RFC-2617, which says that we MUST always select the most secure
> authentication method supported when offered multiple WWW-Authenticate
> headers.

Indeed.  I just changed the code to use the strongest method.  Thanks
for noticing!

Magnus

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2006-11-08 20:35 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-11-02 21:46 [gotoh@taiyo.co.jp: url-http-handle-authentication does not handle multiple WWW-Authenticate: lines.] Richard Stallman
2006-11-02 22:24 ` Jason Rumney
2006-11-04  6:36   ` Richard Stallman
2006-11-08 20:35   ` Magnus Henoch
2006-11-02 23:07 ` Magnus Henoch

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.