ucb: webdav-curl: only allow system credentials for auth once
... and in any case abort authentication after 10 failed attempts. Apparently some PasswordContainer can turn this into an infinite loop. Change-Id: Ib2333b371a770999e8407ce7e1af21512aadb70d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132974 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
This commit is contained in:
@@ -1221,6 +1221,8 @@ auto CurlProcessor::ProcessRequest(
|
||||
}
|
||||
}
|
||||
bool isRetry(false);
|
||||
int nAuthRequests(0);
|
||||
int nAuthRequestsProxy(0);
|
||||
|
||||
// libcurl does not have an authentication callback so handle auth
|
||||
// related status codes and requesting credentials via this loop
|
||||
@@ -1363,8 +1365,16 @@ auto CurlProcessor::ProcessRequest(
|
||||
case SC_UNAUTHORIZED:
|
||||
case SC_PROXY_AUTHENTICATION_REQUIRED:
|
||||
{
|
||||
if (pEnv && pEnv->m_xAuthListener)
|
||||
auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? nAuthRequests
|
||||
: nAuthRequestsProxy);
|
||||
if (rnAuthRequests == 10)
|
||||
{
|
||||
SAL_INFO("ucb.ucp.webdav.curl", "aborting authentication after "
|
||||
<< rnAuthRequests << " attempts");
|
||||
}
|
||||
else if (pEnv && pEnv->m_xAuthListener)
|
||||
{
|
||||
++rnAuthRequests;
|
||||
::std::optional<OUString> const oRealm(ExtractRealm(
|
||||
headers, statusCode == SC_UNAUTHORIZED ? "WWW-Authenticate"
|
||||
: "Proxy-Authenticate"));
|
||||
@@ -1381,7 +1391,13 @@ auto CurlProcessor::ProcessRequest(
|
||||
&authAvail);
|
||||
assert(rc == CURLE_OK);
|
||||
(void)rc;
|
||||
bool const isSystemCredSupported((authAvail & authSystem) != 0);
|
||||
// only allow SystemCredentials once - the
|
||||
// PasswordContainer may have stored it in the
|
||||
// Config (TrySystemCredentialsFirst or
|
||||
// AuthenticateUsingSystemCredentials) and then it
|
||||
// will always force its use no matter how hopeless
|
||||
bool const isSystemCredSupported((authAvail & authSystem) != 0
|
||||
&& rnAuthRequests == 0);
|
||||
|
||||
// Ask user via XInteractionHandler.
|
||||
// Warning: This likely runs an event loop which may
|
||||
|
Reference in New Issue
Block a user