ucb: webdav-curl: only allow system credentials for auth once

... and in any case abort authentication after 10 failed attempts. Apparently some PasswordContainer can turn this into an infinite loop. Change-Id: Ib2333b371a770999e8407ce7e1af21512aadb70d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132974 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
2022-04-13 16:50:30 +02:00
parent 1aced94715
commit 2bc4d1d22f
1 changed files with 18 additions and 2 deletions
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1221,6 +1221,8 @@ auto CurlProcessor::ProcessRequest(
        }
    }
    bool isRetry(false);
+    int nAuthRequests(0);
+    int nAuthRequestsProxy(0);

    // libcurl does not have an authentication callback so handle auth
    // related status codes and requesting credentials via this loop
@@ -1363,8 +1365,16 @@ auto CurlProcessor::ProcessRequest(
                    case SC_UNAUTHORIZED:
                    case SC_PROXY_AUTHENTICATION_REQUIRED:
                    {
-                        if (pEnv && pEnv->m_xAuthListener)
+                        auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? nAuthRequests
+                                                                           : nAuthRequestsProxy);
+                        if (rnAuthRequests == 10)
                        {
+                            SAL_INFO("ucb.ucp.webdav.curl", "aborting authentication after "
+                                                                << rnAuthRequests << " attempts");
+                        }
+                        else if (pEnv && pEnv->m_xAuthListener)
+                        {
+                            ++rnAuthRequests;
                            ::std::optional<OUString> const oRealm(ExtractRealm(
                                headers, statusCode == SC_UNAUTHORIZED ? "WWW-Authenticate"
                                                                       : "Proxy-Authenticate"));
@@ -1381,7 +1391,13 @@ auto CurlProcessor::ProcessRequest(
                                                              &authAvail);
                            assert(rc == CURLE_OK);
                            (void)rc;
-                            bool const isSystemCredSupported((authAvail & authSystem) != 0);
+                            // only allow SystemCredentials once - the
+                            // PasswordContainer may have stored it in the
+                            // Config (TrySystemCredentialsFirst or
+                            // AuthenticateUsingSystemCredentials) and then it
+                            // will always force its use no matter how hopeless
+                            bool const isSystemCredSupported((authAvail & authSystem) != 0
+                                                             && rnAuthRequests == 0);

                            // Ask user via XInteractionHandler.
                            // Warning: This likely runs an event loop which may