diff options
author | Michael Stahl <michael.stahl@allotropia.de> | 2024-03-14 14:55:48 +0100 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2024-03-14 17:41:50 +0100 |
commit | 602175e05f29921649f467df3f5e81a5a399737b (patch) | |
tree | 1d2d533977bc940f20ba35c555e21b38d55f0a51 | |
parent | 517df06183508742ae1f3640b28af65fc0069b79 (diff) |
ucb: webdav-curl: improve fallback authentication
The bundled curl on Linux doesn't support Negotiate, and a system curl
may not support NTLM either.
If setting the auth method fails with CURLE_NOT_BUILT_IN, abort.
Change-Id: I7b7f7afd1ebedd665d9475fd40cac0e0641062a6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164837
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 3d56fb36c47f5cfdf646e26d241b2bd7f1d68884)
-rw-r--r-- | ucb/source/ucp/webdav-curl/CurlSession.cxx | 50 |
1 files changed, 41 insertions, 9 deletions
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 4bae872b1757..7fb981838e3e 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1324,9 +1324,14 @@ auto CurlProcessor::ProcessRequest( throw DAVException(DAVException::DAV_INVALID_ARG); } rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH, oAuth->AuthMask); - assert( - rc - == CURLE_OK); // it shouldn't be possible to reduce auth to 0 via the authSystem masks + if (rc != CURLE_OK) + { // NEGOTIATE typically disabled on Linux, NTLM is optional too + assert(rc == CURLE_NOT_BUILT_IN); + SAL_INFO("ucb.ucp.webdav.curl", "no auth method available"); + throw DAVException( + DAVException::DAV_HTTP_NOAUTH, + ConnectionEndPointString(rSession.m_URI.GetHost(), rSession.m_URI.GetPort())); + } } if (oAuthProxy && !rSession.m_isAuthenticatedProxy) @@ -1352,9 +1357,14 @@ auto CurlProcessor::ProcessRequest( throw DAVException(DAVException::DAV_INVALID_ARG); } rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_PROXYAUTH, oAuthProxy->AuthMask); - assert( - rc - == CURLE_OK); // it shouldn't be possible to reduce auth to 0 via the authSystem masks + if (rc != CURLE_OK) + { // NEGOTIATE typically disabled on Linux, NTLM is optional too + assert(rc == CURLE_NOT_BUILT_IN); + SAL_INFO("ucb.ucp.webdav.curl", "no auth method available"); + throw DAVException( + DAVException::DAV_HTTP_NOAUTH, + ConnectionEndPointString(rSession.m_URI.GetHost(), rSession.m_URI.GetPort())); + } } ResponseHeaders headers(rSession.m_pCurl.get()); @@ -1504,20 +1514,42 @@ auto CurlProcessor::ProcessRequest( OUString userName(roAuth ? roAuth->UserName : OUString()); OUString passWord(roAuth ? roAuth->PassWord : OUString()); long authAvail(0); - auto const rc + auto rc = curl_easy_getinfo(rSession.m_pCurl.get(), statusCode != SC_PROXY_AUTHENTICATION_REQUIRED ? CURLINFO_HTTPAUTH_AVAIL : CURLINFO_PROXYAUTH_AVAIL, &authAvail); assert(rc == CURLE_OK); - (void)rc; if (statusCode == SC_FORBIDDEN) { // SharePoint hack: try NTLM auth assert(authAvail == 0); // note: this must be a single value! // would need 2 iterations to try CURLAUTH_NTLM too - authAvail = CURLAUTH_NEGOTIATE; + rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH, + CURLAUTH_NEGOTIATE); + if (rc == CURLE_OK) + { + authAvail = CURLAUTH_NEGOTIATE; + } + else + { + rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH, + CURLAUTH_NTLM); + if (rc == CURLE_OK) + { + authAvail = CURLAUTH_NTLM; + } + else + { // can't work + SAL_INFO("ucb.ucp.webdav.curl", + "no SP fallback auth method available"); + throw DAVException( + DAVException::DAV_HTTP_NOAUTH, + ConnectionEndPointString(rSession.m_URI.GetHost(), + rSession.m_URI.GetPort())); + } + } } // only allow SystemCredentials once - the // PasswordContainer may have stored it in the |