author | Michael Stahl <michael.stahl@allotropia.de> | 2024-03-14 14:55:48 +0100 |
---|---|---|
committer | Michael Stahl <michael.stahl@allotropia.de> | 2024-03-14 17:40:50 +0100 |
commit | 3d56fb36c47f5cfdf646e26d241b2bd7f1d68884 (patch) | |
tree | b2d381d1ae0aa6f790ab4204c92c31bfad29a62b /ucb | |
parent | 2887ffbf240aa70330cb50bf810170cf9c896405 (diff) |
ucb: webdav-curl: improve fallback authentication
The bundled curl on Linux doesn't support Negotiate, and a system curl
may not support NTLM either.
If setting the auth method fails with CURLE_NOT_BUILT_IN, abort.
Change-Id: I7b7f7afd1ebedd665d9475fd40cac0e0641062a6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164837
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Diffstat (limited to 'ucb')
-rw-r--r-- | ucb/source/ucp/webdav-curl/CurlSession.cxx | 50 |
1 files changed, 41 insertions, 9 deletions
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 9cd1745326b6..420e1123d589 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1338,9 +1338,14 @@ auto CurlProcessor::ProcessRequest(
 throw DAVException(DAVException::DAV_INVALID_ARG);
 }
 rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH, oAuth->AuthMask);
- assert(
- rc
- == CURLE_OK); // it shouldn't be possible to reduce auth to 0 via the authSystem masks
+ if (rc != CURLE_OK)
+ { // NEGOTIATE typically disabled on Linux, NTLM is optional too
+ assert(rc == CURLE_NOT_BUILT_IN);
+ SAL_INFO("ucb.ucp.webdav.curl", "no auth method available");
+ throw DAVException(
+ DAVException::DAV_HTTP_NOAUTH,
+ ConnectionEndPointString(rSession.m_URI.GetHost(), rSession.m_URI.GetPort()));
+ }
 }
 if (oAuthProxy && !rSession.m_isAuthenticatedProxy)
@@ -1366,9 +1371,14 @@ auto CurlProcessor::ProcessRequest(
 throw DAVException(DAVException::DAV_INVALID_ARG);
 }
 rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_PROXYAUTH, oAuthProxy->AuthMask);
- assert(
- rc
- == CURLE_OK); // it shouldn't be possible to reduce auth to 0 via the authSystem masks
+ if (rc != CURLE_OK)
+ { // NEGOTIATE typically disabled on Linux, NTLM is optional too
+ assert(rc == CURLE_NOT_BUILT_IN);
+ SAL_INFO("ucb.ucp.webdav.curl", "no auth method available");
+ throw DAVException(
+ DAVException::DAV_HTTP_NOAUTH,
+ ConnectionEndPointString(rSession.m_URI.GetHost(), rSession.m_URI.GetPort()));
+ }
 }
 ResponseHeaders headers(rSession.m_pCurl.get());
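Review bot: The `assert(rc == CURLE_NOT_BUILT_IN);` inside the new `if (rc != CURLE_OK)` block disappears when NDEBUG is defined, so in such builds any other curl_easy_setopt failure is also reported as DAV_HTTP_NOAUTH, and the log line `"no auth method available"` never records which code came back. Putting the code into the message keeps a genuinely missing auth scheme distinguishable from an unexpected failure, e.g. `SAL_INFO("ucb.ucp.webdav.curl", "no auth method available: " << curl_easy_strerror(rc));`. The same applies to the CURLOPT_PROXYAUTH block in the next hunk. The body of ProcessRequest starts and ends outside the hunk.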
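Review bot: The proxy branch throws DAV_HTTP_NOAUTH with `ConnectionEndPointString(rSession.m_URI.GetHost(), rSession.m_URI.GetPort())`, which is the origin server's endpoint, although the option that failed is CURLOPT_PROXYAUTH. Whoever reads the error or the log is then pointed at the wrong host when only the proxy's schemes are unavailable in the curl build. If the session holds the proxy's host and port (not visible in this hunk), pass those instead, and make the log text distinct from the server case, e.g. `"no proxy auth method available"`.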
@@ -1503,20 +1513,42 @@ auto CurlProcessor::ProcessRequest(
 OUString userName(roAuth ? roAuth->UserName : OUString());
 OUString passWord(roAuth ? roAuth->PassWord : OUString());
 long authAvail(0);
- auto const rc
+ auto rc
 = curl_easy_getinfo(rSession.m_pCurl.get(), statusCode != SC_PROXY_AUTHENTICATION_REQUIRED ? CURLINFO_HTTPAUTH_AVAIL : CURLINFO_PROXYAUTH_AVAIL, &authAvail);
 assert(rc == CURLE_OK);
- (void)rc;
 if (statusCode == SC_FORBIDDEN)
 { // SharePoint fallback: try Negotiate auth
 assert(authAvail == 0); // note: this must be a single value!
 // would need 2 iterations to try CURLAUTH_NTLM too
- authAvail = CURLAUTH_NEGOTIATE;
+ rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH,
+ CURLAUTH_NEGOTIATE);
+ if (rc == CURLE_OK)
+ {
+ authAvail = CURLAUTH_NEGOTIATE;
+ }
+ else
+ {
+ rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH,
+ CURLAUTH_NTLM);
+ if (rc == CURLE_OK)
+ {
+ authAvail = CURLAUTH_NTLM;
+ }
+ else
+ { // can't work
+ SAL_INFO("ucb.ucp.webdav.curl",
+ "no SP fallback auth method available");
+ throw DAVException(
+ DAVException::DAV_HTTP_NOAUTH,
+ ConnectionEndPointString(rSession.m_URI.GetHost(),
+ rSession.m_URI.GetPort()));
+ }
+ }
 }
 // only allow SystemCredentials once - the
 // PasswordContainer may have stored it in the |
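Review bot: The new `else` branch makes NTLM the fallback on a 403 whenever Negotiate is not built in, even though the server advertised no scheme at all (`authAvail == 0` is asserted just above). NTLM is the weaker of the two schemes, and the handshake is then offered to whichever host answered 403. I would record that decision at the branch with a comment such as `// Negotiate not built in: offer NTLM unsolicited, server advertised no auth scheme`, and consider restricting the fallback to https URIs; whether such a check already exists is not visible in this hunk. The context comment `// would need 2 iterations to try CURLAUTH_NTLM too` is now only half true and should say that NTLM is tried only when Negotiate is unavailable in the curl build. The enclosing block starts and ends outside the hunk.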