From d98aa6397dce8c3ad27cee7faaeb3048c5933b75 Mon Sep 17 00:00:00 2001
From: Michael Stahl <michael.stahl@allotropia.de>
Date: Wed, 13 Apr 2022 16:50:30 +0200
Subject: ucb: webdav-curl: only allow system credentials for auth once

... and in any case abort authentication after 10 failed attempts.

Apparently some PasswordContainer can turn this into an infinite loop.

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132974
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 2bc4d1d22fdbd9d97c66bb53762b4b4bf7b61b47)

ucb: webdav-curl: oops, increment after checking
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132982
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
Tested-by: Jenkins
(cherry picked from commit ab65a74998b498ff49c15db87fc14a9afa89d8bf)

Change-Id: Ib2333b371a770999e8407ce7e1af21512aadb70d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132867
Tested-by: Jenkins
Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
(cherry picked from commit 6b54e6a8e64233de63b826211b81a8ed6767483f)
---
 ucb/source/ucp/webdav-curl/CurlSession.cxx | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index bddefa1ad117..dbc2e45cd3eb 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1222,6 +1222,8 @@ auto CurlProcessor::ProcessRequest(
         }
     }
     bool isRetry(false);
+    int nAuthRequests(0);
+    int nAuthRequestsProxy(0);
 
     // libcurl does not have an authentication callback so handle auth
     // related status codes and requesting credentials via this loop
@@ -1364,7 +1366,14 @@ auto CurlProcessor::ProcessRequest(
                     case SC_UNAUTHORIZED:
                     case SC_PROXY_AUTHENTICATION_REQUIRED:
                     {
-                        if (pEnv && pEnv->m_xAuthListener)
+                        auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? nAuthRequests
+                                                                           : nAuthRequestsProxy);
+                        if (rnAuthRequests == 10)
+                        {
+                            SAL_INFO("ucb.ucp.webdav.curl", "aborting authentication after "
+                                                                << rnAuthRequests << " attempts");
+                        }
+                        else if (pEnv && pEnv->m_xAuthListener)
                         {
                             ::std::optional<OUString> const oRealm(ExtractRealm(
                                 headers, statusCode == SC_UNAUTHORIZED ? "WWW-Authenticate"
@@ -1382,7 +1391,14 @@ auto CurlProcessor::ProcessRequest(
                                                               &authAvail);
                             assert(rc == CURLE_OK);
                             (void)rc;
-                            bool const isSystemCredSupported((authAvail & authSystem) != 0);
+                            // only allow SystemCredentials once - the
+                            // PasswordContainer may have stored it in the
+                            // Config (TrySystemCredentialsFirst or
+                            // AuthenticateUsingSystemCredentials) and then it
+                            // will always force its use no matter how hopeless
+                            bool const isSystemCredSupported((authAvail & authSystem) != 0
+                                                             && rnAuthRequests == 0);
+                            ++rnAuthRequests;
 
                             // Ask user via XInteractionHandler.
                             // Warning: This likely runs an event loop which may
-- 
cgit