From: Michael R Sweet Date: Wed, 27 Aug 2025 15:29:29 +0000 (-0400) Subject: Block authentication using alternate method. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f70033725aa5b8933f688b443ec032e274a9699;p=thirdparty%2Fcups.git Block authentication using alternate method. --- diff --git a/scheduler/auth.c b/scheduler/auth.c index a3ca5ef6b0..3f537f7693 100644 --- a/scheduler/auth.c +++ b/scheduler/auth.c @@ -576,6 +576,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ int userlen; /* Username:password length */ + /* + * Only allow Basic if enabled... + */ + + if (type != CUPSD_AUTH_BASIC) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled."); + return; + } + authorization += 5; while (isspace(*authorization & 255)) authorization ++; @@ -621,7 +631,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ * Validate the username and password... */ - if (type == CUPSD_AUTH_BASIC) { #if HAVE_LIBPAM /* @@ -715,6 +724,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ *name, // Real name *email; // Email address + /* + * Only allow OAuth if enabled... + */ + + if (type != CUPSD_AUTH_BEARER) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "OAuth authentication is not enabled."); + return; + } + // Skip whitespace after "Bearer"... authorization += 7; while (isspace(*authorization & 255)) @@ -768,6 +787,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */ /* Output token for username */ gss_name_t client_name; /* Client name */ + /* + * Only allow Kerberos if enabled... + */ + + if (type != CUPSD_AUTH_NEGOTIATE) + { + cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled."); + return; + } + # ifdef __APPLE__DISABLED // Remove DISABLED if ever this code is used for macOS installer /* * If the weak-linked GSSAPI/Kerberos library is not present, don't try