login=PASS should act like PASSTHRU, sending no credentials header, when
neither client-supplied nor external ACL credentials are available.
3.2 has been found wrongly adding the username "PASS" in this case.
old_base64_encode(loginbuf));
return;
}
+ // if no external user credentials are available to fake authentication with PASS acts like PASSTHRU
+ if (strcmp(request->peer_login, "PASS") == 0)
+ continue;
/* Kerberos login to peer */
#if HAVE_AUTH_MODULE_NEGOTIATE && HAVE_KRB5 && HAVE_GSSAPI
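Review bot: The added branch exits with `continue;`, while the credentials branch directly above it exits with `return;`, and no loop is visible in the hunk. If this code is not inside a loop, `continue;` will not compile. If it is inside one, control moves to the next iteration instead of leaving the function with no credentials header set, which is the behaviour the description asks for. I would change the added lines to `if (strcmp(request->peer_login, "PASS") == 0)` followed by `return;`, matching the sibling branch. The enclosing function starts and ends outside the hunk, so please confirm against the full body that nothing after this point still writes an authentication header for the peer.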