Regression: login=PASS send no credentials when none available.

login=PASS should act like PASSTHRU, sending no credentials header, when
no client supplied OR external ACL credentials are available.
3.2 has been found wrongly adding the username "PASS" in this case.

diff --git a/src/http.cc b/src/http.cc
index 85eeb4ef5b52f9a7079d9c015f1b134c7c6d78d0..a959dc16465fb2c097d17f2786e621c5ab2389f3 100644 (file)
--- a/src/http.cc
+++ b/src/http.cc
@@ -1576,6 +1576,9 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
                           old_base64_encode(loginbuf));
         return;
     }
+    // if no external user credentials are available to fake authentication with PASS acts like PASSTHRU
+    if (strcmp(request->peer_login, "PASS") == 0)
+        continue;
 
     /* Kerberos login to peer */
 #if HAVE_AUTH_MODULE_NEGOTIATE && HAVE_KRB5 && HAVE_GSSAPI