From: Jaroslav Kysela
Date: Tue, 20 Mar 2018 11:43:27 +0000 (+0100)
Subject: http server: return 401 error when authentication method is valid, but not allowed
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6017f4f98bf9ab9f3b51d5ffb5c9c43854239c05;p=thirdparty%2Ftvheadend.git

http server: return 401 error when authentication method is valid, but not allowed
---

diff --git a/src/http.c b/src/http.c
index a9cbbb02e..1c1ba0b42 100644
--- a/src/http.c
+++ b/src/http.c
@@ -1414,39 +1414,47 @@ process_request(http_connection_t *hc, htsbuf_queue_t *spill)
   /* Extract authorization */
   if((v = http_arg_get(&hc->hc_args, "Authorization")) != NULL) {
     if((n = http_tokenize(v, argv, 2, -1)) == 2) {
-      if ((config.http_auth == HTTP_AUTH_PLAIN ||
-           config.http_auth == HTTP_AUTH_PLAIN_DIGEST) &&
-          strcasecmp(argv[0], "basic") == 0) {
-        n = base64_decode((uint8_t *)authbuf, argv[1], sizeof(authbuf) - 1);
-        if (n < 0)
-          n = 0;
-        authbuf[n] = 0;
-        if((n = http_tokenize(authbuf, argv, 2, ':')) == 2) {
-          hc->hc_username = tvh_strdupa(argv[0]);
-          hc->hc_password = tvh_strdupa(argv[1]);
-          http_deescape(hc->hc_username);
-          http_deescape(hc->hc_password);
-          // No way to actually track this
+      if (strcasecmp(argv[0], "basic") == 0) {
+        if (config.http_auth == HTTP_AUTH_PLAIN ||
+            config.http_auth == HTTP_AUTH_PLAIN_DIGEST) {
+          n = base64_decode((uint8_t *)authbuf, argv[1], sizeof(authbuf) - 1);
+          if (n < 0)
+            n = 0;
+          authbuf[n] = 0;
+          if((n = http_tokenize(authbuf, argv, 2, ':')) == 2) {
+            hc->hc_username = tvh_strdupa(argv[0]);
+            hc->hc_password = tvh_strdupa(argv[1]);
+            http_deescape(hc->hc_username);
+            http_deescape(hc->hc_password);
+            // No way to actually track this
+          } else {
+            http_error(hc, HTTP_STATUS_UNAUTHORIZED);
+            return -1;
+          }
         } else {
           http_error(hc, HTTP_STATUS_UNAUTHORIZED);
           return -1;
         }
-      } else if ((config.http_auth == HTTP_AUTH_DIGEST ||
-                  config.http_auth == HTTP_AUTH_PLAIN_DIGEST) &&
-                 strcasecmp(argv[0], "digest") == 0) {
-        v = http_get_header_value(argv[1], "nonce");
-        if (v == NULL || !http_nonce_exists(v)) {
+      } else if (strcasecmp(argv[0], "digest") == 0) {
+        if (config.http_auth == HTTP_AUTH_DIGEST ||
+            config.http_auth == HTTP_AUTH_PLAIN_DIGEST) {
+          v = http_get_header_value(argv[1], "nonce");
+          if (v == NULL || !http_nonce_exists(v)) {
+            free(v);
+            http_error(hc, HTTP_STATUS_UNAUTHORIZED);
+            return -1;
+          }
+          free(hc->hc_nonce);
+          hc->hc_nonce = v;
+          v = http_get_header_value(argv[1], "username");
+          hc->hc_authhdr = tvh_strdupa(argv[1]);
+          hc->hc_username = tvh_strdupa(v);
+          http_deescape(hc->hc_username);
           free(v);
+        } else {
           http_error(hc, HTTP_STATUS_UNAUTHORIZED);
           return -1;
         }
-        free(hc->hc_nonce);
-        hc->hc_nonce = v;
-        v = http_get_header_value(argv[1], "username");
-        hc->hc_authhdr = tvh_strdupa(argv[1]);
-        hc->hc_username = tvh_strdupa(v);
-        http_deescape(hc->hc_username);
-        free(v);
       } else {
         http_error(hc, HTTP_STATUS_BAD_REQUEST);
         return -1;
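Review bot: In the digest branch the `username` lookup result is used unchecked: `v = http_get_header_value(argv[1], "username");` is followed directly by `hc->hc_username = tvh_strdupa(v);`, so a Digest header with no username parameter hands a NULL pointer to tvh_strdupa, while the nonce lookup two lines earlier is NULL-checked; if tvh_strdupa behaves like strdupa (its definition is not visible here) that is a NULL dereference reachable by an unauthenticated client. The commit only restructures the method-versus-config checks and keeps this gap. I would reject the header the same way the nonce path does, between the lookup and the copy: `if (v == NULL) { http_error(hc, HTTP_STATUS_UNAUTHORIZED); return -1; }` — hc_nonce has already taken ownership of the nonce string at that point, so nothing else needs releasing there (assuming hc_nonce is freed with the connection). As a point of style, the four identical `http_error(hc, HTTP_STATUS_UNAUTHORIZED); return -1;` blocks could collapse into one "is this method enabled by config.http_auth" test per method. process_request starts and ends outside the hunk.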