From efd0422ed9bc5c9bb8d7b04b5662f292f2c97ef3 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Tue, 28 Aug 2012 21:36:29 -0600
Subject: [PATCH] Regression: login=PASS send no credentials when none available.

login=PASS should act like PASSTHRU, sending no credentials header, when no client supplied OR external ACL credentials are available. 3.2 has been found wrongly adding the username "PASS" in this case.
---
 src/http.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/http.cc b/src/http.cc
index 85eeb4ef5b..a959dc1646 100644
--- a/src/http.cc
+++ b/src/http.cc
@@ -1576,6 +1576,9 @@ httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHe
 old_base64_encode(loginbuf));
 return;
 }
+ // if no external user credentials are available to fake authentication with PASS acts like PASSTHRU
+ if (strcmp(request->peer_login, "PASS") == 0)
+ continue;
 /* Kerberos login to peer */
 #if HAVE_AUTH_MODULE_NEGOTIATE && HAVE_KRB5 && HAVE_GSSAPI
-- 
2.47.2
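Review bot: The added `continue;` under `if (strcmp(request->peer_login, "PASS") == 0)` is only valid inside a loop, and nothing visible in the hunk suggests one: the hunk header places these lines in httpFixupAuthentication and the block directly above leaves with `return;`. If there is no enclosing loop the file will not compile, and the exit that matches the stated intent (send no credentials header, like PASSTHRU) would be `return;`. The function's body begins and ends outside the hunk, so this needs checking against the full file. Because the regression sent a bogus "PASS" username to the peer, a regression test for login=PASS with neither client nor external ACL credentials, asserting that no credentials header is emitted, would be worth adding with this fix.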