On Friday 13 June 2008 15:42, Peter Korsgaard wrote:
> >> #if ENABLE_FEATURE_HTTPD_BASIC_AUTH
> >> - /* Case: no "Authorization:" was seen, but page does require passwd.
> >> - * Check that with dummy user:pass */
> >> - if ((authorized < 0) && check_user_passwd(urlcopy, ":") == 0) {
> >> + /* invalid user:pass or no "Authorization:" was seen, but page
> >> + * does require passwd. Check that with dummy user:pass */
> >> + if ((authorized <= 0) && check_user_passwd(urlcopy, ":") == 0) {
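Review bot: widening the condition from `authorized < 0` to `authorized <= 0` folds two distinct states into the dummy-credential check: authorized == 0 (an "Authorization:" header was seen but the user:pass was wrong) now also reaches check_user_passwd(urlcopy, ":"), and when that dummy pair matches the page's rule the client that sent wrong credentials is granted the page. Handle authorized == 0 separately, sending the 401 without consulting ":" at all, and keep the dummy check only for the no-header case, i.e. leave the test as `if ((authorized < 0) && check_user_passwd(urlcopy, ":") == 0)` and reject the "invalid user:pass" case named in the new comment before it.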
>
> Denys> My point is that "authorized <= 0" is true if there was no
> Denys> "Authorization:" AND if it was seen, checked, and found to
> Denys> contain wrong user/passwd.
>
> Denys> But those are different situations! In second case, we should
> Denys> not check dummy credentials ":", we already know that user
> Denys> shall not get the page.
>
> True, it's more efficient to not do the double check.
It's not an efficiency question. check_user_passwd(urlcopy, ":")
might SUCCEED, and thus user who supplied wrong user:password
pair will be granted access.
--
vda
_______________________________________________
busybox mailing list
[email protected]
http://busybox.net/cgi-bin/mailman/listinfo/busybox
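The failure Denys describes, written out as an added example that is not busybox's code and not from the thread. It models the three-state `authorized` flag (-1 no header, 0 header seen but rejected, 1 accepted) and the return convention the quoted condition implies for check_user_passwd (0 only when the page needs a password and the pair did not match). The rule table, the "/public" rule that accepts the empty ":" pair, and the function names classify_auth, decide_merged_states and decide_separate_states are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model, not busybox httpd's code. Each rule names a path
 * prefix that requires a password and the one user:pass that unlocks it.
 * The "/public" rule with the empty ":" pair stands in for a configuration
 * in which check_user_passwd(urlcopy, ":") succeeds (assumed for the demo).
 */
struct auth_rule {
    const char *path;      /* path prefix the rule protects */
    const char *userpass;  /* "user:pass" accepted for that prefix */
};

static const struct auth_rule rules[] = {
    { "/admin",  "root:secret" },
    { "/public", ":" },
};

/*
 * Return convention implied by the quoted condition: 0 means the page
 * requires a password and userpass did not match; anything else means
 * access is allowed (no rule covers the path, or userpass matched).
 */
static int check_user_passwd(const char *path, const char *userpass)
{
    int needs_passwd = 0;
    size_t i;
    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        size_t n = strlen(rules[i].path);
        if (strncmp(path, rules[i].path, n) == 0) {
            needs_passwd = 1;
            if (strcmp(userpass, rules[i].userpass) == 0)
                return 1;
        }
    }
    return needs_passwd ? 0 : 1;
}

/*
 * Three-state flag from the thread: -1 = no "Authorization:" header,
 * 0 = header seen but user:pass rejected, 1 = accepted.
 * header_userpass is NULL when the client sent no header.
 */
static int classify_auth(const char *path, const char *header_userpass)
{
    if (header_userpass == NULL)
        return -1;
    return check_user_passwd(path, header_userpass) ? 1 : 0;
}

/* The "authorized <= 0" form: state 0 falls through to the ":" check. */
static int decide_merged_states(const char *path, int authorized)
{
    if ((authorized <= 0) && check_user_passwd(path, ":") == 0)
        return 401;
    return 200;
}

/* Wrong credentials are rejected before the dummy ":" pair is consulted. */
static int decide_separate_states(const char *path, int authorized)
{
    if (authorized == 0)
        return 401;
    if ((authorized < 0) && check_user_passwd(path, ":") == 0)
        return 401;
    return 200;
}

int main(void)
{
    const char *path = "/public";
    int a = classify_auth(path, "bob:wrong");   /* header seen, rejected */
    printf("authorized=%d merged=%d separate=%d\n",
           a, decide_merged_states(path, a), decide_separate_states(path, a));
    return 0;
}
```

Running it shows the merged form returning 200 for "/public" with the wrong pair "bob:wrong", because the retry with ":" matches the rule, while the separate-state form returns 401; for a path with no header, or for "/admin", both forms agree.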