ucb/source/ucp/webdav-curl/CurlSession.cxx | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-)
New commits: commit 2bc4d1d22fdbd9d97c66bb53762b4b4bf7b61b47 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Wed Apr 13 16:50:30 2022 +0200 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Wed Apr 13 20:09:18 2022 +0200 ucb: webdav-curl: only allow system credentials for auth once ... and in any case abort authentication after 10 failed attempts. Apparently some PasswordContainer can turn this into an infinite loop. Change-Id: Ib2333b371a770999e8407ce7e1af21512aadb70d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132974 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 7ad84fb9b217..ed0fb60fb2b9 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1221,6 +1221,8 @@ auto CurlProcessor::ProcessRequest( } } bool isRetry(false); + int nAuthRequests(0); + int nAuthRequestsProxy(0); // libcurl does not have an authentication callback so handle auth // related status codes and requesting credentials via this loop @@ -1363,8 +1365,16 @@ auto CurlProcessor::ProcessRequest( case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: { - if (pEnv && pEnv->m_xAuthListener) + auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? nAuthRequests + : nAuthRequestsProxy); + if (rnAuthRequests == 10) { + SAL_INFO("ucb.ucp.webdav.curl", "aborting authentication after " + << rnAuthRequests << " attempts"); + } + else if (pEnv && pEnv->m_xAuthListener) + { + ++rnAuthRequests; ::std::optional<OUString> const oRealm(ExtractRealm( headers, statusCode == SC_UNAUTHORIZED ? "WWW-Authenticate" : "Proxy-Authenticate")); 
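Review bot: The cap in `if (rnAuthRequests == 10)` is a bare literal tested with `==`, which is only correct while the single `++rnAuthRequests` below remains the counter's sole writer. A named constant and `>=` would keep the bound robust to later edits, e.g. `constexpr int nMaxAuthRequests = 10;` with `if (rnAuthRequests >= nMaxAuthRequests)`. The abort is logged with `SAL_INFO`, which is easy to miss; since reaching this branch means credentials were rejected repeatedly, `SAL_WARN("ucb.ucp.webdav.curl", ...)` looks like the better level. The counters are locals of ProcessRequest, so the limit applies per request, and ten rejected logins per request may still be enough to trip a server-side lockout policy; a short comment beside the constant explaining why 10 was chosen would help. What happens after the abort branch is outside the hunk.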
@@ -1381,7 +1391,13 @@ auto CurlProcessor::ProcessRequest( &authAvail); assert(rc == CURLE_OK); (void)rc; - bool const isSystemCredSupported((authAvail & authSystem) != 0); + // only allow SystemCredentials once - the + // PasswordContainer may have stored it in the + // Config (TrySystemCredentialsFirst or + // AuthenticateUsingSystemCredentials) and then it + // will always force its use no matter how hopeless + bool const isSystemCredSupported((authAvail & authSystem) != 0 + && rnAuthRequests == 0); // Ask user via XInteractionHandler. // Warning: This likely runs an event loop which may
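Review bot: `rnAuthRequests == 0` looks like it can never be true here, because the previous hunk places `++rnAuthRequests;` at the top of the `else if (pEnv && pEnv->m_xAuthListener)` block. The lines between the two hunks are not shown, but the new-side line numbers suggest this declaration sits in that same block, so the counter is already at least 1 when it is tested. If so, isSystemCredSupported is always false and system credentials are never offered, rather than offered once as the comment intends. Moving the increment to directly after this declaration, i.e. `bool const isSystemCredSupported((authAvail & authSystem) != 0 && rnAuthRequests == 0);` followed by `++rnAuthRequests;`, keeps both the "once" semantics and the 10-attempt cap. ProcessRequest continues past the end of the hunk.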