ucb/source/ucp/webdav-curl/CurlSession.cxx | 50 +++++++++++++++++++++++------ 1 file changed, 41 insertions(+), 9 deletions(-)
New commits: commit 3d56fb36c47f5cfdf646e26d241b2bd7f1d68884 Author: Michael Stahl <michael.st...@allotropia.de> AuthorDate: Thu Mar 14 14:55:48 2024 +0100 Commit: Michael Stahl <michael.st...@allotropia.de> CommitDate: Thu Mar 14 17:40:50 2024 +0100 ucb: webdav-curl: improve fallback authentication The bundled curl on Linux doesn't support Negotiate, and a system curl may not support NTLM either. If setting the auth method fails with CURLE_NOT_BUILT_IN, abort. Change-Id: I7b7f7afd1ebedd665d9475fd40cac0e0641062a6 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164837 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.st...@allotropia.de> diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 9cd1745326b6..420e1123d589 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1338,9 +1338,14 @@ auto CurlProcessor::ProcessRequest( throw DAVException(DAVException::DAV_INVALID_ARG); } rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH, oAuth->AuthMask); - assert( - rc - == CURLE_OK); // it shouldn't be possible to reduce auth to 0 via the authSystem masks + if (rc != CURLE_OK) + { // NEGOTIATE typically disabled on Linux, NTLM is optional too + assert(rc == CURLE_NOT_BUILT_IN); + SAL_INFO("ucb.ucp.webdav.curl", "no auth method available"); + throw DAVException( + DAVException::DAV_HTTP_NOAUTH, + ConnectionEndPointString(rSession.m_URI.GetHost(), rSession.m_URI.GetPort())); + } } if (oAuthProxy && !rSession.m_isAuthenticatedProxy) @@ -1366,9 +1371,14 @@ auto CurlProcessor::ProcessRequest( throw DAVException(DAVException::DAV_INVALID_ARG); } rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_PROXYAUTH, oAuthProxy->AuthMask); - assert( - rc - == CURLE_OK); // it shouldn't be possible to reduce auth to 0 via the authSystem masks + if (rc != CURLE_OK) + { // NEGOTIATE typically disabled on Linux, NTLM is optional too + assert(rc == CURLE_NOT_BUILT_IN); + SAL_INFO("ucb.ucp.webdav.curl", "no auth method available"); + throw DAVException( + DAVException::DAV_HTTP_NOAUTH, + ConnectionEndPointString(rSession.m_URI.GetHost(), rSession.m_URI.GetPort())); + } } ResponseHeaders headers(rSession.m_pCurl.get()); @@ -1503,20 +1513,42 @@ auto CurlProcessor::ProcessRequest( OUString userName(roAuth ? roAuth->UserName : OUString()); OUString passWord(roAuth ? roAuth->PassWord : OUString()); long authAvail(0); - auto const rc + auto rc = curl_easy_getinfo(rSession.m_pCurl.get(), statusCode != SC_PROXY_AUTHENTICATION_REQUIRED ? CURLINFO_HTTPAUTH_AVAIL : CURLINFO_PROXYAUTH_AVAIL, &authAvail); assert(rc == CURLE_OK); - (void)rc; if (statusCode == SC_FORBIDDEN) { // SharePoint fallback: try Negotiate auth assert(authAvail == 0); // note: this must be a single value! // would need 2 iterations to try CURLAUTH_NTLM too - authAvail = CURLAUTH_NEGOTIATE; + rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH, + CURLAUTH_NEGOTIATE); + if (rc == CURLE_OK) + { + authAvail = CURLAUTH_NEGOTIATE; + } + else + { + rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH, + CURLAUTH_NTLM); + if (rc == CURLE_OK) + { + authAvail = CURLAUTH_NTLM; + } + else + { // can't work + SAL_INFO("ucb.ucp.webdav.curl", + "no SP fallback auth method available"); + throw DAVException( + DAVException::DAV_HTTP_NOAUTH, + ConnectionEndPointString(rSession.m_URI.GetHost(), + rSession.m_URI.GetPort())); + } + } } // only allow SystemCredentials once - the // PasswordContainer may have stored it in the