ucb/source/ucp/webdav-curl/CurlSession.cxx | 50 +++++++++++++++++++++++------
1 file changed, 41 insertions(+), 9 deletions(-)
New commits:
commit 3d56fb36c47f5cfdf646e26d241b2bd7f1d68884
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Thu Mar 14 14:55:48 2024 +0100
Commit: Michael Stahl <michael.st...@allotropia.de>
CommitDate: Thu Mar 14 17:40:50 2024 +0100
ucb: webdav-curl: improve fallback authentication
The bundled curl on Linux doesn't support Negotiate, and a system curl
may not support NTLM either.
If setting the auth method fails with CURLE_NOT_BUILT_IN, abort.
Change-Id: I7b7f7afd1ebedd665d9475fd40cac0e0641062a6
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164837
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 9cd1745326b6..420e1123d589 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1338,9 +1338,14 @@ auto CurlProcessor::ProcessRequest(
throw DAVException(DAVException::DAV_INVALID_ARG);
}
rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH,
oAuth->AuthMask);
- assert(
- rc
- == CURLE_OK); // it shouldn't be possible to reduce auth to 0
via the authSystem masks
+ if (rc != CURLE_OK)
+ { // NEGOTIATE typically disabled on Linux, NTLM is optional too
+ assert(rc == CURLE_NOT_BUILT_IN);
+ SAL_INFO("ucb.ucp.webdav.curl", "no auth method available");
+ throw DAVException(
+ DAVException::DAV_HTTP_NOAUTH,
+ ConnectionEndPointString(rSession.m_URI.GetHost(),
rSession.m_URI.GetPort()));
+ }
}
if (oAuthProxy && !rSession.m_isAuthenticatedProxy)
@@ -1366,9 +1371,14 @@ auto CurlProcessor::ProcessRequest(
throw DAVException(DAVException::DAV_INVALID_ARG);
}
rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_PROXYAUTH,
oAuthProxy->AuthMask);
- assert(
- rc
- == CURLE_OK); // it shouldn't be possible to reduce auth to 0
via the authSystem masks
+ if (rc != CURLE_OK)
+ { // NEGOTIATE typically disabled on Linux, NTLM is optional too
+ assert(rc == CURLE_NOT_BUILT_IN);
+ SAL_INFO("ucb.ucp.webdav.curl", "no auth method available");
+ throw DAVException(
+ DAVException::DAV_HTTP_NOAUTH,
+ ConnectionEndPointString(rSession.m_URI.GetHost(),
rSession.m_URI.GetPort()));
+ }
}
ResponseHeaders headers(rSession.m_pCurl.get());
@@ -1503,20 +1513,42 @@ auto CurlProcessor::ProcessRequest(
OUString userName(roAuth ? roAuth->UserName :
OUString());
OUString passWord(roAuth ? roAuth->PassWord :
OUString());
long authAvail(0);
- auto const rc
+ auto rc
= curl_easy_getinfo(rSession.m_pCurl.get(),
statusCode !=
SC_PROXY_AUTHENTICATION_REQUIRED
?
CURLINFO_HTTPAUTH_AVAIL
:
CURLINFO_PROXYAUTH_AVAIL,
&authAvail);
assert(rc == CURLE_OK);
- (void)rc;
if (statusCode == SC_FORBIDDEN)
{ // SharePoint fallback: try Negotiate auth
assert(authAvail == 0);
// note: this must be a single value!
// would need 2 iterations to try
CURLAUTH_NTLM too
- authAvail = CURLAUTH_NEGOTIATE;
+ rc = curl_easy_setopt(rSession.m_pCurl.get(),
CURLOPT_HTTPAUTH,
+ CURLAUTH_NEGOTIATE);
+ if (rc == CURLE_OK)
+ {
+ authAvail = CURLAUTH_NEGOTIATE;
+ }
+ else
+ {
+ rc =
curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_HTTPAUTH,
+ CURLAUTH_NTLM);
+ if (rc == CURLE_OK)
+ {
+ authAvail = CURLAUTH_NTLM;
+ }
+ else
+ { // can't work
+ SAL_INFO("ucb.ucp.webdav.curl",
+ "no SP fallback auth method
available");
+ throw DAVException(
+ DAVException::DAV_HTTP_NOAUTH,
+
ConnectionEndPointString(rSession.m_URI.GetHost(),
+
rSession.m_URI.GetPort()));
+ }
+ }
}
// only allow SystemCredentials once - the
// PasswordContainer may have stored it in the
