core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2024-03-12 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/ImportCookies.cxx |6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

New commits:
commit 84baeb6c2b7690c18d00ee78d34c5cceba3a46ba
Author: Michael Stahl 
AuthorDate: Tue Mar 12 15:10:35 2024 +0100
Commit: Michael Stahl 
CommitDate: Tue Mar 12 15:10:35 2024 +0100

ucb: webdav-curl: add missing return

diff --git a/ucb/source/ucp/webdav-curl/ImportCookies.cxx 
b/ucb/source/ucp/webdav-curl/ImportCookies.cxx
index fa9aa9731b1a..ff5d7389aeac 100644
--- a/ucb/source/ucp/webdav-curl/ImportCookies.cxx
+++ b/ucb/source/ucp/webdav-curl/ImportCookies.cxx
@@ -97,7 +97,11 @@ OString 
TryImportCookies(uno::Reference const& xContext[
 // apparently this may crash, and sqlite3_errstr() isn't exported?
 // SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << 
sqlite3_errmsg(db));
 SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << rc);
-sqlite3_close(db);
+if (db)
+{
+sqlite3_close(db);
+}
+return OString();
 }
 char* err(nullptr);
 Value value;
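Review bot: The `if (db)` guard around `sqlite3_close(db)` in the failure branch is not needed, because SQLite documents `sqlite3_close()` on a null pointer as a harmless no-op; the added `return OString();` is the part that matters. Since this function now has one more early return that must remember to close the handle, holding it in a guard such as `std::unique_ptr<sqlite3, decltype(&sqlite3_close)> const dbGuard(db, &sqlite3_close);` right after the open call would release it on every exit path. TryImportCookies continues outside this hunk, so whether the later returns already close `db` cannot be checked from here.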


core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2024-03-12 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |   19 +--
 1 file changed, 9 insertions(+), 10 deletions(-)

New commits:
commit b0aeac2376ee5d74373e35eace8258a500e7cf00
Author: Michael Stahl 
AuthorDate: Fri Mar 8 11:20:45 2024 +0100
Commit: Michael Stahl 
CommitDate: Tue Mar 12 14:51:32 2024 +0100

ucb: webdav-curl: only set CURLOPT_NOBODY for HEAD

Some testing with Apache httpd+mod_dav reveals that it usually sends a
body with a 401 status, which causes the CURLE_WEIRD_SERVER_REPLY error
code from curl.

So we should either ignore this error in case there's a HTTP status too,
or stop using CURLOPT_NOBODY.

The latter seems to have no downside, except for HEAD requests, where
strangely the server keeps the connection open and curl waits for 5
seconds for no body to arrive, blocking the UI, so continue to use
CURLOPT_NOBODY for HEAD.

The other methods don't seem to block.

It turns out that the SAL_LOG-dependent setting of g_NoBody turned HEAD
into GET anyway if logging is enabled, so explicitly set the method.

Change-Id: Ibe2eef8e7a827d4e356ba37c4b56bee0be3b9c13
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164569
Tested-by: Jenkins
Reviewed-by: Michael Stahl 
(cherry picked from commit e0259d4c0951c4dd77c74d08b9d905728d4c8dfd)

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 645d41502156..4bae872b1757 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1914,7 +1914,9 @@ auto CurlSession::HEAD(OUString const& rURIReference, 
::std::vector co
 
 CurlUri const uri(CurlProcessor::URIReferenceToURI(*this, rURIReference));
 
-::std::vector const options{ g_NoBody };
+::std::vector const options{
+g_NoBody, { CURLOPT_CUSTOMREQUEST, "HEAD", "CURLOPT_CUSTOMREQUEST" }
+};
 
 ::std::pair<::std::vector const&, DAVResource&> const 
headers(rHeaderNames,
 
io_rResource);
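Review bot: `CurlSession::HEAD` still takes its no-body setting from `g_NoBody`, which the commit message describes as SAL_LOG-dependent, so with logging enabled the request may now go out as HEAD via `CURLOPT_CUSTOMREQUEST` while curl still handles the transfer as a GET. libcurl treats a custom method as if its default keyword were in use, so it would wait for a response body that a HEAD reply never carries, which is the UI block the message mentions. If `g_NoBody` really is switched off under logging (its definition is outside this hunk), HEAD should pass an unconditional entry instead, along the lines of `{ CURLOPT_NOBODY, 1L, nullptr }`, assuming the option type accepts a long value. The MKCOL, MoveOrCopy and DESTROY hunks do not have this problem.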
@@ -2147,9 +2149,8 @@ auto CurlSession::MKCOL(OUString const& rURIReference, 
DAVRequestEnvironment con
 
 CurlUri const uri(CurlProcessor::URIReferenceToURI(*this, rURIReference));
 
-::std::vector const options{
-g_NoBody, { CURLOPT_CUSTOMREQUEST, "MKCOL", "CURLOPT_CUSTOMREQUEST" }
-};
+::std::vector const options{ { CURLOPT_CUSTOMREQUEST, "MKCOL",
+   "CURLOPT_CUSTOMREQUEST" } };
 
 CurlProcessor::ProcessRequest(*this, uri, "MKCOL", options, , 
nullptr, nullptr, nullptr,
   nullptr);
@@ -2177,9 +2178,8 @@ auto CurlProcessor::MoveOrCopy(CurlSession& rSession, 
OUString const& rSourceURI
 throw uno::RuntimeException("curl_slist_append failed");
 }
 
-::std::vector const options{
-g_NoBody, { CURLOPT_CUSTOMREQUEST, pMethod, "CURLOPT_CUSTOMREQUEST" }
-};
+::std::vector const options{ { CURLOPT_CUSTOMREQUEST, pMethod,
+   "CURLOPT_CUSTOMREQUEST" } };
 
 CurlProcessor::ProcessRequest(rSession, uriSource, 
OUString::createFromAscii(pMethod), options,
   , ::std::move(pList), nullptr, nullptr, 
nullptr);
@@ -2209,9 +2209,8 @@ auto CurlSession::DESTROY(OUString const& rURIReference, 
DAVRequestEnvironment c
 
 CurlUri const uri(CurlProcessor::URIReferenceToURI(*this, rURIReference));
 
-::std::vector const options{
-g_NoBody, { CURLOPT_CUSTOMREQUEST, "DELETE", "CURLOPT_CUSTOMREQUEST" }
-};
+::std::vector const options{ { CURLOPT_CUSTOMREQUEST, "DELETE",
+   "CURLOPT_CUSTOMREQUEST" } };
 
 CurlProcessor::ProcessRequest(*this, uri, "DESTROY", options, , 
nullptr, nullptr, nullptr,
   nullptr);


core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2024-03-12 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/ImportCookies.cxx |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

New commits:
commit 4c6574abe8cca7d74129c12c486b722c668fdaba
Author: Michael Stahl 
AuthorDate: Tue Mar 12 14:44:00 2024 +0100
Commit: Michael Stahl 
CommitDate: Tue Mar 12 14:44:16 2024 +0100

ucb: webdav-curl: avoid crashing in SAL_INFO

It's not clear why calling sqlite3_errmsg would crash, but avoid it...

Change-Id: If2a375671fd5484d72af1c0f538f424f02149a0a

diff --git a/ucb/source/ucp/webdav-curl/ImportCookies.cxx 
b/ucb/source/ucp/webdav-curl/ImportCookies.cxx
index 4df885e4efc7..fa9aa9731b1a 100644
--- a/ucb/source/ucp/webdav-curl/ImportCookies.cxx
+++ b/ucb/source/ucp/webdav-curl/ImportCookies.cxx
@@ -94,7 +94,9 @@ OString 
TryImportCookies(uno::Reference const& xContext[
 int rc = sqlite3_open_v2(dbUrl.getStr(), , SQLITE_OPEN_READONLY | 
SQLITE_OPEN_URI, nullptr);
 if (rc != SQLITE_OK)
 {
-SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << 
sqlite3_errmsg(db));
+// apparently this may crash, and sqlite3_errstr() isn't exported?
+// SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << 
sqlite3_errmsg(db));
+SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << rc);
 sqlite3_close(db);
 }
 char* err(nullptr);
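Review bot: The failure branch still falls through after `sqlite3_close(db)`, so the code following the closing brace carries on with a handle that has just been closed or was never opened. The branch needs `return OString();` after the close; commit 84baeb6c on this branch adds it. The commented-out `SAL_INFO` call with `sqlite3_errmsg(db)` would be better reduced to a one-line comment saying why the message text is not logged, rather than keeping the dead call in the source.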


core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2024-03-08 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

New commits:
commit dafc3780ffbef9b316839059076f58fe8c4eb231
Author: Michael Stahl 
AuthorDate: Thu Mar 7 20:10:48 2024 +0100
Commit: Michael Stahl 
CommitDate: Fri Mar 8 10:26:34 2024 +0100

ucb: webdav-curl: don't set CURLOPT_NOBODY for OPTIONS

The problem is that if the server does send a body, then curl returns
CURLE_WEIRD_SERVER_REPLY error code, which is translated to
DAVException; this looks unnecessary now because write_callback
will just return if there's no stream to write to anyway.

Change-Id: Iddaee9778ac7bbd538b64584f822f65ab0e395c2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164550
Tested-by: Jenkins
Reviewed-by: Michael Stahl 
(cherry picked from commit 980ca3953084560806cd980d2ec16951d9e30c2b)

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 2a15b9faea5b..645d41502156 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1607,9 +1607,8 @@ auto CurlSession::OPTIONS(OUString const& rURIReference,
 DAVResource result;
 ::std::pair<::std::vector const&, DAVResource&> const 
headers(headerNames, result);
 
-::std::vector const options{
-g_NoBody, { CURLOPT_CUSTOMREQUEST, "OPTIONS", "CURLOPT_CUSTOMREQUEST" }
-};
+::std::vector const options{ { CURLOPT_CUSTOMREQUEST, 
"OPTIONS",
+   "CURLOPT_CUSTOMREQUEST" } };
 
 CurlProcessor::ProcessRequest(*this, uri, "OPTIONS", options, , 
nullptr, nullptr, nullptr,
   );


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2023-10-02 Thread Noel Grandin (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |   15 +++
 1 file changed, 11 insertions(+), 4 deletions(-)

New commits:
commit 174b3a7e48393577c815037a3bc8146470dcf78e
Author: Noel Grandin 
AuthorDate: Fri Aug 18 13:49:54 2023 +0200
Commit: Michael Stahl 
CommitDate: Thu Sep 28 13:05:21 2023 +0200

Fix curl proxy access for non-authenticated proxy

If rSession.m_Proxy.aName is a simple host-name, the CurlUri constructor
will fail with CURLUE_BAD_SCHEME, so just ignore the error here,
we only care about parsing out the username/password

Change-Id: Iec2d6e7315a5899f6120a43199b75bf62db2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155834
Tested-by: Jenkins
Reviewed-by: Noel Grandin 
(cherry picked from commit 9b30b4b1678e8be15ba51d236bd9a3e693d8d3d6)

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 407d91f19248..2a15b9faea5b 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1251,11 +1251,18 @@ auto CurlProcessor::ProcessRequest(
 ::std::optional oAuthProxy;
 if (pEnv && !rSession.m_isAuthenticatedProxy && 
!rSession.m_Proxy.aName.isEmpty())
 {
-// the hope is that this must be a URI
-CurlUri const uri(rSession.m_Proxy.aName);
-if (!uri.GetUser().isEmpty() || !uri.GetPassword().isEmpty())
+try
+{
+// the hope is that this must be a URI
+CurlUri const uri(rSession.m_Proxy.aName);
+if (!uri.GetUser().isEmpty() || !uri.GetPassword().isEmpty())
+{
+oAuthProxy.emplace(uri.GetUser(), uri.GetPassword(), 
CURLAUTH_ANY);
+}
+}
+catch (DAVException&)
 {
-oAuthProxy.emplace(uri.GetUser(), uri.GetPassword(), CURLAUTH_ANY);
+// ignore any parsing failure here
 }
 }
 decltype(CURLAUTH_ANY) const authSystem(CURLAUTH_NEGOTIATE | CURLAUTH_NTLM 
| CURLAUTH_NTLM_WB);
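Review bot: The new `catch (DAVException&)` swallows every failure of the `CurlUri` constructor without a trace, so a proxy setting that does carry credentials but fails to parse is silently treated as having none. Record the fact at the catch site without printing `rSession.m_Proxy.aName`, since that string may contain the user name and password, e.g. `SAL_INFO("ucb.ucp.webdav.curl", "proxy name is not a parseable URI, no credentials extracted");`. The handler can also catch by `DAVException const&`. ProcessRequest starts and ends outside this hunk.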


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2023-06-06 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |4 
 1 file changed, 4 insertions(+)

New commits:
commit 829658fda824f465c596cdd7bcaf6397d8e66982
Author: Michael Stahl 
AuthorDate: Tue Jun 6 14:06:35 2023 +0200
Commit: Michael Stahl 
CommitDate: Tue Jun 6 16:42:33 2023 +0200

ucb: webdav-curl: auth data is invalid when receiving 401

Even if it used to be valid before; unfortunately newly entered
credentials weren't actually used because the flag was never reset.

Change-Id: Ib36689f40ff780596b9cfe6fe589a6f2e79cfcd2

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 430c927df60d..407d91f19248 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1472,6 +1472,10 @@ auto CurlProcessor::ProcessRequest(
 case SC_UNAUTHORIZED:
 case SC_PROXY_AUTHENTICATION_REQUIRED:
 {
+(statusCode != SC_PROXY_AUTHENTICATION_REQUIRED
+ ? rSession.m_isAuthenticated
+ : rSession.m_isAuthenticatedProxy)
+= false; // any auth data in m_pCurl is invalid
 auto& rnAuthRequests(statusCode != 
SC_PROXY_AUTHENTICATION_REQUIRED
  ? nAuthRequests
  : nAuthRequestsProxy);
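Review bot: The assignment through a parenthesised conditional expression, `(statusCode != SC_PROXY_AUTHENTICATION_REQUIRED ? ... : ...) = false;`, is easy to misread as a discarded expression, and it resets security-relevant session state. Binding a reference first, the same way `rnAuthRequests` is bound directly below, reads more clearly: `auto& rIsAuthenticated(statusCode != SC_PROXY_AUTHENTICATION_REQUIRED ? rSession.m_isAuthenticated : rSession.m_isAuthenticatedProxy);` followed by `rIsAuthenticated = false; // any auth data in m_pCurl is invalid`. The enclosing switch lies outside the hunk, so which other status codes reach this block cannot be confirmed from here.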


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2023-06-02 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |   10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

New commits:
commit ce3d69ec11b0aacff085d0ce20e8ed84406743da
Author: Michael Stahl 
AuthorDate: Fri Aug 12 16:43:12 2022 +0200
Commit: Michael Stahl 
CommitDate: Fri Jun 2 12:22:22 2023 +0200

tdf#149921 ucb: webdav-curl: WNT: certificate revocation check

- don't require it to be successful.

Trying to connect to a server with self-signed CA results in:


warn:ucb.ucp.webdav.curl:6796:6568:ucb/source/ucp/webdav-curl/CurlSession.cxx:946:
curl_easy_perform failed: (35) schannel: next InitializeSecurityContext 
failed:
Unknown error (0x80092012) - The revocation function was unable to check 
revocation for the certificate.

Apparently schannel wants to check by default (called with
SCH_CRED_REVOCATION_CHECK_CHAIN) that all the certificates aren't
revoked, but the self-signed CA doesn't specify how to check.

Set it to only check revocation when the way to do so actually works,
via CURLSSLOPT_REVOKE_BEST_EFFORT, which sets these flags:
SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | 
SCH_CRED_REVOCATION_CHECK_CHAIN

Change-Id: I6d77ca23fe2012d8a5d65000b14775070b5c9a0f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138204
Tested-by: Jenkins
Reviewed-by: Michael Stahl 
(cherry picked from commit f6a0ca0e92e41ad8fea71acdacdc7ec5e775dc59)

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index f1a0b736e5f9..430c927df60d 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -724,8 +724,16 @@ 
CurlSession::CurlSession(uno::Reference const& xContext,
 rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, 
_callback);
 rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SHARE, g_Init.pShare.get());
 assert(rc == CURLE_OK);
-// set this initially, may be overwritten during authentication
+// tdf#149921 by default, with schannel (WNT) connection fails if 
revocation
+// lists cannot be checked; try to limit the checking to when revocation
+// lists can actually be retrieved (usually not the case for self-signed 
CA)
+#if CURL_AT_LEAST_VERSION(7, 70, 0)
+rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, 
CURLSSLOPT_REVOKE_BEST_EFFORT);
+assert(rc == CURLE_OK);
+rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, 
CURLSSLOPT_REVOKE_BEST_EFFORT);
 assert(rc == CURLE_OK);
+#endif
+// set this initially, may be overwritten during authentication
 rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY);
 assert(rc == CURLE_OK); // ANY is always available
 // always set CURLOPT_PROXY to suppress proxy detection in libcurl
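Review bot: `CURLSSLOPT_REVOKE_BEST_EFFORT` is set in the CurlSession constructor for every connection and every proxy, not only for servers with a self-signed CA, so with schannel a revocation check that cannot be completed no longer fails the handshake for any host. That is a soft-fail trade-off and the comment should say so explicitly, e.g. `// NOTE: soft-fail: an unreachable CRL/OCSP endpoint no longer blocks the connection; a certificate found to be revoked is still rejected`. `CURLOPT_SSL_OPTIONS` is also a bitmask, so any other SSL option set on this handle later has to be OR-ed with this value rather than replace it. The constructor continues outside the hunk.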


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-10-19 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

New commits:
commit e84c21aca4b72d9e86c856f717b3bf1b75f190af
Author: Michael Stahl 
AuthorDate: Wed Oct 19 11:40:28 2022 +0200
Commit: Michael Stahl 
CommitDate: Wed Oct 19 11:42:33 2022 +0200

ucb: webdav-curl: enable cookie engine on 403 fallback

Change-Id: Iafa8bdd183ef8a514b656ec41a9b7a6fa1e3acb9

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index eda577ef722f..f986896c7e57 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1384,6 +1384,10 @@ auto CurlProcessor::ProcessRequest(
 {
 break;
 }
+// both fallbacks need cookie engine enabled
+CURLcode rc
+= curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIEFILE, "");
+assert(rc == CURLE_OK);
 if (cookies.isEmpty() // retry only once - could be 
expired...
 && rSession.m_URI.GetScheme() == "https") // only 
encrypted
 {
@@ -1391,9 +1395,6 @@ auto CurlProcessor::ProcessRequest(
 = TryImportCookies(rSession.m_xContext, 
rSession.m_URI.GetHost());
 if (!cookies.isEmpty())
 {
-CURLcode rc = 
curl_easy_setopt(rSession.m_pCurl.get(),
-   
CURLOPT_COOKIEFILE, "");
-assert(rc == CURLE_OK);
 rc = curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIE,
   cookies.getStr());
 assert(rc == CURLE_OK);


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-10-18 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |7 +++
 1 file changed, 7 insertions(+)

New commits:
commit 388a702af2fe45b2c436e64eb8639f16c1e24b76
Author: Michael Stahl 
AuthorDate: Tue Oct 18 18:35:35 2022 +0200
Commit: Michael Stahl 
CommitDate: Tue Oct 18 18:36:25 2022 +0200

ucb: webdav-curl: add magic header to disable FBA in 403 fallback

Change-Id: I0018a9904857d7521895936dc27607a54523f300

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 5d0616e2e1b9..eda577ef722f 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1404,6 +1404,13 @@ auto CurlProcessor::ProcessRequest(
 }
 }
 SAL_INFO("ucb.ucp.webdav.curl", "403 fallback 
authentication hack");
+// disable 302 redirect
+pRequestHeaderList.reset(curl_slist_append(
+pRequestHeaderList.release(), 
"X-FORMS_BASED_AUTH_ACCEPTED: f"));
+if (!pRequestHeaderList)
+{
+throw uno::RuntimeException("curl_slist_append 
failed");
+}
 }
 [[fallthrough]]; // SP, no cookie, or cookie failed: 
try NTLM
 case SC_UNAUTHORIZED:
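Review bot: In the added header append, `pRequestHeaderList.release()` gives up ownership before `curl_slist_append` is known to have succeeded; that function returns null on failure and leaves the existing list untouched, so the old list is leaked on the path that throws. Append through `get()` and swap ownership only after the call has succeeded, as in the excerpt below. Because this code sits inside the retry loop of ProcessRequest (which starts and ends outside the hunk), it also looks as if the header is appended again on every 403 pass; a flag guarding the append would avoid duplicates.

```cpp
// disable 302 redirect
curl_slist* const pAppended(curl_slist_append(
    pRequestHeaderList.get(), "X-FORMS_BASED_AUTH_ACCEPTED: f"));
if (!pAppended)
{
    // the original list is still owned by pRequestHeaderList here
    throw uno::RuntimeException("curl_slist_append failed");
}
(void)pRequestHeaderList.release(); // same nodes, now reachable via pAppended
pRequestHeaderList.reset(pAppended);
```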


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-10-13 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

New commits:
commit 37abfd767874441568d9f5ac499b2d93d34e10fe
Author: Michael Stahl 
AuthorDate: Thu Oct 13 12:15:21 2022 +0200
Commit: Michael Stahl 
CommitDate: Thu Oct 13 12:16:02 2022 +0200

ucb: webdav-curl: try fallback authentication with Negotiate instead

Change-Id: I93e0c8f95beafc30b94296430352f2ae54e65b11

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index b698026d16b6..5d0616e2e1b9 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1442,8 +1442,8 @@ auto CurlProcessor::ProcessRequest(
 { // SharePoint hack: try NTLM auth
 assert(authAvail == 0);
 // note: this must be a single value!
-// would need 2 iterations to try 
CURLAUTH_NEGOTIATE too
-authAvail = CURLAUTH_NTLM;
+// would need 2 iterations to try 
CURLAUTH_NTLM too
+authAvail = CURLAUTH_NEGOTIATE;
 }
 // only allow SystemCredentials once - the
 // PasswordContainer may have stored it in the


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-10-12 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |   60 +++--
 1 file changed, 40 insertions(+), 20 deletions(-)

New commits:
commit c6df10ce7f91b3084255bfbbac95e865bbb3ce7b
Author: Michael Stahl 
AuthorDate: Mon Oct 10 15:40:41 2022 +0200
Commit: Michael Stahl 
CommitDate: Wed Oct 12 11:25:40 2022 +0200

ucb: webdav-curl: try fallback authentication on 403 error

Sharepoint reports lack of authentication with 403 status and additional
X-MSDAVEXT_ERROR header value 0x000E0098.

Try to fallback to NTLM auth in this case, if a first attempt with
imported cookie didn't work.

Note that the build config of libcurl on Linux is such that adding
CURLAUTH_NEGOTIATE has no effect, but on WNT it causes the AuthMask
to be ambiguous and prevents curl from trying NTLM.

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index cc0a2368784f..b698026d16b6 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1380,29 +1380,38 @@ auto CurlProcessor::ProcessRequest(
 ProcessHeaders(headers.HeaderFields.back().first));
 // X-MSDAVEXT_Error see [MS-WEBDAVE] 2.2.3.1.9
 auto const it(headerMap.find("x-msdavext_error"));
+if (it == headerMap.end() || 
!it->second.startsWith("917656;"))
+{
+break;
+}
 if (cookies.isEmpty() // retry only once - could be 
expired...
-&& rSession.m_URI.GetScheme() == "https" // only 
encrypted
-&& it != headerMap.end()
-&& it->second.startsWith("917656;"))
+&& rSession.m_URI.GetScheme() == "https") // only 
encrypted
 {
-cookies = TryImportCookies(rSession.m_xContext, 
rSession.m_URI.GetHost());
+cookies
+= TryImportCookies(rSession.m_xContext, 
rSession.m_URI.GetHost());
 if (!cookies.isEmpty())
 {
-CURLcode rc = 
curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, "");
+CURLcode rc = 
curl_easy_setopt(rSession.m_pCurl.get(),
+   
CURLOPT_COOKIEFILE, "");
 assert(rc == CURLE_OK);
-rc = curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIE, cookies.getStr());
+rc = curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIE,
+  cookies.getStr());
 assert(rc == CURLE_OK);
 (void)rc;
 isRetry = true;
+SAL_INFO("ucb.ucp.webdav.curl", "FedAuth 
cookie set");
+break; // try cookie once
 }
 }
-break;
+SAL_INFO("ucb.ucp.webdav.curl", "403 fallback 
authentication hack");
 }
+[[fallthrough]]; // SP, no cookie, or cookie failed: 
try NTLM
 case SC_UNAUTHORIZED:
 case SC_PROXY_AUTHENTICATION_REQUIRED:
 {
-auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? 
nAuthRequests
-   : 
nAuthRequestsProxy);
+auto& rnAuthRequests(statusCode != 
SC_PROXY_AUTHENTICATION_REQUIRED
+ ? nAuthRequests
+ : nAuthRequestsProxy);
 if (rnAuthRequests == 10)
 {
 SAL_INFO("ucb.ucp.webdav.curl", "aborting 
authentication after "
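Review bot: The `https` check now guards only the cookie import, so a 403 whose `x-msdavext_error` value starts with `917656;` falls through to the credential-requesting path on any scheme, on the strength of a response header alone. If the fallback is meant for encrypted SharePoint connections only, the early `break` should cover the scheme as well: `if (it == headerMap.end() || !it->second.startsWith("917656;") || rSession.m_URI.GetScheme() != "https")`. The literal also deserves a comment tying it to the commit message, e.g. `// 917656 == 0x000E0098`. The same applies to the identical hunk in commit cc77bc0e further down the page; the switch itself starts outside the hunk.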
@@ -1410,22 +1419,32 @@ auto CurlProcessor::ProcessRequest(
 }
 else if (pEnv && pEnv->m_xAuthListener)
 {
-::std::optional const 
oRealm(ExtractRealm(
-headers, statusCode == SC_UNAUTHORIZED ? 
"WWW-Authenticate"
-   : 
"Proxy-Authenticate"));
+::std::optional const oRealm(
+ExtractRealm(headers, statusCode != 
SC_PROXY_AUTHENTICATION_REQUIRED
+  ? "WWW-Authenticate"
+  : 

[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-10-10 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |   58 ++---
 1 file changed, 20 insertions(+), 38 deletions(-)

New commits:
commit ecf5156e53878fb19d8921af64a54a8b4e6ddf4c
Author: Michael Stahl 
AuthorDate: Mon Oct 10 15:01:08 2022 +0200
Commit: Michael Stahl 
CommitDate: Mon Oct 10 15:01:08 2022 +0200

Revert "ucb: webdav-curl: try fallback authentication on 403 error"

This reverts commit cc77bc0e5273c6cf404851624ce5b127cdd839f4.

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 5b2479fb1f88..cc0a2368784f 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1380,38 +1380,29 @@ auto CurlProcessor::ProcessRequest(
 ProcessHeaders(headers.HeaderFields.back().first));
 // X-MSDAVEXT_Error see [MS-WEBDAVE] 2.2.3.1.9
 auto const it(headerMap.find("x-msdavext_error"));
-if (it == headerMap.end() || 
!it->second.startsWith("917656;"))
-{
-break;
-}
 if (cookies.isEmpty() // retry only once - could be 
expired...
-&& rSession.m_URI.GetScheme() == "https") // only 
encrypted
+&& rSession.m_URI.GetScheme() == "https" // only 
encrypted
+&& it != headerMap.end()
+&& it->second.startsWith("917656;"))
 {
-cookies
-= TryImportCookies(rSession.m_xContext, 
rSession.m_URI.GetHost());
+cookies = TryImportCookies(rSession.m_xContext, 
rSession.m_URI.GetHost());
 if (!cookies.isEmpty())
 {
-CURLcode rc = 
curl_easy_setopt(rSession.m_pCurl.get(),
-   
CURLOPT_COOKIEFILE, "");
+CURLcode rc = 
curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, "");
 assert(rc == CURLE_OK);
-rc = curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIE,
-  cookies.getStr());
+rc = curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIE, cookies.getStr());
 assert(rc == CURLE_OK);
 (void)rc;
 isRetry = true;
-SAL_INFO("ucb.ucp.webdav.curl", "FedAuth 
cookie set");
-break; // try cookie once
 }
 }
-SAL_INFO("ucb.ucp.webdav.curl", "403 fallback 
authentication hack");
+break;
 }
-[[fallthrough]]; // SP, no cookie, or cookie failed: 
try NTLM
 case SC_UNAUTHORIZED:
 case SC_PROXY_AUTHENTICATION_REQUIRED:
 {
-auto& rnAuthRequests(statusCode != 
SC_PROXY_AUTHENTICATION_REQUIRED
- ? nAuthRequests
- : nAuthRequestsProxy);
+auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? 
nAuthRequests
+   : 
nAuthRequestsProxy);
 if (rnAuthRequests == 10)
 {
 SAL_INFO("ucb.ucp.webdav.curl", "aborting 
authentication after "
@@ -1419,30 +1410,22 @@ auto CurlProcessor::ProcessRequest(
 }
 else if (pEnv && pEnv->m_xAuthListener)
 {
-::std::optional const oRealm(
-ExtractRealm(headers, statusCode != 
SC_PROXY_AUTHENTICATION_REQUIRED
-  ? "WWW-Authenticate"
-  : 
"Proxy-Authenticate"));
+::std::optional const 
oRealm(ExtractRealm(
+headers, statusCode == SC_UNAUTHORIZED ? 
"WWW-Authenticate"
+   : 
"Proxy-Authenticate"));
 
 ::std::optional& roAuth(
-statusCode != SC_PROXY_AUTHENTICATION_REQUIRED 
? oAuth
-   
: oAuthProxy);
+statusCode == SC_UNAUTHORIZED ? oAuth : 
oAuthProxy);
   

[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-10-07 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |   58 +++--
 1 file changed, 38 insertions(+), 20 deletions(-)

New commits:
commit cc77bc0e5273c6cf404851624ce5b127cdd839f4
Author: Michael Stahl 
AuthorDate: Fri Oct 7 12:41:29 2022 +0200
Commit: Michael Stahl 
CommitDate: Fri Oct 7 13:34:48 2022 +0200

ucb: webdav-curl: try fallback authentication on 403 error

Sharepoint reports lack of authentication with 403 status and additional
X-MSDAVEXT_ERROR header value 0x000E0098.

Try to fallback to NTLM auth in this case, if a first attempt with
imported cookie didn't work.

Change-Id: I0d6dca2989d276262547a61784a3d0ed8bff9abd

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index cc0a2368784f..5b2479fb1f88 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1380,29 +1380,38 @@ auto CurlProcessor::ProcessRequest(
 ProcessHeaders(headers.HeaderFields.back().first));
 // X-MSDAVEXT_Error see [MS-WEBDAVE] 2.2.3.1.9
 auto const it(headerMap.find("x-msdavext_error"));
+if (it == headerMap.end() || 
!it->second.startsWith("917656;"))
+{
+break;
+}
 if (cookies.isEmpty() // retry only once - could be 
expired...
-&& rSession.m_URI.GetScheme() == "https" // only 
encrypted
-&& it != headerMap.end()
-&& it->second.startsWith("917656;"))
+&& rSession.m_URI.GetScheme() == "https") // only 
encrypted
 {
-cookies = TryImportCookies(rSession.m_xContext, 
rSession.m_URI.GetHost());
+cookies
+= TryImportCookies(rSession.m_xContext, 
rSession.m_URI.GetHost());
 if (!cookies.isEmpty())
 {
-CURLcode rc = 
curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, "");
+CURLcode rc = 
curl_easy_setopt(rSession.m_pCurl.get(),
+   
CURLOPT_COOKIEFILE, "");
 assert(rc == CURLE_OK);
-rc = curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIE, cookies.getStr());
+rc = curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIE,
+  cookies.getStr());
 assert(rc == CURLE_OK);
 (void)rc;
 isRetry = true;
+SAL_INFO("ucb.ucp.webdav.curl", "FedAuth 
cookie set");
+break; // try cookie once
 }
 }
-break;
+SAL_INFO("ucb.ucp.webdav.curl", "403 fallback 
authentication hack");
 }
+[[fallthrough]]; // SP, no cookie, or cookie failed: 
try NTLM
 case SC_UNAUTHORIZED:
 case SC_PROXY_AUTHENTICATION_REQUIRED:
 {
-auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? 
nAuthRequests
-   : 
nAuthRequestsProxy);
+auto& rnAuthRequests(statusCode != 
SC_PROXY_AUTHENTICATION_REQUIRED
+ ? nAuthRequests
+ : nAuthRequestsProxy);
 if (rnAuthRequests == 10)
 {
 SAL_INFO("ucb.ucp.webdav.curl", "aborting 
authentication after "
@@ -1410,22 +1419,30 @@ auto CurlProcessor::ProcessRequest(
 }
 else if (pEnv && pEnv->m_xAuthListener)
 {
-::std::optional const 
oRealm(ExtractRealm(
-headers, statusCode == SC_UNAUTHORIZED ? 
"WWW-Authenticate"
-   : 
"Proxy-Authenticate"));
+::std::optional const oRealm(
+ExtractRealm(headers, statusCode != 
SC_PROXY_AUTHENTICATION_REQUIRED
+  ? "WWW-Authenticate"
+  : 
"Proxy-Authenticate"));
 
 ::std::optional& roAuth(
-statusCode == SC_UNAUTHORIZED ? 

[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-09-16 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx   |   38 +--
 ucb/source/ucp/webdav-curl/ImportCookies.cxx |   19 +
 2 files changed, 38 insertions(+), 19 deletions(-)

New commits:
commit 23ff13457247e4457817b3e2dc24d99fc8703f9d
Author: Michael Stahl 
AuthorDate: Fri Sep 16 21:25:50 2022 +0200
Commit: Michael Stahl 
CommitDate: Fri Sep 16 21:25:50 2022 +0200

ucb: webdav-curl: tweak cookie import

Improve error handling/logging, and do it only if the error code
0x000E0098 is received.

Change-Id: I47dada2ef08b21a43cdfa3db9eb2fcdb4043a04f

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 066ad2d2feb9..cc0a2368784f 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -707,19 +707,6 @@ 
CurlSession::CurlSession(uno::Reference const& xContext,
 rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_FORBID_REUSE, 1L);
 assert(rc == CURLE_OK);
 }
-#ifdef _WIN32
-if (m_URI.GetScheme() == "https")
-{
-OString const cookies(TryImportCookies(m_xContext, m_URI.GetHost()));
-if (!cookies.isEmpty())
-{
-rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_COOKIEFILE, "");
-assert(rc == CURLE_OK);
-rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_COOKIE, 
cookies.getStr());
-assert(rc == CURLE_OK);
-}
-}
-#endif
 }
 
 CurlSession::~CurlSession() {}
@@ -1247,6 +1234,7 @@ auto CurlProcessor::ProcessRequest(
 bool isRetry(false);
 int nAuthRequests(0);
 int nAuthRequestsProxy(0);
+OString cookies;
 
 // libcurl does not have an authentication callback so handle auth
 // related status codes and requesting credentials via this loop
@@ -1386,6 +1374,30 @@ auto CurlProcessor::ProcessRequest(
 }
 break;
 }
+case SC_FORBIDDEN:
+{
+::std::map const headerMap(
+ProcessHeaders(headers.HeaderFields.back().first));
+// X-MSDAVEXT_Error see [MS-WEBDAVE] 2.2.3.1.9
+auto const it(headerMap.find("x-msdavext_error"));
+if (cookies.isEmpty() // retry only once - could be 
expired...
+&& rSession.m_URI.GetScheme() == "https" // only 
encrypted
+&& it != headerMap.end()
+&& it->second.startsWith("917656;"))
+{
+cookies = TryImportCookies(rSession.m_xContext, 
rSession.m_URI.GetHost());
+if (!cookies.isEmpty())
+{
+CURLcode rc = 
curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, "");
+assert(rc == CURLE_OK);
+rc = curl_easy_setopt(rSession.m_pCurl.get(), 
CURLOPT_COOKIE, cookies.getStr());
+assert(rc == CURLE_OK);
+(void)rc;
+isRetry = true;
+}
+}
+break;
+}
 case SC_UNAUTHORIZED:
 case SC_PROXY_AUTHENTICATION_REQUIRED:
 {
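Review bot: `headers.HeaderFields.back()` in the new `SC_FORBIDDEN` case is evaluated without checking that any header block was recorded; if `HeaderFields` is a standard container (its declaration is not in this hunk), calling `back()` on an empty one is undefined behaviour. A guard such as `if (headers.HeaderFields.empty()) { break; }` before `headerMap` is built would make the case safe for a response with no recorded headers. Separately, the two `curl_easy_setopt` results are checked only by `assert`, so in a release build `isRetry` is set even when setting the cookie failed.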
diff --git a/ucb/source/ucp/webdav-curl/ImportCookies.cxx 
b/ucb/source/ucp/webdav-curl/ImportCookies.cxx
index 897299da3c0a..4df885e4efc7 100644
--- a/ucb/source/ucp/webdav-curl/ImportCookies.cxx
+++ b/ucb/source/ucp/webdav-curl/ImportCookies.cxx
@@ -24,6 +24,8 @@
 #include 
 
 #ifdef _WIN32
+#include 
+
 #include 
 
 #include 
@@ -98,7 +100,7 @@ OString 
TryImportCookies(uno::Reference const& xContext[
 char* err(nullptr);
 Value value;
 OString const statement("SELECT value, LENGTH(encrypted_value), 
encrypted_value FROM cookies "
-"WHERE name = \"FedAuth\"  and host_key = \""
+"WHERE name = \"FedAuth\" AND host_key = \""
 + ::rtl::OUStringToOString(rHost, 
RTL_TEXTENCODING_ASCII_US) + "\";");
 rc = sqlite3_exec(db, statement.getStr(), callback, , );
 if (rc != SQLITE_OK)
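Review bot: The statement is still built by concatenating `rHost` between double quotes, so a host string containing `"` changes the query text, and `sqlite3_exec` runs whatever statements result. Bind the host as a parameter instead: prepare `SELECT value, LENGTH(encrypted_value), encrypted_value FROM cookies WHERE name = 'FedAuth' AND host_key = ?1` with `sqlite3_prepare_v2`, attach the host with `sqlite3_bind_text`, and read the row with `sqlite3_step`. Single quotes are also the correct delimiter for the `FedAuth` literal, because SQLite resolves a double-quoted token as an identifier first and only falls back to a string. TryImportCookies begins and ends outside this hunk.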
@@ -113,7 +115,7 @@ OString 
TryImportCookies(uno::Reference const& xContext[
 }
 if (value.encryptedValue.getLength() < 3 + 12 + 16)
 {
-SAL_INFO("ucb.ucp.webdav.curl", "encrypted_value too short");
+SAL_INFO("ucb.ucp.webdav.curl", "encrypted_value too short: " << 
value.encryptedValue.getLength());
 return OString();
 }
 
@@ -125,7 +127,7 @@ OString 
TryImportCookies(uno::Reference const& xContext[
 OUString const stateUrl = localAppDirUrl + "/Microsoft/Edge/User 
Data/Local State";
 OUString statePathU;
 

[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-09-01 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |6 --
 1 file changed, 6 deletions(-)

New commits:
commit 5df5d4c179af34166f85f7cfa507cabe2d08f720
Author: Michael Stahl 
AuthorDate: Thu Sep 1 11:14:51 2022 +0200
Commit: Michael Stahl 
CommitDate: Thu Sep 1 11:16:22 2022 +0200

Revert "ucb: webdav-curl: try to auth on 403"

This reverts commit 9352ba337a84672a0ba60651023422de88105456.

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index c503b265fcb0..066ad2d2feb9 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1386,12 +1386,6 @@ auto CurlProcessor::ProcessRequest(
 }
 break;
 }
-case SC_FORBIDDEN: // treat as 401, just for testing!
-if (rSession.m_isAuthenticated)
-{
-break;
-}
-[[fallthrough]];
 case SC_UNAUTHORIZED:
 case SC_PROXY_AUTHENTICATION_REQUIRED:
 {


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-07-19 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |6 ++
 1 file changed, 6 insertions(+)

New commits:
commit 9352ba337a84672a0ba60651023422de88105456
Author: Michael Stahl 
AuthorDate: Tue Jul 19 14:12:38 2022 +0200
Commit: Michael Stahl 
CommitDate: Tue Jul 19 14:23:59 2022 +0200

ucb: webdav-curl: try to auth on 403

This is just for testing, don't ship.

Change-Id: Ic2344c61cbe3cf419b698be526a20388c0ef4f37

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index 4fe05ab97e72..c3fd76062e2c 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1373,6 +1373,12 @@ auto CurlProcessor::ProcessRequest(
 }
 break;
 }
+case SC_FORBIDDEN: // treat as 401, just for testing!
+if (rSession.m_isAuthenticated)
+{
+break;
+}
+[[fallthrough]];
 case SC_UNAUTHORIZED:
 case SC_PROXY_AUTHENTICATION_REQUIRED:
 {
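Review bot: The `[[fallthrough]]` from `SC_FORBIDDEN` lands in a block that, in the other hunks of this file shown on the page, chooses its header and counter with `statusCode == SC_UNAUTHORIZED ? … : …`. A 403 would therefore presumably be handled as a proxy challenge (`Proxy-Authenticate`) rather than as a 401. It would also prompt for and resend credentials to a server that never issued a challenge. The commit message says this must not ship, but only the `// treat as 401, just for testing!` comment enforces that; if the case is kept for testing, compile it only in debug builds, e.g. inside `#ifdef DBG_UTIL`. The case body continues outside this hunk.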


[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source

2022-04-14 Thread Michael Stahl (via logerrit)
 ucb/source/ucp/webdav-curl/CurlSession.cxx |   20 ++--
 1 file changed, 18 insertions(+), 2 deletions(-)

New commits:
commit d98aa6397dce8c3ad27cee7faaeb3048c5933b75
Author: Michael Stahl 
AuthorDate: Wed Apr 13 16:50:30 2022 +0200
Commit: Michael Stahl 
CommitDate: Thu Apr 14 12:15:44 2022 +0200

ucb: webdav-curl: only allow system credentials for auth once

... and in any case abort authentication after 10 failed attempts.

Apparently some PasswordContainer can turn this into an infinite loop.

Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132974
Tested-by: Jenkins
Reviewed-by: Michael Stahl 
(cherry picked from commit 2bc4d1d22fdbd9d97c66bb53762b4b4bf7b61b47)

ucb: webdav-curl: oops, increment after checking
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132982
Reviewed-by: Michael Stahl 
Tested-by: Jenkins
(cherry picked from commit ab65a74998b498ff49c15db87fc14a9afa89d8bf)

Change-Id: Ib2333b371a770999e8407ce7e1af21512aadb70d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132867
Tested-by: Jenkins
Reviewed-by: Thorsten Behrens 
(cherry picked from commit 6b54e6a8e64233de63b826211b81a8ed6767483f)

diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx 
b/ucb/source/ucp/webdav-curl/CurlSession.cxx
index bddefa1ad117..dbc2e45cd3eb 100644
--- a/ucb/source/ucp/webdav-curl/CurlSession.cxx
+++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx
@@ -1222,6 +1222,8 @@ auto CurlProcessor::ProcessRequest(
 }
 }
 bool isRetry(false);
+int nAuthRequests(0);
+int nAuthRequestsProxy(0);
 
 // libcurl does not have an authentication callback so handle auth
 // related status codes and requesting credentials via this loop
@@ -1364,7 +1366,14 @@ auto CurlProcessor::ProcessRequest(
 case SC_UNAUTHORIZED:
 case SC_PROXY_AUTHENTICATION_REQUIRED:
 {
-if (pEnv && pEnv->m_xAuthListener)
+auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? 
nAuthRequests
+   : 
nAuthRequestsProxy);
+if (rnAuthRequests == 10)
+{
+SAL_INFO("ucb.ucp.webdav.curl", "aborting 
authentication after "
+<< 
rnAuthRequests << " attempts");
+}
+else if (pEnv && pEnv->m_xAuthListener)
 {
 ::std::optional const 
oRealm(ExtractRealm(
 headers, statusCode == SC_UNAUTHORIZED ? 
"WWW-Authenticate"
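Review bot: The retry cap in `if (rnAuthRequests == 10)` is a bare literal compared with `==`, which stops working if the increment is ever moved or duplicated. A named constant and `>=` would be more robust: `constexpr int nMaxAuthRequests = 10;` next to the two counters, and `if (rnAuthRequests >= nMaxAuthRequests)`. The abort is logged only with `SAL_INFO`; `SAL_WARN` may fit better, since repeated failed authentication is what someone debugging lockouts would look for. The enclosing switch case and retry loop start and end outside this hunk, so what happens after the abort branch cannot be checked from here.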
@@ -1382,7 +1391,14 @@ auto CurlProcessor::ProcessRequest(
   );
 assert(rc == CURLE_OK);
 (void)rc;
-bool const isSystemCredSupported((authAvail & 
authSystem) != 0);
+// only allow SystemCredentials once - the
+// PasswordContainer may have stored it in the
+// Config (TrySystemCredentialsFirst or
+// AuthenticateUsingSystemCredentials) and then it
+// will always force its use no matter how hopeless
+bool const isSystemCredSupported((authAvail & 
authSystem) != 0
+ && rnAuthRequests 
== 0);
+++rnAuthRequests;
 
 // Ask user via XInteractionHandler.
 // Warning: This likely runs an event loop which 
may