core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/ImportCookies.cxx |6 +- 1 file changed, 5 insertions(+), 1 deletion(-) New commits: commit 84baeb6c2b7690c18d00ee78d34c5cceba3a46ba Author: Michael Stahl AuthorDate: Tue Mar 12 15:10:35 2024 +0100 Commit: Michael Stahl CommitDate: Tue Mar 12 15:10:35 2024 +0100 ucb: webdav-curl: add missing return diff --git a/ucb/source/ucp/webdav-curl/ImportCookies.cxx b/ucb/source/ucp/webdav-curl/ImportCookies.cxx index fa9aa9731b1a..ff5d7389aeac 100644 --- a/ucb/source/ucp/webdav-curl/ImportCookies.cxx +++ b/ucb/source/ucp/webdav-curl/ImportCookies.cxx @@ -97,7 +97,11 @@ OString TryImportCookies(uno::Reference const& xContext[ // apparently this may crash, and sqlite3_errstr() isn't exported? // SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << sqlite3_errmsg(db)); SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << rc); -sqlite3_close(db); +if (db) +{ +sqlite3_close(db); +} +return OString(); } char* err(nullptr); Value value;
core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-) New commits: commit b0aeac2376ee5d74373e35eace8258a500e7cf00 Author: Michael Stahl AuthorDate: Fri Mar 8 11:20:45 2024 +0100 Commit: Michael Stahl CommitDate: Tue Mar 12 14:51:32 2024 +0100 ucb: webdav-curl: only set CURLOPT_NOBODY for HEAD Some testing with Apache httpd+mod_dav reveals that it usually sends a body with a 401 status, which causes the CURLE_WEIRD_SERVER_REPLY error code from curl. So we should either ignore this error in case there's a HTTP status too, or stop using CURLOPT_NOBODY. The latter seems to have no downside, except for HEAD requests, where strangely the server keeps the connection open and curl waits for 5 seconds for no body to arrive, blocking the UI, so continue to use CURLOPT_NOBODY for HEAD. The other methods don't seem to block. It turns out that the SAL_LOG-dependent setting of g_NoBody turned HEAD into GET anyway if logging is enabled, so explicitly set the method. Change-Id: Ibe2eef8e7a827d4e356ba37c4b56bee0be3b9c13 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164569 Tested-by: Jenkins Reviewed-by: Michael Stahl (cherry picked from commit e0259d4c0951c4dd77c74d08b9d905728d4c8dfd) diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 645d41502156..4bae872b1757 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1914,7 +1914,9 @@ auto CurlSession::HEAD(OUString const& rURIReference, ::std::vector co CurlUri const uri(CurlProcessor::URIReferenceToURI(*this, rURIReference)); -::std::vector const options{ g_NoBody }; +::std::vector const options{ +g_NoBody, { CURLOPT_CUSTOMREQUEST, "HEAD", "CURLOPT_CUSTOMREQUEST" } +}; ::std::pair<::std::vector const&, DAVResource&> const headers(rHeaderNames, io_rResource); 
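Review bot: In `CurlSession::HEAD`, `CURLOPT_CUSTOMREQUEST` only changes the method string that libcurl sends; it does not make libcurl stop expecting a response body. The commit message says `g_NoBody` depends on SAL_LOG (its definition is outside the hunk), so in a logging build the request would now say HEAD while libcurl still waits for a body, which looks like the multi-second stall the message describes. Consider passing `CURLOPT_NOBODY` set to 1 for HEAD regardless of logging, and add a comment on `options` such as `// NOBODY stops libcurl waiting for a body; CUSTOMREQUEST only renames the method`.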
@@ -2147,9 +2149,8 @@ auto CurlSession::MKCOL(OUString const& rURIReference, DAVRequestEnvironment con CurlUri const uri(CurlProcessor::URIReferenceToURI(*this, rURIReference)); -::std::vector const options{ -g_NoBody, { CURLOPT_CUSTOMREQUEST, "MKCOL", "CURLOPT_CUSTOMREQUEST" } -}; +::std::vector const options{ { CURLOPT_CUSTOMREQUEST, "MKCOL", + "CURLOPT_CUSTOMREQUEST" } }; CurlProcessor::ProcessRequest(*this, uri, "MKCOL", options, , nullptr, nullptr, nullptr, nullptr); @@ -2177,9 +2178,8 @@ auto CurlProcessor::MoveOrCopy(CurlSession& rSession, OUString const& rSourceURI throw uno::RuntimeException("curl_slist_append failed"); } -::std::vector const options{ -g_NoBody, { CURLOPT_CUSTOMREQUEST, pMethod, "CURLOPT_CUSTOMREQUEST" } -}; +::std::vector const options{ { CURLOPT_CUSTOMREQUEST, pMethod, + "CURLOPT_CUSTOMREQUEST" } }; CurlProcessor::ProcessRequest(rSession, uriSource, OUString::createFromAscii(pMethod), options, , ::std::move(pList), nullptr, nullptr, nullptr); @@ -2209,9 +2209,8 @@ auto CurlSession::DESTROY(OUString const& rURIReference, DAVRequestEnvironment c CurlUri const uri(CurlProcessor::URIReferenceToURI(*this, rURIReference)); -::std::vector const options{ -g_NoBody, { CURLOPT_CUSTOMREQUEST, "DELETE", "CURLOPT_CUSTOMREQUEST" } -}; +::std::vector const options{ { CURLOPT_CUSTOMREQUEST, "DELETE", + "CURLOPT_CUSTOMREQUEST" } }; CurlProcessor::ProcessRequest(*this, uri, "DESTROY", options, , nullptr, nullptr, nullptr, nullptr);
core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/ImportCookies.cxx |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) New commits: commit 4c6574abe8cca7d74129c12c486b722c668fdaba Author: Michael Stahl AuthorDate: Tue Mar 12 14:44:00 2024 +0100 Commit: Michael Stahl CommitDate: Tue Mar 12 14:44:16 2024 +0100 ucb: webdav-curl: avoid crashing in SAL_INFO It's not clear why calling sqlite3_errmsg would crash, but avoid it... Change-Id: If2a375671fd5484d72af1c0f538f424f02149a0a diff --git a/ucb/source/ucp/webdav-curl/ImportCookies.cxx b/ucb/source/ucp/webdav-curl/ImportCookies.cxx index 4df885e4efc7..fa9aa9731b1a 100644 --- a/ucb/source/ucp/webdav-curl/ImportCookies.cxx +++ b/ucb/source/ucp/webdav-curl/ImportCookies.cxx @@ -94,7 +94,9 @@ OString TryImportCookies(uno::Reference const& xContext[ int rc = sqlite3_open_v2(dbUrl.getStr(), , SQLITE_OPEN_READONLY | SQLITE_OPEN_URI, nullptr); if (rc != SQLITE_OK) { -SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << sqlite3_errmsg(db)); +// apparently this may crash, and sqlite3_errstr() isn't exported? +// SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << sqlite3_errmsg(db)); +SAL_INFO("ucb.ucp.webdav.curl", "sqlite3_open failed: " << rc); sqlite3_close(db); } char* err(nullptr);
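Review bot: The `rc != SQLITE_OK` branch still ends with `sqlite3_close(db); }` and then runs on into `char* err(nullptr);`, so after a failed open the rest of TryImportCookies presumably continues with a closed or null handle. The branch should leave the function, e.g. `return OString();` right after the close. The function body extends beyond this hunk, so what exactly uses `db` afterwards is not visible here.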
core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx |5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) New commits: commit dafc3780ffbef9b316839059076f58fe8c4eb231 Author: Michael Stahl AuthorDate: Thu Mar 7 20:10:48 2024 +0100 Commit: Michael Stahl CommitDate: Fri Mar 8 10:26:34 2024 +0100 ucb: webdav-curl: don't set CURLOPT_NOBODY for OPTIONS The problem is that if the server does send a body, then curl returns CURLE_WEIRD_SERVER_REPLY error code, which is translated to DAVException; this looks unnecessary now because write_callback will just return if there's no stream to write to anyway. Change-Id: Iddaee9778ac7bbd538b64584f822f65ab0e395c2 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/164550 Tested-by: Jenkins Reviewed-by: Michael Stahl (cherry picked from commit 980ca3953084560806cd980d2ec16951d9e30c2b) diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 2a15b9faea5b..645d41502156 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1607,9 +1607,8 @@ auto CurlSession::OPTIONS(OUString const& rURIReference, DAVResource result; ::std::pair<::std::vector const&, DAVResource&> const headers(headerNames, result); -::std::vector const options{ -g_NoBody, { CURLOPT_CUSTOMREQUEST, "OPTIONS", "CURLOPT_CUSTOMREQUEST" } -}; +::std::vector const options{ { CURLOPT_CUSTOMREQUEST, "OPTIONS", + "CURLOPT_CUSTOMREQUEST" } }; CurlProcessor::ProcessRequest(*this, uri, "OPTIONS", options, , nullptr, nullptr, nullptr, );
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx | 15 +++ 1 file changed, 11 insertions(+), 4 deletions(-) New commits: commit 174b3a7e48393577c815037a3bc8146470dcf78e Author: Noel Grandin AuthorDate: Fri Aug 18 13:49:54 2023 +0200 Commit: Michael Stahl CommitDate: Thu Sep 28 13:05:21 2023 +0200 Fix curl proxy access for non-authenticated proxy If rSession.m_Proxy.aName is a simple host-name, the CurlUri constructor will fail with CURLUE_BAD_SCHEME, so just ignore the error here, we only care about parsing out the username/password Change-Id: Iec2d6e7315a5899f6120a43199b75bf62db2 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/155834 Tested-by: Jenkins Reviewed-by: Noel Grandin (cherry picked from commit 9b30b4b1678e8be15ba51d236bd9a3e693d8d3d6) diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 407d91f19248..2a15b9faea5b 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1251,11 +1251,18 @@ auto CurlProcessor::ProcessRequest( ::std::optional oAuthProxy; if (pEnv && !rSession.m_isAuthenticatedProxy && !rSession.m_Proxy.aName.isEmpty()) { -// the hope is that this must be a URI -CurlUri const uri(rSession.m_Proxy.aName); -if (!uri.GetUser().isEmpty() || !uri.GetPassword().isEmpty()) +try +{ +// the hope is that this must be a URI +CurlUri const uri(rSession.m_Proxy.aName); +if (!uri.GetUser().isEmpty() || !uri.GetPassword().isEmpty()) +{ +oAuthProxy.emplace(uri.GetUser(), uri.GetPassword(), CURLAUTH_ANY); +} +} +catch (DAVException&) { -oAuthProxy.emplace(uri.GetUser(), uri.GetPassword(), CURLAUTH_ANY); +// ignore any parsing failure here } } decltype(CURLAUTH_ANY) const authSystem(CURLAUTH_NEGOTIATE | CURLAUTH_NTLM | CURLAUTH_NTLM_WB);
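Review bot: The empty `catch (DAVException&)` hides every failure of the `CurlUri` constructor, not only the CURLUE_BAD_SCHEME case named in the commit message, so a proxy entry whose embedded credentials fail to parse is silently used without them. A log line in the handler would make that diagnosable, e.g. `SAL_INFO("ucb.ucp.webdav.curl", "proxy name is not a URI, no credentials extracted");`. Keep the proxy string itself out of the message, since it may carry a user name and password. Catching by `DAVException const&` would also match the usual convention. ProcessRequest continues outside the hunk.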
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx |4 1 file changed, 4 insertions(+) New commits: commit 829658fda824f465c596cdd7bcaf6397d8e66982 Author: Michael Stahl AuthorDate: Tue Jun 6 14:06:35 2023 +0200 Commit: Michael Stahl CommitDate: Tue Jun 6 16:42:33 2023 +0200 ucb: webdav-curl: auth data is invalid when receiving 401 Even if it used to be valid before; unfortunately newly entered credentials weren't actually used because the flag was never reset. Change-Id: Ib36689f40ff780596b9cfe6fe589a6f2e79cfcd2 diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 430c927df60d..407d91f19248 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1472,6 +1472,10 @@ auto CurlProcessor::ProcessRequest( case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: { +(statusCode != SC_PROXY_AUTHENTICATION_REQUIRED + ? rSession.m_isAuthenticated + : rSession.m_isAuthenticatedProxy) += false; // any auth data in m_pCurl is invalid auto& rnAuthRequests(statusCode != SC_PROXY_AUTHENTICATION_REQUIRED ? nAuthRequests : nAuthRequestsProxy);
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) New commits: commit ce3d69ec11b0aacff085d0ce20e8ed84406743da Author: Michael Stahl AuthorDate: Fri Aug 12 16:43:12 2022 +0200 Commit: Michael Stahl CommitDate: Fri Jun 2 12:22:22 2023 +0200 tdf#149921 ucb: webdav-curl: WNT: certificate revocation check - don't require it to be successful. Trying to connect to a server with self-signed CA results in: warn:ucb.ucp.webdav.curl:6796:6568:ucb/source/ucp/webdav-curl/CurlSession.cxx:946: curl_easy_perform failed: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Apparently schannel wants to check by default (called with SCH_CRED_REVOCATION_CHECK_CHAIN) that all the certificates aren't revoked, but the self-signed CA doesn't specify how to check. Set it to only check revocation when the way to do so actually works, via CURLSSLOPT_REVOKE_BEST_EFFORT, which sets these flags: SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_REVOCATION_CHECK_CHAIN Change-Id: I6d77ca23fe2012d8a5d65000b14775070b5c9a0f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/138204 Tested-by: Jenkins Reviewed-by: Michael Stahl (cherry picked from commit f6a0ca0e92e41ad8fea71acdacdc7ec5e775dc59) diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index f1a0b736e5f9..430c927df60d 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx 
@@ -724,8 +724,16 @@ CurlSession::CurlSession(uno::Reference const& xContext, rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HEADERFUNCTION, _callback); rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SHARE, g_Init.pShare.get()); assert(rc == CURLE_OK); -// set this initially, may be overwritten during authentication +// tdf#149921 by default, with schannel (WNT) connection fails if revocation +// lists cannot be checked; try to limit the checking to when revocation +// lists can actually be retrieved (usually not the case for self-signed CA) +#if CURL_AT_LEAST_VERSION(7, 70, 0) +rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); +assert(rc == CURLE_OK); +rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_REVOKE_BEST_EFFORT); assert(rc == CURLE_OK); +#endif +// set this initially, may be overwritten during authentication rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_HTTPAUTH, CURLAUTH_ANY); assert(rc == CURLE_OK); // ANY is always available // always set CURLOPT_PROXY to suppress proxy detection in libcurl
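Review bot: The new comment above `CURLOPT_SSL_OPTIONS` explains the self-signed-CA case but not the trade-off. `CURLSSLOPT_REVOKE_BEST_EFFORT` makes revocation checking soft-fail for every connection made through this handle, and through the proxy handle as well, so a revoked certificate is accepted whenever its revocation information is missing or cannot be fetched. I would add a line such as `// note: best effort == soft-fail: a revoked cert passes if its revocation status cannot be retrieved` so the relaxation is a documented decision. `CURLOPT_SSL_OPTIONS` is a bitmask, so anyone adding another SSL option later must OR it with this value rather than set it separately. The constructor body continues outside the hunk.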
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx |7 --- 1 file changed, 4 insertions(+), 3 deletions(-) New commits: commit e84c21aca4b72d9e86c856f717b3bf1b75f190af Author: Michael Stahl AuthorDate: Wed Oct 19 11:40:28 2022 +0200 Commit: Michael Stahl CommitDate: Wed Oct 19 11:42:33 2022 +0200 ucb: webdav-curl: enable cookie engine on 403 fallback Change-Id: Iafa8bdd183ef8a514b656ec41a9b7a6fa1e3acb9 diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index eda577ef722f..f986896c7e57 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1384,6 +1384,10 @@ auto CurlProcessor::ProcessRequest( { break; } +// both fallbacks need cookie engine enabled +CURLcode rc += curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, ""); +assert(rc == CURLE_OK); if (cookies.isEmpty() // retry only once - could be expired... && rSession.m_URI.GetScheme() == "https") // only encrypted { @@ -1391,9 +1395,6 @@ auto CurlProcessor::ProcessRequest( = TryImportCookies(rSession.m_xContext, rSession.m_URI.GetHost()); if (!cookies.isEmpty()) { -CURLcode rc = curl_easy_setopt(rSession.m_pCurl.get(), - CURLOPT_COOKIEFILE, ""); -assert(rc == CURLE_OK); rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIE, cookies.getStr()); assert(rc == CURLE_OK);
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx |7 +++ 1 file changed, 7 insertions(+) New commits: commit 388a702af2fe45b2c436e64eb8639f16c1e24b76 Author: Michael Stahl AuthorDate: Tue Oct 18 18:35:35 2022 +0200 Commit: Michael Stahl CommitDate: Tue Oct 18 18:36:25 2022 +0200 ucb: webdav-curl: add magic header to disable FBA in 403 fallback Change-Id: I0018a9904857d7521895936dc27607a54523f300 diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 5d0616e2e1b9..eda577ef722f 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1404,6 +1404,13 @@ auto CurlProcessor::ProcessRequest( } } SAL_INFO("ucb.ucp.webdav.curl", "403 fallback authentication hack"); +// disable 302 redirect +pRequestHeaderList.reset(curl_slist_append( +pRequestHeaderList.release(), "X-FORMS_BASED_AUTH_ACCEPTED: f")); +if (!pRequestHeaderList) +{ +throw uno::RuntimeException("curl_slist_append failed"); +} } [[fallthrough]]; // SP, no cookie, or cookie failed: try NTLM case SC_UNAUTHORIZED:
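Review bot: `pRequestHeaderList.release()` gives up ownership before `curl_slist_append` has succeeded, so if the append returns null the existing list is no longer owned by anything and leaks just before the `RuntimeException` is thrown. Appending to `pRequestHeaderList.get()` and swapping ownership only on success avoids that. This code also sits in the 403 branch of what appears to be the retry loop (the loop itself is outside the hunk), so the header may be appended again on each further 403; a guard flag would prevent duplicates. The comment `// disable 302 redirect` could also say that this is the header that turns off forms-based authentication, as the commit title puts it.

```cpp
// disable 302 redirect
curl_slist* const pAppended(curl_slist_append(
    pRequestHeaderList.get(), "X-FORMS_BASED_AUTH_ACCEPTED: f"));
if (!pAppended)
{
    // the original list is still owned by pRequestHeaderList here
    throw uno::RuntimeException("curl_slist_append failed");
}
pRequestHeaderList.release(); // same list, now including the new node
pRequestHeaderList.reset(pAppended);
```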
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) New commits: commit 37abfd767874441568d9f5ac499b2d93d34e10fe Author: Michael Stahl AuthorDate: Thu Oct 13 12:15:21 2022 +0200 Commit: Michael Stahl CommitDate: Thu Oct 13 12:16:02 2022 +0200 ucb: webdav-curl: try fallback authentication with Negotiate instead Change-Id: I93e0c8f95beafc30b94296430352f2ae54e65b11 diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index b698026d16b6..5d0616e2e1b9 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1442,8 +1442,8 @@ auto CurlProcessor::ProcessRequest( { // SharePoint hack: try NTLM auth assert(authAvail == 0); // note: this must be a single value! -// would need 2 iterations to try CURLAUTH_NEGOTIATE too -authAvail = CURLAUTH_NTLM; +// would need 2 iterations to try CURLAUTH_NTLM too +authAvail = CURLAUTH_NEGOTIATE; } // only allow SystemCredentials once - the // PasswordContainer may have stored it in the
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx | 60 +++-- 1 file changed, 40 insertions(+), 20 deletions(-) New commits: commit c6df10ce7f91b3084255bfbbac95e865bbb3ce7b Author: Michael Stahl AuthorDate: Mon Oct 10 15:40:41 2022 +0200 Commit: Michael Stahl CommitDate: Wed Oct 12 11:25:40 2022 +0200 ucb: webdav-curl: try fallback authentication on 403 error Sharepoint reports lack of authentication with 403 status and additional X-MSDAVEXT_ERROR header value 0x000E0098. Try to fallback to NTLM auth in this case, if a first attempt with imported cookie didn't work. Note that the build config of libcurl on Linux is such that adding CURLAUTH_NEGOTIATE has no effect, but on WNT it causes the AuthMask to be ambiguous and prevents curl from trying NTLM. diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index cc0a2368784f..b698026d16b6 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx 
@@ -1380,29 +1380,38 @@ auto CurlProcessor::ProcessRequest( ProcessHeaders(headers.HeaderFields.back().first)); // X-MSDAVEXT_Error see [MS-WEBDAVE] 2.2.3.1.9 auto const it(headerMap.find("x-msdavext_error")); +if (it == headerMap.end() || !it->second.startsWith("917656;")) +{ +break; +} if (cookies.isEmpty() // retry only once - could be expired... -&& rSession.m_URI.GetScheme() == "https" // only encrypted -&& it != headerMap.end() -&& it->second.startsWith("917656;")) +&& rSession.m_URI.GetScheme() == "https") // only encrypted { -cookies = TryImportCookies(rSession.m_xContext, rSession.m_URI.GetHost()); +cookies += TryImportCookies(rSession.m_xContext, rSession.m_URI.GetHost()); if (!cookies.isEmpty()) { -CURLcode rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, ""); +CURLcode rc = curl_easy_setopt(rSession.m_pCurl.get(), + CURLOPT_COOKIEFILE, ""); assert(rc == CURLE_OK); -rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIE, cookies.getStr()); +rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIE, + cookies.getStr()); assert(rc == CURLE_OK); (void)rc; isRetry = true; +SAL_INFO("ucb.ucp.webdav.curl", "FedAuth cookie set"); +break; // try cookie once } } -break; +SAL_INFO("ucb.ucp.webdav.curl", "403 fallback authentication hack"); } +[[fallthrough]]; // SP, no cookie, or cookie failed: try NTLM case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: { -auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? nAuthRequests - : nAuthRequestsProxy); +auto& rnAuthRequests(statusCode != SC_PROXY_AUTHENTICATION_REQUIRED + ? nAuthRequests + : nAuthRequestsProxy); if (rnAuthRequests == 10) { SAL_INFO("ucb.ucp.webdav.curl", "aborting authentication after " 
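Review bot: The literal `"917656;"` in the new early-exit check is the decimal form of the 0x000E0098 value that the commit message names, and nothing in the code connects the two. A comment next to the check would make it searchable, e.g. `// 917656 == 0x000E0098: X-MSDAVEXT_Error value SharePoint sends with 403 when authentication is missing`. The same literal appears in the corresponding hunks of commits cc77bc0e5273c6cf404851624ce5b127cdd839f4 and 23ff13457247e4457817b3e2dc24d99fc8703f9d further down this page. The `case` block and the surrounding switch begin and end outside the hunk.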
@@ -1410,22 +1419,32 @@ auto CurlProcessor::ProcessRequest( } else if (pEnv && pEnv->m_xAuthListener) { -::std::optional const oRealm(ExtractRealm( -headers, statusCode == SC_UNAUTHORIZED ? "WWW-Authenticate" - : "Proxy-Authenticate")); +::std::optional const oRealm( +ExtractRealm(headers, statusCode != SC_PROXY_AUTHENTICATION_REQUIRED + ? "WWW-Authenticate" + :
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx | 58 ++--- 1 file changed, 20 insertions(+), 38 deletions(-) New commits: commit ecf5156e53878fb19d8921af64a54a8b4e6ddf4c Author: Michael Stahl AuthorDate: Mon Oct 10 15:01:08 2022 +0200 Commit: Michael Stahl CommitDate: Mon Oct 10 15:01:08 2022 +0200 Revert "ucb: webdav-curl: try fallback authentication on 403 error" This reverts commit cc77bc0e5273c6cf404851624ce5b127cdd839f4. diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 5b2479fb1f88..cc0a2368784f 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx 
@@ -1380,38 +1380,29 @@ auto CurlProcessor::ProcessRequest( ProcessHeaders(headers.HeaderFields.back().first)); // X-MSDAVEXT_Error see [MS-WEBDAVE] 2.2.3.1.9 auto const it(headerMap.find("x-msdavext_error")); -if (it == headerMap.end() || !it->second.startsWith("917656;")) -{ -break; -} if (cookies.isEmpty() // retry only once - could be expired... -&& rSession.m_URI.GetScheme() == "https") // only encrypted +&& rSession.m_URI.GetScheme() == "https" // only encrypted +&& it != headerMap.end() +&& it->second.startsWith("917656;")) { -cookies -= TryImportCookies(rSession.m_xContext, rSession.m_URI.GetHost()); +cookies = TryImportCookies(rSession.m_xContext, rSession.m_URI.GetHost()); if (!cookies.isEmpty()) { -CURLcode rc = curl_easy_setopt(rSession.m_pCurl.get(), - CURLOPT_COOKIEFILE, ""); +CURLcode rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, ""); assert(rc == CURLE_OK); -rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIE, - cookies.getStr()); +rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIE, cookies.getStr()); assert(rc == CURLE_OK); (void)rc; isRetry = true; -SAL_INFO("ucb.ucp.webdav.curl", "FedAuth cookie set"); -break; // try cookie once } } -SAL_INFO("ucb.ucp.webdav.curl", "403 fallback authentication hack"); +break; } -[[fallthrough]]; // SP, no cookie, or cookie failed: try NTLM case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: { -auto& rnAuthRequests(statusCode != SC_PROXY_AUTHENTICATION_REQUIRED - ? nAuthRequests - : nAuthRequestsProxy); +auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? nAuthRequests + : nAuthRequestsProxy); if (rnAuthRequests == 10) { SAL_INFO("ucb.ucp.webdav.curl", "aborting authentication after " 
@@ -1419,30 +1410,22 @@ auto CurlProcessor::ProcessRequest( } else if (pEnv && pEnv->m_xAuthListener) { -::std::optional const oRealm( -ExtractRealm(headers, statusCode != SC_PROXY_AUTHENTICATION_REQUIRED - ? "WWW-Authenticate" - : "Proxy-Authenticate")); +::std::optional const oRealm(ExtractRealm( +headers, statusCode == SC_UNAUTHORIZED ? "WWW-Authenticate" + : "Proxy-Authenticate")); ::std::optional& roAuth( -statusCode != SC_PROXY_AUTHENTICATION_REQUIRED ? oAuth - : oAuthProxy); +statusCode == SC_UNAUTHORIZED ? oAuth : oAuthProxy);
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx | 58 +++-- 1 file changed, 38 insertions(+), 20 deletions(-) New commits: commit cc77bc0e5273c6cf404851624ce5b127cdd839f4 Author: Michael Stahl AuthorDate: Fri Oct 7 12:41:29 2022 +0200 Commit: Michael Stahl CommitDate: Fri Oct 7 13:34:48 2022 +0200 ucb: webdav-curl: try fallback authentication on 403 error Sharepoint reports lack of authentication with 403 status and additional X-MSDAVEXT_ERROR header value 0x000E0098. Try to fallback to NTLM auth in this case, if a first attempt with imported cookie didn't work. Change-Id: I0d6dca2989d276262547a61784a3d0ed8bff9abd diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index cc0a2368784f..5b2479fb1f88 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx 
@@ -1380,29 +1380,38 @@ auto CurlProcessor::ProcessRequest( ProcessHeaders(headers.HeaderFields.back().first)); // X-MSDAVEXT_Error see [MS-WEBDAVE] 2.2.3.1.9 auto const it(headerMap.find("x-msdavext_error")); +if (it == headerMap.end() || !it->second.startsWith("917656;")) +{ +break; +} if (cookies.isEmpty() // retry only once - could be expired... -&& rSession.m_URI.GetScheme() == "https" // only encrypted -&& it != headerMap.end() -&& it->second.startsWith("917656;")) +&& rSession.m_URI.GetScheme() == "https") // only encrypted { -cookies = TryImportCookies(rSession.m_xContext, rSession.m_URI.GetHost()); +cookies += TryImportCookies(rSession.m_xContext, rSession.m_URI.GetHost()); if (!cookies.isEmpty()) { -CURLcode rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, ""); +CURLcode rc = curl_easy_setopt(rSession.m_pCurl.get(), + CURLOPT_COOKIEFILE, ""); assert(rc == CURLE_OK); -rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIE, cookies.getStr()); +rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIE, + cookies.getStr()); assert(rc == CURLE_OK); (void)rc; isRetry = true; +SAL_INFO("ucb.ucp.webdav.curl", "FedAuth cookie set"); +break; // try cookie once } } -break; +SAL_INFO("ucb.ucp.webdav.curl", "403 fallback authentication hack"); } +[[fallthrough]]; // SP, no cookie, or cookie failed: try NTLM case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: { -auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? nAuthRequests - : nAuthRequestsProxy); +auto& rnAuthRequests(statusCode != SC_PROXY_AUTHENTICATION_REQUIRED + ? nAuthRequests + : nAuthRequestsProxy); if (rnAuthRequests == 10) { SAL_INFO("ucb.ucp.webdav.curl", "aborting authentication after " 
@@ -1410,22 +1419,30 @@ auto CurlProcessor::ProcessRequest( } else if (pEnv && pEnv->m_xAuthListener) { -::std::optional const oRealm(ExtractRealm( -headers, statusCode == SC_UNAUTHORIZED ? "WWW-Authenticate" - : "Proxy-Authenticate")); +::std::optional const oRealm( +ExtractRealm(headers, statusCode != SC_PROXY_AUTHENTICATION_REQUIRED + ? "WWW-Authenticate" + : "Proxy-Authenticate")); ::std::optional& roAuth( -statusCode == SC_UNAUTHORIZED ?
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx | 38 +-- ucb/source/ucp/webdav-curl/ImportCookies.cxx | 19 + 2 files changed, 38 insertions(+), 19 deletions(-) New commits: commit 23ff13457247e4457817b3e2dc24d99fc8703f9d Author: Michael Stahl AuthorDate: Fri Sep 16 21:25:50 2022 +0200 Commit: Michael Stahl CommitDate: Fri Sep 16 21:25:50 2022 +0200 ucb: webdav-curl: tweak cookie import Improve error handling/logging, and do it only if the error code 0x000E0098 is received. Change-Id: I47dada2ef08b21a43cdfa3db9eb2fcdb4043a04f diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 066ad2d2feb9..cc0a2368784f 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -707,19 +707,6 @@ CurlSession::CurlSession(uno::Reference const& xContext, rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_FORBID_REUSE, 1L); assert(rc == CURLE_OK); } -#ifdef _WIN32 -if (m_URI.GetScheme() == "https") -{ -OString const cookies(TryImportCookies(m_xContext, m_URI.GetHost())); -if (!cookies.isEmpty()) -{ -rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_COOKIEFILE, ""); -assert(rc == CURLE_OK); -rc = curl_easy_setopt(m_pCurl.get(), CURLOPT_COOKIE, cookies.getStr()); -assert(rc == CURLE_OK); -} -} -#endif } CurlSession::~CurlSession() {} @@ -1247,6 +1234,7 @@ auto CurlProcessor::ProcessRequest( bool isRetry(false); int nAuthRequests(0); int nAuthRequestsProxy(0); +OString cookies; // libcurl does not have an authentication callback so handle auth // related status codes and requesting credentials via this loop 
@@ -1386,6 +1374,30 @@ auto CurlProcessor::ProcessRequest( } break; } +case SC_FORBIDDEN: +{ +::std::map const headerMap( +ProcessHeaders(headers.HeaderFields.back().first)); +// X-MSDAVEXT_Error see [MS-WEBDAVE] 2.2.3.1.9 +auto const it(headerMap.find("x-msdavext_error")); +if (cookies.isEmpty() // retry only once - could be expired... +&& rSession.m_URI.GetScheme() == "https" // only encrypted +&& it != headerMap.end() +&& it->second.startsWith("917656;")) +{ +cookies = TryImportCookies(rSession.m_xContext, rSession.m_URI.GetHost()); +if (!cookies.isEmpty()) +{ +CURLcode rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIEFILE, ""); +assert(rc == CURLE_OK); +rc = curl_easy_setopt(rSession.m_pCurl.get(), CURLOPT_COOKIE, cookies.getStr()); +assert(rc == CURLE_OK); +(void)rc; +isRetry = true; +} +} +break; +} case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: { diff --git a/ucb/source/ucp/webdav-curl/ImportCookies.cxx b/ucb/source/ucp/webdav-curl/ImportCookies.cxx index 897299da3c0a..4df885e4efc7 100644 --- a/ucb/source/ucp/webdav-curl/ImportCookies.cxx +++ b/ucb/source/ucp/webdav-curl/ImportCookies.cxx @@ -24,6 +24,8 @@ #include #ifdef _WIN32 +#include + #include #include @@ -98,7 +100,7 @@ OString TryImportCookies(uno::Reference const& xContext[ char* err(nullptr); Value value; OString const statement("SELECT value, LENGTH(encrypted_value), encrypted_value FROM cookies " -"WHERE name = \"FedAuth\" and host_key = \"" +"WHERE name = \"FedAuth\" AND host_key = \"" + ::rtl::OUStringToOString(rHost, RTL_TEXTENCODING_ASCII_US) + "\";"); rc = sqlite3_exec(db, statement.getStr(), callback, , ); if (rc != SQLITE_OK) @@ -113,7 +115,7 @@ OString TryImportCookies(uno::Reference const& xContext[ } if (value.encryptedValue.getLength() < 3 + 12 + 16) { -SAL_INFO("ucb.ucp.webdav.curl", "encrypted_value too short"); +SAL_INFO("ucb.ucp.webdav.curl", "encrypted_value too short: " << value.encryptedValue.getLength()); return OString(); } 
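Review bot: The `SELECT` in the `@@ -98,7 +100,7 @@` hunk of ImportCookies.cxx is still built by concatenating `rHost` between escaped double quotes, so a host string containing a quote character would change the statement that `sqlite3_exec` runs against the browser's cookie database. Whether such a host can get past URI parsing is not visible here, but binding the value removes the question. Prepare the statement with a placeholder and pass the host through `sqlite3_bind_text`; the row handling now done in `callback` would move to a `sqlite3_step` loop. TryImportCookies starts and ends outside the hunk.

```cpp
// … unchanged: sqlite3_open_v2 and its error path …
sqlite3_stmt* stmt(nullptr);
rc = sqlite3_prepare_v2(db,
                        "SELECT value, LENGTH(encrypted_value), encrypted_value FROM cookies "
                        "WHERE name = 'FedAuth' AND host_key = ?1;",
                        -1, &stmt, nullptr);
if (rc == SQLITE_OK)
{
    OString const host(::rtl::OUStringToOString(rHost, RTL_TEXTENCODING_ASCII_US));
    // the host is passed as data and never parsed as SQL
    rc = sqlite3_bind_text(stmt, 1, host.getStr(), host.getLength(), SQLITE_TRANSIENT);
}
// … sqlite3_step() over the result to fill `value` as callback does today, then sqlite3_finalize(stmt) …
```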
@@ -125,7 +127,7 @@ OString TryImportCookies(uno::Reference const& xContext[ OUString const stateUrl = localAppDirUrl + "/Microsoft/Edge/User Data/Local State"; OUString statePathU;
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx |6 -- 1 file changed, 6 deletions(-) New commits: commit 5df5d4c179af34166f85f7cfa507cabe2d08f720 Author: Michael Stahl AuthorDate: Thu Sep 1 11:14:51 2022 +0200 Commit: Michael Stahl CommitDate: Thu Sep 1 11:16:22 2022 +0200 Revert "ucb: webdav-curl: try to auth on 403" This reverts commit 9352ba337a84672a0ba60651023422de88105456. diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index c503b265fcb0..066ad2d2feb9 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1386,12 +1386,6 @@ auto CurlProcessor::ProcessRequest( } break; } -case SC_FORBIDDEN: // treat as 401, just for testing! -if (rSession.m_isAuthenticated) -{ -break; -} -[[fallthrough]]; case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: {
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx |6 ++ 1 file changed, 6 insertions(+) New commits: commit 9352ba337a84672a0ba60651023422de88105456 Author: Michael Stahl AuthorDate: Tue Jul 19 14:12:38 2022 +0200 Commit: Michael Stahl CommitDate: Tue Jul 19 14:23:59 2022 +0200 ucb: webdav-curl: try to auth on 403 This is just for testing, don't ship. Change-Id: Ic2344c61cbe3cf419b698be526a20388c0ef4f37 diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index 4fe05ab97e72..c3fd76062e2c 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1373,6 +1373,12 @@ auto CurlProcessor::ProcessRequest( } break; } +case SC_FORBIDDEN: // treat as 401, just for testing! +if (rSession.m_isAuthenticated) +{ +break; +} +[[fallthrough]]; case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: {
[Libreoffice-commits] core.git: Branch 'distro/cib/libreoffice-6-4' - ucb/source
ucb/source/ucp/webdav-curl/CurlSession.cxx | 20 ++-- 1 file changed, 18 insertions(+), 2 deletions(-) New commits: commit d98aa6397dce8c3ad27cee7faaeb3048c5933b75 Author: Michael Stahl AuthorDate: Wed Apr 13 16:50:30 2022 +0200 Commit: Michael Stahl CommitDate: Thu Apr 14 12:15:44 2022 +0200 ucb: webdav-curl: only allow system credentials for auth once ... and in any case abort authentication after 10 failed attempts. Apparently some PasswordContainer can turn this into an infinite loop. Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132974 Tested-by: Jenkins Reviewed-by: Michael Stahl (cherry picked from commit 2bc4d1d22fdbd9d97c66bb53762b4b4bf7b61b47) ucb: webdav-curl: oops, increment after checking Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132982 Reviewed-by: Michael Stahl Tested-by: Jenkins (cherry picked from commit ab65a74998b498ff49c15db87fc14a9afa89d8bf) Change-Id: Ib2333b371a770999e8407ce7e1af21512aadb70d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/132867 Tested-by: Jenkins Reviewed-by: Thorsten Behrens (cherry picked from commit 6b54e6a8e64233de63b826211b81a8ed6767483f) diff --git a/ucb/source/ucp/webdav-curl/CurlSession.cxx b/ucb/source/ucp/webdav-curl/CurlSession.cxx index bddefa1ad117..dbc2e45cd3eb 100644 --- a/ucb/source/ucp/webdav-curl/CurlSession.cxx +++ b/ucb/source/ucp/webdav-curl/CurlSession.cxx @@ -1222,6 +1222,8 @@ auto CurlProcessor::ProcessRequest( } } bool isRetry(false); +int nAuthRequests(0); +int nAuthRequestsProxy(0); // libcurl does not have an authentication callback so handle auth // related status codes and requesting credentials via this loop 
@@ -1364,7 +1366,14 @@ auto CurlProcessor::ProcessRequest( case SC_UNAUTHORIZED: case SC_PROXY_AUTHENTICATION_REQUIRED: { -if (pEnv && pEnv->m_xAuthListener) +auto& rnAuthRequests(statusCode == SC_UNAUTHORIZED ? nAuthRequests + : nAuthRequestsProxy); +if (rnAuthRequests == 10) +{ +SAL_INFO("ucb.ucp.webdav.curl", "aborting authentication after " +<< rnAuthRequests << " attempts"); +} +else if (pEnv && pEnv->m_xAuthListener) { ::std::optional const oRealm(ExtractRealm( headers, statusCode == SC_UNAUTHORIZED ? "WWW-Authenticate" @@ -1382,7 +1391,14 @@ auto CurlProcessor::ProcessRequest( ); assert(rc == CURLE_OK); (void)rc; -bool const isSystemCredSupported((authAvail & authSystem) != 0); +// only allow SystemCredentials once - the +// PasswordContainer may have stored it in the +// Config (TrySystemCredentialsFirst or +// AuthenticateUsingSystemCredentials) and then it +// will always force its use no matter how hopeless +bool const isSystemCredSupported((authAvail & authSystem) != 0 + && rnAuthRequests == 0); +++rnAuthRequests; // Ask user via XInteractionHandler. // Warning: This likely runs an event loop which may