author | Robert Newson <rnewson@apache.org> | 2020-01-20 14:30:54 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-01-20 14:30:54 +0000 |
commit | 2c9ddd696b024267b051d069e91f95e49b8eec22 (patch) | |
tree | 4f2a8609d7618e084454d88e607adcfb3bfcd261 | |
parent | 7214e506199f41babd09611c7ab3564291d5be06 (diff) | |
parent | b94645752f374847e70821137cc6eba53d83c944 (diff) | |
download | couchdb-2c9ddd696b024267b051d069e91f95e49b8eec22.tar.gz |
Merge pull request #2473 from apache/infinite-loop-auth
Fix infinite loop in default_authentication_handler
-rw-r--r-- | src/chttpd/src/chttpd_auth.erl | 8 | ||||
-rw-r--r-- | src/couch/src/couch_httpd_auth.erl | 5 |
2 files changed, 5 insertions, 8 deletions
diff --git a/src/chttpd/src/chttpd_auth.erl b/src/chttpd/src/chttpd_auth.erl
index 45e11905b..607f09a8a 100644
--- a/src/chttpd/src/chttpd_auth.erl
+++ b/src/chttpd/src/chttpd_auth.erl
@@ -55,10 +55,12 @@ party_mode_handler(#httpd{method='POST', path_parts=[<<"_session">>]} = Req) ->
 % See #1947 - users should always be able to attempt a login
 Req#httpd{user_ctx=#user_ctx{}};
 party_mode_handler(Req) ->
- case config:get("chttpd", "require_valid_user", "false") of
- "true" ->
+ RequireValidUser = config:get_boolean("chttpd", "require_valid_user", false),
+ ExceptUp = config:get_boolean("chttpd", "require_valid_user_except_for_up", true),
+ case RequireValidUser andalso not ExceptUp of
+ true ->
 throw({unauthorized, <<"Authentication required.">>});
- "false" ->
+ false ->
 case config:get("admins") of
 [] ->
 Req#httpd{user_ctx = ?ADMIN_USER};
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 96de5bf3b..5e4450301 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -88,11 +88,6 @@ basic_name_pw(Req) ->
 default_authentication_handler(Req) ->
 default_authentication_handler(Req, couch_auth_cache).
-default_authentication_handler(#httpd{path_parts=[<<"_up">>]}=Req, AuthModule) ->
- case config:get_boolean("chttpd", "require_valid_user_except_for_up", false) of
- true -> Req#httpd{user_ctx=?ADMIN_USER};
- _False -> default_authentication_handler(Req, AuthModule)
- end;
 default_authentication_handler(Req, AuthModule) ->
 case basic_name_pw(Req) of
 {User, Pass} -> |
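Review bot: The new guard `RequireValidUser andalso not ExceptUp` sits in the catch-all `party_mode_handler(Req)` clause and is not tied to the `_up` path, so whenever `require_valid_user_except_for_up` is true the "Authentication required." throw is skipped for every request that reaches this clause, not only the health check. The default for that key also changes from `false` (in the clause removed from couch_httpd_auth.erl) to `true`, so a node configured with only `require_valid_user = true` would appear to lose enforcement here unless the key is set explicitly. I would give the exemption its own clause head, `party_mode_handler(#httpd{path_parts=[<<"_up">>]} = Req) ->`, read the key as `config:get_boolean("chttpd", "require_valid_user_except_for_up", false)`, and have the general clause throw whenever `RequireValidUser` is true. The `case config:get("admins")` body continues past the end of the hunk, so which user_ctx its other branch assigns is not visible here.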