summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Newson <rnewson@apache.org>2020-01-20 14:30:54 +0000
committerGitHub <noreply@github.com>2020-01-20 14:30:54 +0000
commit2c9ddd696b024267b051d069e91f95e49b8eec22 (patch)
tree4f2a8609d7618e084454d88e607adcfb3bfcd261
parent7214e506199f41babd09611c7ab3564291d5be06 (diff)
parentb94645752f374847e70821137cc6eba53d83c944 (diff)
downloadcouchdb-2c9ddd696b024267b051d069e91f95e49b8eec22.tar.gz
Merge pull request #2473 from apache/infinite-loop-auth
Fix infinite loop in default_authentication_handler
-rw-r--r--src/chttpd/src/chttpd_auth.erl8
-rw-r--r--src/couch/src/couch_httpd_auth.erl5
2 files changed, 5 insertions, 8 deletions
diff --git a/src/chttpd/src/chttpd_auth.erl b/src/chttpd/src/chttpd_auth.erl
index 45e11905b..607f09a8a 100644
--- a/src/chttpd/src/chttpd_auth.erl
+++ b/src/chttpd/src/chttpd_auth.erl
@@ -55,10 +55,12 @@ party_mode_handler(#httpd{method='POST', path_parts=[<<"_session">>]} = Req) ->
% See #1947 - users should always be able to attempt a login
Req#httpd{user_ctx=#user_ctx{}};
party_mode_handler(Req) ->
- case config:get("chttpd", "require_valid_user", "false") of
- "true" ->
+ RequireValidUser = config:get_boolean("chttpd", "require_valid_user", false),
+ ExceptUp = config:get_boolean("chttpd", "require_valid_user_except_for_up", true),
+ case RequireValidUser andalso not ExceptUp of
+ true ->
throw({unauthorized, <<"Authentication required.">>});
- "false" ->
+ false ->
case config:get("admins") of
[] ->
Req#httpd{user_ctx = ?ADMIN_USER};
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index 96de5bf3b..5e4450301 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -88,11 +88,6 @@ basic_name_pw(Req) ->
default_authentication_handler(Req) ->
default_authentication_handler(Req, couch_auth_cache).
-default_authentication_handler(#httpd{path_parts=[<<"_up">>]}=Req, AuthModule) ->
- case config:get_boolean("chttpd", "require_valid_user_except_for_up", false) of
- true -> Req#httpd{user_ctx=?ADMIN_USER};
- _False -> default_authentication_handler(Req, AuthModule)
- end;
default_authentication_handler(Req, AuthModule) ->
case basic_name_pw(Req) of
{User, Pass} ->