nginx: src/http/ngx_http_core_module.c comparison

comparison src/http/ngx_http_core_module.c @ 8038:711737177b77

Multiple WWW-Authenticate headers with "satisfy any;". If a module adds multiple WWW-Authenticate headers (ticket #485) to the response, linked in r->headers_out.www_authenticate, all headers are now cleared if another module later allows access. This change is a nop for standard modules, since the only access module which can add multiple WWW-Authenticate headers is the auth request module, and it is checked after other standard access modules. Though this might affect some third party access modules. Note that if a 3rd party module adds a single WWW-Authenticate header and not yet modified to set the header's next pointer to NULL, attempt to clear such a header with this change will result in a segmentation fault.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Mon, 30 May 2022 21:25:56 +0300
parents	d26db4f82d7d
children	4cc2bfeff46c 8d0753760546

comparison

equal deleted inserted replaced

-:8272c823a7d0
+:711737177b77
 ngx_int_t
 ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
 {
 ngx_int_t                  rc;
+ngx_table_elt_t           *h;
 ngx_http_core_loc_conf_t  *clcf;
 if (r != r->main) {
 r->phase_handler = ph->next;
 return NGX_AGAIN;
 } else {
 if (rc == NGX_OK) {
 r->access_code = 0;
-if (r->headers_out.www_authenticate) {
+for (h = r->headers_out.www_authenticate; h; h = h->next) {
-r->headers_out.www_authenticate->hash = 0;
+h->hash = 0;
 }
 r->phase_handler = ph->next;
 return NGX_AGAIN;
 }

Mercurial > hg > nginx

comparison src/http/ngx_http_core_module.c @ 8038:711737177b77