# HG changeset patch
# User Maxim Dounin
# Date 1382105629 -14400
# Node ID fcecb9c6a0573f2edd48ff87cef69bd7e7523729
# Parent 7ed23dcfea3d3d7fa3924d924414bd9cb341b163
Fixed "satisfy any" if 403 is returned after 401 (ticket #285). The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the latter should be returned with the WWW-Authenticate header to request authentication by a client. The problem could be triggered with 3rd party modules and the "deny" directive, or with auth_basic and auth_request which returns 403 (in 1.5.4+). Patch by Jan Marc Hoffmann.
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1144,7 +1144,9 @@ ngx_http_core_access_phase(ngx_http_requ
 }
 if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) {
- r->access_code = rc;
+ if (r->access_code != NGX_HTTP_UNAUTHORIZED) {
+ r->access_code = rc;
+ }
 r->phase_handler++;
 return NGX_AGAIN;
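Review bot: The new inner check `if (r->access_code != NGX_HTTP_UNAUTHORIZED)` carries no comment explaining why a recorded 401 must win over a later 403; that reasoning lives only in the commit message. I would add above it `/* keep 401: it must reach the client with WWW-Authenticate, a later 403 must not mask it */`. The guard also assumes `r->access_code` holds no stale 401 when the access phase starts for a request; where that field is initialised or reset is outside the hunk, so that is worth confirming. A regression test where one access handler returns 401 and a later one returns 403 would pin the precedence. The body of ngx_http_core_access_phase starts and ends outside the hunk.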