changeset 5428:fcecb9c6a057

Fixed "satisfy any" if 403 is returned after 401 (ticket #285). The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the latter should be returned with the WWW-Authenticate header to request authentication by a client. The problem could be triggered with 3rd party modules and the "deny" directive, or with auth_basic and auth_request which returns 403 (in 1.5.4+). Patch by Jan Marc Hoffmann.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 18 Oct 2013 18:13:49 +0400
parents 7ed23dcfea3d
children e6a1623f87bc
files src/http/ngx_http_core_module.c
diffstat 1 files changed, 3 insertions(+), 1 deletions(-)
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1144,7 +1144,9 @@ ngx_http_core_access_phase(ngx_http_requ
         }
 
         if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) {
-            r->access_code = rc;
+            if (r->access_code != NGX_HTTP_UNAUTHORIZED) {
+                r->access_code = rc;
+            }
 
             r->phase_handler++;
             return NGX_AGAIN;
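Review bot: the new guard `if (r->access_code != NGX_HTTP_UNAUTHORIZED)` around `r->access_code = rc;` carries no comment, so the reason a stored 401 must not be replaced by a later 403 is recorded only in the commit message. Suggest a short comment above the guard stating that 401 is kept so the final response still requests authentication via WWW-Authenticate under "satisfy any". The opposite order is unaffected by the guard: a stored 403 is still overwritten by a later 401, which is the desired result. A regression test covering both handler orders (401 then 403, and 403 then 401) would be worth adding alongside this change.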