Multiple WWW-Authenticate headers with "satisfy any;".
If a module adds multiple WWW-Authenticate headers (ticket #485) to the response, linked in r->headers_out.www_authenticate, all headers are now cleared if another module later allows access. This change is a nop for standard modules, since the only access module which can add multiple WWW-Authenticate headers is the auth request module, and it is checked after other standard access modules. Though this might affect some third party access modules. Note that if a 3rd party module adds a single WWW-Authenticate header and not yet modified to set the header's next pointer to NULL, attempt to clear such a header with this change will result in a segmentation fault.
This commit is contained in:
parent
ac4d19865a
commit
c43e768c74
|
@ -1088,6 +1088,7 @@ ngx_int_t
|
|||
ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
|
||||
{
|
||||
ngx_int_t rc;
|
||||
ngx_table_elt_t *h;
|
||||
ngx_http_core_loc_conf_t *clcf;
|
||||
|
||||
if (r != r->main) {
|
||||
|
@ -1122,8 +1123,8 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
|
|||
if (rc == NGX_OK) {
|
||||
r->access_code = 0;
|
||||
|
||||
if (r->headers_out.www_authenticate) {
|
||||
r->headers_out.www_authenticate->hash = 0;
|
||||
for (h = r->headers_out.www_authenticate; h; h = h->next) {
|
||||
h->hash = 0;
|
||||
}
|
||||
|
||||
r->phase_handler = ph->next;
|
||||
|
|
Loading…
Reference in New Issue