Bug #1324

authorization blocks OPTIONS

Added by HenrikHolst about 9 years ago. Updated over 8 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: core
Target version:
Start date:
Due date:
% Done: 0%
Missing in 1.5.x:

Description

If a client sends an OPTIONS method for a resource that is under authorization, then mod_auth blocks the other modules from inserting their options since it breaks the calling chain. To make matters worse, the lighttpd core sends a 200 for all OPTIONS requests.

One case where this fails miserably is WebDAV: the Windows Web Folders client and the davfs2 (neon-based) filesystem check for DAV compliance with OPTIONS before allowing a server. Since mod_auth blocks mod_webdav from inserting its options and the reply is a 200 (so that the client does not know that it has to send its credentials), the connection is refused by the client.

I have included a small patch which changes this last behaviour into replying with 401 if authorization is required. I have tested this against both neon and the Windows Web Folders Client and they both work properly now.

Debate is whether this is the correct fix or not. One other fix would be to let mod_auth skip its checks if HTTP_METHOD_OPTIONS, but then I cannot find support in the RFCs for such behaviour, so I think that my patch is the correct one :)

connections.patch - patch for connections.c (519 Bytes) HenrikHolst, 2007-08-24 09:04

Associated revisions

Revision a25cbfa3 (diff)
Added by stbuehler over 8 years ago

r2091@chromobil: stefan | 2008-02-26 17:06:03 +0100
Fix #1324: req-method OPTIONS: do not insert default response if request was denied

- Request is handled as denied if status != 0 && status != 200

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2086 152afb58-edef-0310-8abb-c4023f1b3aa9

Revision 40a41e3b (diff)
Added by stbuehler over 8 years ago

Fix the fix #1324/[2086]: if no module handled a request, treat method OPTION as 200, all others as 403.

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2095 152afb58-edef-0310-8abb-c4023f1b3aa9

History

#1 Updated by simmel almost 9 years ago

I can confirm that this patch works with 1.4.18.

Using WebDAV with auth does NOT work WITHOUT this patch.

#2 Updated by stbuehler over 8 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

Fixed in r2086
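
The following model is an added illustration, not part of the ticket and not lighttpd source code. It replays the handler chain from the description and the status rules from the two commit messages; all type and function names are hypothetical, and the reported behaviour is modelled for OPTIONS only.

```c
#include <stdio.h>

/* Simplified model of the ticket's behaviour; every name here is hypothetical
 * and none of this is lighttpd source code. */
enum method { M_GET, M_OPTIONS };
enum chain  { GO_ON, FINISHED };
struct request {
    enum method method;
    int has_credentials; /* client sent valid credentials */
    int status;          /* 0 = no module set a status */
    int dav_header;      /* 1 once the WebDAV handler has run on OPTIONS */
};

/* Auth handler: denies and ends the chain when credentials are missing. */
static enum chain auth_handler(struct request *r) {
    if (!r->has_credentials) { r->status = 401; return FINISHED; }
    return GO_ON;
}

/* WebDAV handler: advertises DAV support in reply to OPTIONS. */
static void webdav_handler(struct request *r) {
    if (r->method == M_OPTIONS) r->dav_header = 1;
}
static void run_chain(struct request *r) {
    if (auth_handler(r) == FINISHED) return; /* later modules never run */
    webdav_handler(r);
}

/* Reported behaviour (only the OPTIONS path is modelled): the core answers
 * every OPTIONS with 200, overwriting the 401 set by the auth handler. */
struct request respond_reported(struct request r) {
    run_chain(&r);
    if (r.method == M_OPTIONS) r.status = 200;
    return r;
}

/* Per the two commit messages: a status other than 0 or 200 counts as denied
 * and is kept; an unhandled request gets 200 for OPTIONS and 403 otherwise. */
struct request respond_fixed(struct request r) {
    run_chain(&r);
    if (r.status == 0) r.status = (r.method == M_OPTIONS) ? 200 : 403;
    return r;
}

int main(void) {
    struct request anon = { M_OPTIONS, 0, 0, 0 }; /* unauthenticated OPTIONS */
    printf("reported=%d fixed=%d\n", respond_reported(anon).status, respond_fixed(anon).status);
    return 0;
}
```

In the reported case the client receives 200 with no DAV header and no authentication challenge, which matches the refusal described for Web Folders and davfs2.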
