author | Christian Grothoff <christian@grothoff.org> | 2021-02-04 18:27:54 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2021-02-04 18:27:54 +0100 |
commit | 00c02568ebbd2ea126d76e1859ba02fc66941123 (patch) | |
tree | f865b841ec078e2290934a33b06f21e745f75f7b /src/backend/taler-merchant-httpd.c | |
parent | e919d68d0275803a8eb8cb6d11b89937e92e44ea (diff) | |
download | merchant-00c02568ebbd2ea126d76e1859ba02fc66941123.tar.gz merchant-00c02568ebbd2ea126d76e1859ba02fc66941123.tar.bz2 merchant-00c02568ebbd2ea126d76e1859ba02fc66941123.zip |
fix #6737
Diffstat (limited to 'src/backend/taler-merchant-httpd.c')
-rw-r--r-- | src/backend/taler-merchant-httpd.c | 27 |
1 files changed, 20 insertions, 7 deletions
diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c
index f53e0bec..6205eeda 100644
--- a/src/backend/taler-merchant-httpd.c
+++ b/src/backend/taler-merchant-httpd.c
@@ -1631,6 +1631,7 @@ url_handler (void *cls,
 const char *auth;
 struct TMH_MerchantInstance *def_instance;
 bool auth_ok;
+ bool auth_malformed = false;
 /* PATCHing an instance can alternatively be checked against the default instance */
@@ -1644,13 +1645,19 @@ url_handler (void *cls,
 RFC_8959_PREFIX,
 strlen (RFC_8959_PREFIX)))
 {
- return TALER_MHD_reply_with_error (connection,
- MHD_HTTP_UNAUTHORIZED,
- TALER_EC_GENERIC_PARAMETER_MALFORMED,
- "'" RFC_8959_PREFIX
- "' prefix missing in 'Authorization' header");
+ /* We _only_ complain about malformed auth headers if authorization was truly required (#6737). This helps in case authorization was disabled in the backend because some reverse proxy is already doing it, and then that reverse proxy may forward malformed auth headers to the backend. */
+ auth_malformed = true;
+ auth = NULL;
+ }
+ else
+ {
+ auth += strlen (RFC_8959_PREFIX);
 }
- auth += strlen (RFC_8959_PREFIX);
 }
 /* Are the credentials provided OK for the default instance?
@@ -1684,12 +1691,18 @@ url_handler (void *cls,
 &hc->instance->settings.auth_hash));
 if (! auth_ok)
 {
+ if (auth_malformed)
+ return TALER_MHD_reply_with_error (connection,
+ MHD_HTTP_UNAUTHORIZED,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "'" RFC_8959_PREFIX
+ "' prefix missing in 'Authorization' header");
 return TALER_MHD_reply_with_error (connection,
 MHD_HTTP_UNAUTHORIZED,
 TALER_EC_MERCHANT_GENERIC_UNAUTHORIZED,
 "Check 'Authorization' header");
 }
- }
+ } /* if (use_private) */
 if ( (NULL == hc->instance) && |
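Review bot: The new `auth_malformed` flag in the declaration block carries no comment, and its meaning is not obvious from the name alone: it records that an 'Authorization' header was present but lacked the RFC 8959 prefix, and it is only acted upon two hunks later, after the credential check has already failed. A one-line comment at the declaration would spare the reader that trip: `bool auth_malformed = false; /* 'Authorization' header present but without RFC_8959_PREFIX; only reported if authorization turns out to be required (#6737) */`. The body of url_handler begins and ends outside this hunk.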
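Review bot: The malformed-prefix error is now emitted only when `auth_ok` is false, and the second hunk sets `auth = NULL` in the malformed case, so whether a protected instance still rejects a header with the wrong prefix rests entirely on the credential check between the hunks treating `NULL == auth` as "no credentials supplied"; that check is not visible here, so it should be confirmed rather than assumed. If the intent is that a malformed header is indistinguishable from an absent one while authorization is disabled, a misconfigured reverse proxy then fails silently; a debug-level log line at the point where `auth_malformed = true;` is set (second hunk) would let an operator notice it without changing any response. The added `if (auth_malformed) return TALER_MHD_reply_with_error (...)` runs unbraced across six physical lines inside `if (! auth_ok)`, which itself braces a single return; `if (auth_malformed) { ... }` would match the surrounding style. url_handler continues outside this hunk.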