From 00c02568ebbd2ea126d76e1859ba02fc66941123 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Thu, 4 Feb 2021 18:27:54 +0100
Subject: fix #6737
---
 src/backend/taler-merchant-httpd.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/backend/taler-merchant-httpd.c b/src/backend/taler-merchant-httpd.c
index f53e0bec..6205eeda 100644
--- a/src/backend/taler-merchant-httpd.c
+++ b/src/backend/taler-merchant-httpd.c
@@ -1631,6 +1631,7 @@ url_handler (void *cls,
   const char *auth;
   struct TMH_MerchantInstance *def_instance;
   bool auth_ok;
+  bool auth_malformed = false;
 
   /* PATCHing an instance can alternatively be checked against
      the default instance */
@@ -1644,13 +1645,19 @@ url_handler (void *cls,
                           RFC_8959_PREFIX,
                           strlen (RFC_8959_PREFIX)))
       {
-        return TALER_MHD_reply_with_error (connection,
-                                           MHD_HTTP_UNAUTHORIZED,
-                                           TALER_EC_GENERIC_PARAMETER_MALFORMED,
-                                           "'" RFC_8959_PREFIX
-                                           "' prefix missing in 'Authorization' header");
+        /* We _only_ complain about malformed auth headers if
+           authorization was truly required (#6737). This helps
+           in case authorization was disabled in the backend
+           because some reverse proxy is already doing it, and
+           then that reverse proxy may forward malformed auth
+           headers to the backend. */
+        auth_malformed = true;
+        auth = NULL;
+      }
+      else
+      {
+        auth += strlen (RFC_8959_PREFIX);
       }
-      auth += strlen (RFC_8959_PREFIX);
     }
 
   /* Are the credentials provided OK for the default instance?
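Review bot: The new else-branch in the second hunk clears `auth` on a bad prefix, so the later `TMH_check_auth` call (outside this hunk) sees the request as carrying no credentials at all, and the added comment never states that this is the mechanism behind "only complain if authorization was truly required". I would extend the comment with `auth = NULL makes the later TMH_check_auth() treat the request as unauthenticated; auth_malformed is only reported if that check fails.` so a reader does not have to locate the second hunk to understand why the early return was removed. A side effect worth confirming is that a malformed header is now indistinguishable from an absent one for the default-instance check that follows ("Are the credentials provided OK for the default instance?"), which is presumably intended for the PATCH-against-default-instance case. The enclosing url_handler body starts and ends outside this hunk.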
@@ -1684,12 +1691,18 @@ url_handler (void *cls,
                                  &hc->instance->settings.auth_hash));
     if (! auth_ok)
     {
+      if (auth_malformed)
+        return TALER_MHD_reply_with_error (connection,
+                                           MHD_HTTP_UNAUTHORIZED,
+                                           TALER_EC_GENERIC_PARAMETER_MALFORMED,
+                                           "'" RFC_8959_PREFIX
+                                           "' prefix missing in 'Authorization' header");
       return TALER_MHD_reply_with_error (connection,
                                          MHD_HTTP_UNAUTHORIZED,
                                          TALER_EC_MERCHANT_GENERIC_UNAUTHORIZED,
                                          "Check 'Authorization' header");
     }
-  }
+  } /* if (use_private) */
 
   if ( (NULL == hc->instance) &&
-- 
cgit v1.2.3
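Review bot: The added `if (auth_malformed)` has an unbraced five-line body, while the surrounding code braces even single-statement bodies (`if (! auth_ok) { ... }`); writing it as `if (auth_malformed) { return TALER_MHD_reply_with_error (...); }` keeps the file's style and avoids a dangling-statement slip if a log line is ever inserted before the return. Related to the new behaviour rather than its form: when the instance requires no token, a malformed Authorization header is now accepted without any trace, so a debug-level log at the point where `auth_malformed` is true but `auth_ok` holds would let an operator notice a reverse proxy that forwards broken headers. Returning 401 with distinct error codes for the two failure cases is fine. url_handler continues outside this hunk.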