Fossil

Check-in [2e76b99f]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Simplify the Basic Authentication implementation, removing the need for the strtok_r() library function.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 2e76b99f5ce5301c4cf82f06d069ec608da888cce543cf8d736d51b110eff6d2
User & Date: drh 2017-03-15 00:19:41
Context
2017-03-15
00:31
added missing return type in login_basic_authentication() definition. check-in: fd928b6e user: stephan tags: trunk
00:19
Simplify the Basic Authentication implementation, removing the need for the strtok_r() library function. check-in: 2e76b99f user: drh tags: trunk
2017-03-14
23:30
Changed remaining regexps in test cases that match hashes to allow hashes to range from 40 to 64 hex digits. Added the same_uuid proc to the test harness to regularize comparing uuids. It is true if one is a prefix of the other. There are still regressions in the test suite, especially in amend.test, but this is progress. check-in: 0541af5f user: rberteig tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/login.c.

47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
...
883
884
885
886
887
888
889




















































890
891
892
893
894
895
896
....
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067

1068
1069
1070
1071
1072
1073
1074
#  include <windows.h>           /* for Sleep */
#  if defined(__MINGW32__) || defined(_MSC_VER)
#    define sleep Sleep            /* windows does not have sleep, but Sleep */
#  endif
#endif
#include <time.h>

#ifdef _WIN32
/*
** MinGW doesn't have strtok_r in its libc. Here's a public domain one
** found at StackOverflow as a work-around, with formatting adjusted to
** make it more like the usual style here. This is certainly the wrong
** place for it, which is emphasized by making the function static.
**
** See http://stackoverflow.com/a/12979321/68204
**
** public domain strtok_r() by Charlie Gordon
**   from comp.lang.c  9/14/2007
**   http://groups.google.com/group/comp.lang.c/msg/2ab1ecbb86646684
** (Declaration that it's public domain):
**   http://groups.google.com/group/comp.lang.c/msg/7c7b39328fefab9c
*/
static char* win32_strtok_r(
  char *str,
  const char *delim,
  char **nextp
){
  char *ret;
  if( str == NULL ){
    str = *nextp;
  }
  str += strspn(str, delim);
  if( *str == '\0' ){
    return NULL;
  }
  ret = str;
  str += strcspn(str, delim);
  if( *str ){
    *str++ = '\0';
  }
  *nextp = str;
  return ret;
}
#define strtok_r win32_strtok_r
#endif

/*
** Return the login-group name.  Or return 0 if this repository is
** not a member of a login-group.
*/
const char *login_group_name(void){
  static const char *zGroup = 0;
................................................................................
int login_wants_https_redirect(void){
  if( g.sslNotAvailable ) return 0;
  if( db_get_boolean("redirect-to-https",0)==0 ) return 0;
  if( P("HTTPS")!=0 ) return 0;
  return 1;
}





















































/*
** This routine examines the login cookie to see if it exists and
** is valid.  If the login cookie checks out, it then sets global
** variables appropriately.
**
**    g.userUid      Database USER.UID value.  Might be -1 for "nobody"
**    g.zLogin       Database USER.LOGIN value.  NULL for user "nobody"
................................................................................
    }
  }

  /* If the request didn't provide a login cookie or the login cookie didn't
  ** match a known valid user, check the HTTP "Authorization" header and
  ** see if those credentials are valid for a known user.
  */
  if( uid==0 ){
    const char *zHTTPAuth = PD("HTTP_AUTHORIZATION", 0);

    /* Check to see if the HTTP "Authorization" header is present
    */
    if( zHTTPAuth!=0 && zHTTPAuth[0]!=0
     && db_get_boolean("http_authentication_ok",0)
    ){
      char *zBuf = fossil_strdup(zHTTPAuth);

      if( zBuf!=0 ){
        char *zPos;
        char *zTok = strtok_r(zBuf, " ", &zPos);

        if( zTok != 0 ){
          /* Check to see if the authorization scheme is HTTP
          ** basic auth.
          */
          if (strncmp(zTok, "Basic", zTok - zBuf) == 0) {
            zTok = strtok_r(NULL, " ", &zPos);
            int zBytesDecoded = 0;
            char *zDecodedAuth = decode64(zTok, &zBytesDecoded);

            char *zUsername = strtok_r(zDecodedAuth, ":", &zPos);
            char *zPasswd = strtok_r(NULL, ":", &zPos);

            if( zUsername!=0 && zPasswd!=0 && zPasswd[0]!=0 ){
              /* Attempting to log in as the user provided by HTTP
              ** basic auth
              */
              uid = login_search_uid(zUsername, zPasswd);
              if( uid>0 ){
                record_login_attempt(zUsername, zIpAddr, 1);
              }else{
                record_login_attempt(zUsername, zIpAddr, 0);

                /* The user attempted to login specifically with HTTP basic
                ** auth, but provided invalid credentials. Inform them of
                ** the failed login attempt via 401.
                */
                cgi_set_status(401, "Unauthorized");
                cgi_reply();
                fossil_exit(0);
              }
            }

            fossil_free(zDecodedAuth);
          }
        }

        fossil_free(zBuf);
      }
    }

  }

  /* If no user found yet, try to log in as "nobody" */
  if( uid==0 ){
    uid = db_int(0, "SELECT uid FROM user WHERE login='nobody'");
    if( uid==0 ){
      /* If there is no user "nobody", then make one up - with no privileges */







<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<







 







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







 







<
<
<
<
<
<
|
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
<
>







47
48
49
50
51
52
53






































54
55
56
57
58
59
60
...
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
....
1022
1023
1024
1025
1026
1027
1028






1029














































1030
1031
1032
1033
1034
1035
1036
1037
#  include <windows.h>           /* for Sleep */
#  if defined(__MINGW32__) || defined(_MSC_VER)
#    define sleep Sleep            /* windows does not have sleep, but Sleep */
#  endif
#endif
#include <time.h>








































/*
** Return the login-group name.  Or return 0 if this repository is
** not a member of a login-group.
*/
const char *login_group_name(void){
  static const char *zGroup = 0;
................................................................................
int login_wants_https_redirect(void){
  if( g.sslNotAvailable ) return 0;
  if( db_get_boolean("redirect-to-https",0)==0 ) return 0;
  if( P("HTTPS")!=0 ) return 0;
  return 1;
}


/*
** Attempt to use Basic Authentication to establish the user.  Return the
** (non-zero) uid if successful.  Return 0 if it does not work.
*/
static logic_basic_authentication(const char *zIpAddr){
  const char *zAuth = PD("HTTP_AUTHORIZATION", 0);
  int i;
  int uid = 0;
  int nDecode = 0;
  char *zDecode = 0;
  const char *zUsername = 0;
  const char *zPasswd = 0;
  

  if( zAuth==0 ) return 0;                    /* Fail: No Authentication: header */
  while( fossil_isspace(zAuth[0]) ) zAuth++;  /* Skip leading whitespace */
  if( strncmp(zAuth, "Basic ", 6)!=0 ) return 0;  /* Fail: Not Basic Authentication */

  /* Parse out the username and password, separated by a ":" */
  zAuth += 6;
  while( fossil_isspace(zAuth[0]) ) zAuth++;
  zDecode = decode64(zAuth, &nDecode);

  for(i=0; zDecode[i] && zDecode[i]!=':'; i++){}
  if( zDecode[i] ){
    zDecode[i] = 0;
    zUsername = zDecode;
    zPasswd = &zDecode[i+1];

    /* Attempting to log in as the user provided by HTTP
    ** basic auth
    */
    uid = login_search_uid(zUsername, zPasswd);
    if( uid>0 ){
      record_login_attempt(zUsername, zIpAddr, 1);
    }else{
      record_login_attempt(zUsername, zIpAddr, 0);

      /* The user attempted to login specifically with HTTP basic
      ** auth, but provided invalid credentials. Inform them of
      ** the failed login attempt via 401.
      */
      cgi_set_status(401, "Unauthorized");
      cgi_reply();
      fossil_exit(0);
    }
  }
  fossil_free(zDecode);
  return uid;
}

/*
** This routine examines the login cookie to see if it exists and
** is valid.  If the login cookie checks out, it then sets global
** variables appropriately.
**
**    g.userUid      Database USER.UID value.  Might be -1 for "nobody"
**    g.zLogin       Database USER.LOGIN value.  NULL for user "nobody"
................................................................................
    }
  }

  /* If the request didn't provide a login cookie or the login cookie didn't
  ** match a known valid user, check the HTTP "Authorization" header and
  ** see if those credentials are valid for a known user.
  */






  if( uid==0 && db_get_boolean("http_authentication_ok",0) ){














































    uid = logic_basic_authentication(zIpAddr);
  }

  /* If no user found yet, try to log in as "nobody" */
  if( uid==0 ){
    uid = db_int(0, "SELECT uid FROM user WHERE login='nobody'");
    if( uid==0 ){
      /* If there is no user "nobody", then make one up - with no privileges */