From 7e1fda24a5c4c73851ca8b01456f7a820613905e Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Fri, 13 Jun 2008 13:33:44 +0200 Subject: [PATCH] httpd: send HTTP_UNAUTHORIZED on auth failure r22315 is wrong - We should send HTTP_UNAUTHORIZED both if there wasn't an Authorization: header, AND if authorization failed. Signed-off-by: Peter Korsgaard --- networking/httpd.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/networking/httpd.c b/networking/httpd.c index 382893b..f1afc1d 100644 --- a/networking/httpd.c +++ b/networking/httpd.c @@ -2043,9 +2043,9 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr) } #if ENABLE_FEATURE_HTTPD_BASIC_AUTH - /* Case: no "Authorization:" was seen, but page does require passwd. - * Check that with dummy user:pass */ - if ((authorized < 0) && check_user_passwd(urlcopy, ":") == 0) { + /* invalid user:pass or no "Authorization:" was seen, but page + * does require passwd. Check that with dummy user:pass */ + if ((authorized <= 0) && check_user_passwd(urlcopy, ":") == 0) { send_headers_and_exit(HTTP_UNAUTHORIZED); } #endif -- 1.5.5.1