author | Patrick Ohly <patrick.ohly@intel.com> | 2013-03-04 07:05:56 -0800 |
---|---|---|
committer | Patrick Ohly <patrick.ohly@intel.com> | 2013-03-04 07:36:21 -0800 |
commit | 68ef2f37dd2490e90fc3dad4b97d8ab3e893f108 (patch) | |
tree | eb7dfb631f1854057dada27456c8798f9dffb73f /src | |
parent | 4898f813ff8e49023c54bc698540c2f241c0c66a (diff) |
WebDAV: don't send Basic Auth via http (FDO #57248)
Sending basic authentication headers via http is insecure.
Only do it when the connection is encrypted and thus
protects the information.
Diffstat (limited to 'src')
-rw-r--r-- | src/backends/webdav/NeonCXX.cpp | 24 |
1 files changed, 14 insertions, 10 deletions
diff --git a/src/backends/webdav/NeonCXX.cpp b/src/backends/webdav/NeonCXX.cpp
index 26a6ea58..5092af21 100644
--- a/src/backends/webdav/NeonCXX.cpp
+++ b/src/backends/webdav/NeonCXX.cpp
@@ -341,17 +341,21 @@ void Session::preSend(ne_request *req, ne_buffer *header)
 // only do this once
 m_forceAuthorizationOnce = false;
- // append "Authorization: Basic" header if not present already
- if (!boost::starts_with(header->data, "Authorization:") &&
- !strstr(header->data, "\nAuthorization:")) {
- std::string credentials = m_forceUsername + ":" + m_forcePassword;
- SmartPtr<char *> blob(ne_base64((const unsigned char *)credentials.c_str(), credentials.size()));
- ne_buffer_concat(header, "Authorization: Basic ", blob.get(), "\r\n", NULL);
- }
+ if (m_uri.m_scheme == "https") {
+ // append "Authorization: Basic" header if not present already
+ if (!boost::starts_with(header->data, "Authorization:") &&
+ !strstr(header->data, "\nAuthorization:")) {
+ std::string credentials = m_forceUsername + ":" + m_forcePassword;
+ SmartPtr<char *> blob(ne_base64((const unsigned char *)credentials.c_str(), credentials.size()));
+ ne_buffer_concat(header, "Authorization: Basic ", blob.get(), "\r\n", NULL);
+ }
- // check for acceptance of credentials later
- m_credentialsSent = true;
- SE_LOG_DEBUG(NULL, NULL, "forced sending credentials");
+ // check for acceptance of credentials later
+ m_credentialsSent = true;
+ SE_LOG_DEBUG(NULL, NULL, "forced sending credentials");
+ } else {
+ SE_LOG_DEBUG(NULL, NULL, "skipping forced sending credentials because not using https");
+ }
 }
 }
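Review bot: The new else branch reports the withheld credentials only at debug level, so a user who configured forced credentials for a plain-http URL gets no visible explanation when the server then rejects the unauthenticated request; a warning-level message, for example `SE_LOG_WARNING(NULL, NULL, "not sending forced credentials because the connection is not https");` if the logging API provides that level, would make the silent downgrade diagnosable without debug logging. The comparison `m_uri.m_scheme == "https"` is case-sensitive; should m_scheme ever carry an upper-case scheme from user configuration this fails safe (credentials are withheld), but a short why-comment on the if, such as `// Basic auth exposes the password in clear text over http (FDO #57248); only send it on an encrypted connection`, would keep the rationale next to the check. Session::preSend begins, and the condition of the block that contains these lines lies, outside the hunk, so whether a skipped forced send later falls back to challenge-based authentication cannot be confirmed from here.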