[PATCH] clear sspi_token buffer after each request
Danil Shopyrin
danil at visualsvn.com
Mon Nov 30 06:56:49 EST 2009
Ping!
On Sat, Nov 21, 2009 at 12:19 AM, Danil Shopyrin <danil at visualsvn.com> wrote:
> Hi!
>
> We're experiencing the following problem. Neon continues to send the
> last used SSPI token even if the client is already authenticated. This can
> cause the server to permanently restart the authentication handshake.
>
> Here is the transaction log:
>
> 1. Client -> Server: OPTIONS /svn/AnyCalc HTTP/1.1
> Server -> Client: HTTP/1.1 401 Authorization Required
>
> 2. Client -> Server: OPTIONS /svn/AnyCalc HTTP/1.1
> Authorization: NTLM T1
> Server -> Client: HTTP/1.1 401 Authorization Required
> Authorization: NTLM T2
>
> 3. Client -> Server: OPTIONS /svn/AnyCalc HTTP/1.1
> Authorization: NTLM T3
> Server -> Client: HTTP/1.1 200 OK
>
> ###The client is successfully authenticated starting from this point.
>
> 4. Client -> Server: PROPFIND /svn/AnyCalc HTTP/1.1
> Authorization: NTLM T3
>
> ### Oops! The client has accidentally sent the last used NTLM T3 token.
> ### This should cause the server to refuse the request and restart the
> ### authentication handshake.
>
> Please note that neon provides smarter behavior in the GSSAPI
> implementation. The cached gssapi_token is cleared every time in the
> ah_post_send() handler.
>
> We propose the attached patch to clear sspi_token pretty much as in
> the GSSAPI. Here is the proposed log message:
> [[[
> Clear sspi_token buffer after each request.
>
> * src/ne_auth.c (request_sspi): Return NULL if sspi_token is not present.
>
> * src/ne_auth.c (ah_post_send): Clear the buffered sspi_token.
> ]]]
>
> Thanks in advance!
>
> --
> With best regards,
> Danil Shopyrin
> VisualSVN Team
>
--
With best regards,
Danil Shopyrin
VisualSVN Team
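The token-buffer lifecycle described in the quoted report, replayed as an added illustration. This is not neon's code and not the attached patch: `auth_session`, `request_token()`, `post_send()` and the string tokens "T1"/"T3" are invented stand-ins for neon's SSPI state and its `request_sspi()`/`ah_post_send()` handlers, and no real NTLM message is computed. The model drives the four requests from the transaction log once with the reported behaviour (the buffered token survives a successful request) and once with the proposed behaviour (the buffer is cleared in the post-send hook), and counts how many requests after the 200 OK still carried an Authorization header.

```c
/* Added example, not neon's code: a minimal model of the per-request token
 * buffer. Names (auth_session, request_token, post_send) and the tokens
 * "T1"/"T3" are invented stand-ins for the real SSPI state and handlers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *token;           /* token buffered for the next request, or NULL */
    int clear_after_send;  /* 0 = behaviour in the report, 1 = proposed fix */
} auth_session;

static void set_token(auth_session *s, const char *t) {
    free(s->token);
    s->token = NULL;
    if (t) {
        s->token = malloc(strlen(t) + 1);
        strcpy(s->token, t);
    }
}

/* Stand-in for request_sspi(): NULL when nothing is buffered, so the caller
 * adds no Authorization header at all. */
static const char *request_token(const auth_session *s) {
    return s->token;
}

/* Stand-in for ah_post_send(): with the fix, the token is dropped once sent. */
static void post_send(auth_session *s) {
    if (s->clear_after_send)
        set_token(s, NULL);
}

/* Replays the four-request exchange from the log. out[i] receives the
 * Authorization header value sent on request i+1 ("" if none). Returns the
 * number of requests sent after the 200 OK that still carried a token. */
static int simulate(int clear_after_send, char out[4][32]) {
    auth_session s = { NULL, clear_after_send };
    int authenticated = 0, stale = 0;

    for (int step = 1; step <= 4; step++) {
        const char *tok = request_token(&s);
        if (tok)
            snprintf(out[step - 1], 32, "NTLM %s", tok);
        else
            out[step - 1][0] = '\0';
        if (authenticated && tok)
            stale++;          /* the defect: a token resent after success */
        post_send(&s);

        /* Server side of the log: 401 -> 401 with challenge -> 200 OK. */
        switch (step) {
        case 1: set_token(&s, "T1"); break;   /* 401: start, prepare T1 */
        case 2: set_token(&s, "T3"); break;   /* 401 + T2: answer with T3 */
        case 3: authenticated = 1; break;     /* 200 OK: handshake complete */
        default: break;                       /* PROPFIND: nothing to do */
        }
    }
    set_token(&s, NULL);
    return stale;
}

/* Convenience wrappers so the two behaviours can be compared directly. */
static int stale_requests(int clear_after_send) {
    char out[4][32];
    return simulate(clear_after_send, out);
}

static const char *header_at(int clear_after_send, int step) {
    static char out[4][32];
    simulate(clear_after_send, out);
    return out[step - 1];
}

int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++) {
        char out[4][32];
        int stale = simulate(fixed, out);
        printf("%s behaviour:\n", fixed ? "patched" : "unpatched");
        for (int i = 0; i < 4; i++)
            printf("  request %d: %s\n", i + 1,
                   out[i][0] ? out[i] : "(no Authorization header)");
        printf("  stale tokens sent after 200 OK: %d\n", stale);
    }
    return 0;
}
```

With `clear_after_send` set, request 4 goes out without an Authorization header, which is the state the server expects once the handshake has completed; without it, the model reproduces the stray `NTLM T3` on the PROPFIND from the log.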