summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--source3/web/cgi.c57
1 files changed, 28 insertions, 29 deletions
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index 4f44d10afcd..a99b9d3c5d2 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -26,8 +26,6 @@
/* set the expiry on fixed pages */
#define EXPIRY_TIME (60*60*24*7)
-#define CGI_LOGGING 0
-
#ifdef DEBUG_COMMENTS
extern void print_title(char *fmt, ...);
#endif
@@ -327,7 +325,6 @@ static void base64_decode(char *s)
d[n] = 0;
}
-
/***************************************************************************
handle a http authentication line
***************************************************************************/
@@ -336,11 +333,17 @@ static BOOL cgi_handle_authorization(char *line)
char *p, *user, *user_pass;
struct passwd *pass = NULL;
BOOL ret = False;
+ BOOL got_name = False;
+ BOOL tested_pass = False;
+ fstring default_user_lookup;
+ fstring default_user_pass;
+
+ /* Dummy user lookup to take the same time as a valid user. */
+ fstrcpy(default_user_lookup, "zzzz bibble");
+ fstrcpy(default_user_pass, "123456789");
if (strncasecmp(line,"Basic ", 6)) {
- cgi_setup_error("401 Bad Authorization", "",
- "Only basic authorization is understood");
- return False;
+ goto err;
}
line += 6;
while (line[0] == ' ') line++;
@@ -350,9 +353,7 @@ static BOOL cgi_handle_authorization(char *line)
* Always give the same error so a cracker
* cannot tell why we fail.
*/
- cgi_setup_error("401 Bad Authorization", "",
- "username/password must be supplied");
- return False;
+ goto err;
}
*p = 0;
user = line;
@@ -367,15 +368,16 @@ static BOOL cgi_handle_authorization(char *line)
* Always give the same error so a cracker
* cannot tell why we fail.
*/
- cgi_setup_error("401 Bad Authorization", "",
- "username/password must be supplied");
- return False;
+ got_name = True;
+ goto err;
}
/*
* Validate the password they have given.
*/
+ tested_pass = True;
+
if((ret = pass_check(user, user_pass, strlen(user_pass), NULL, NULL)) == True) {
/*
@@ -394,7 +396,20 @@ static BOOL cgi_handle_authorization(char *line)
C_user = strdup(user);
}
- return ret;
+ err:
+
+ /* Always take the same time. */
+ if (!got_name)
+ Get_Pwnam(default_user_lookup,False);
+
+ if (!tested_pass)
+ pass_check(default_user_lookup, default_user_pass,
+ strlen(default_user_pass), NULL, NULL);
+
+ cgi_setup_error("401 Bad Authorization", "",
+ "username or password incorrect");
+
+ return False;
}
/***************************************************************************
@@ -478,9 +493,6 @@ void cgi_setup(char *rootdir, int auth_required)
char line[1024];
char *url=NULL;
char *p;
-#if CGI_LOGGING
- FILE *f;
-#endif
if (chdir(rootdir)) {
cgi_setup_error("400 Server Error", "",
@@ -502,19 +514,9 @@ void cgi_setup(char *rootdir, int auth_required)
"Samba is configured to deny access from this client\n<br>Check your \"hosts allow\" and \"hosts deny\" options in smb.conf ");
}
-#if CGI_LOGGING
- f = sys_fopen("/tmp/cgi.log", "a");
- if (f) fprintf(f,"\n[Date: %s %s (%s)]\n",
- http_timestring(time(NULL)),
- get_socket_name(1), get_socket_addr(1));
-#endif
-
/* we are a mini-web server. We need to read the request from stdin
and handle authentication etc */
while (fgets(line, sizeof(line)-1, stdin)) {
-#if CGI_LOGGING
- if (f) fputs(line, f);
-#endif
if (line[0] == '\r' || line[0] == '\n') break;
if (strncasecmp(line,"GET ", 4)==0) {
got_request = True;
@@ -534,9 +536,6 @@ void cgi_setup(char *rootdir, int auth_required)
}
/* ignore all other requests! */
}
-#if CGI_LOGGING
- if (f) fclose(f);
-#endif
if (auth_required && !authenticated) {
cgi_auth_error();