Fixed "satisfy any" if 403 is returned after 401 (ticket #285).

The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the latter should be returned with the WWW-Authenticate header to request authentication by a client. The problem could be triggered with 3rd party modules and the "deny" directive, or with auth_basic and auth_request which returns 403 (in 1.5.4+). Patch by Jan Marc Hoffmann.
2024-12-19 13:43:28 -06:00 · 2013-10-18 18:13:49 +04:00 · 2013-10-18 18:13:49 +04:00 · a6b7cfe967
commit a6b7cfe967
parent 6291a29992
1 changed files with 3 additions and 1 deletions
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@ -1144,7 +1144,9 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
        }

        if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) {
-            r->access_code = rc;
+            if (r->access_code != NGX_HTTP_UNAUTHORIZED) {
+                r->access_code = rc;
+            }

            r->phase_handler++;
            return NGX_AGAIN;