Althttpd

View Ticket
Login

View Ticket

Edit New Ticket Plaintext
Ticket Hash: bef72e625df4074cd8e1cdaa6ee9903c5bed9df7
Title: -auth ignored for subdirectories
Status: Closed Type: Documentation
Severity: Minor Priority: Low
Subsystem: Resolution: Fixed
Last Modified: 2024-02-22 03:26:22
Version Found In: 077ca4231c
User Comments:
MaxGyver83 added on 2022-11-30 21:14:22:

The documentation (althttpd.md) says:

If a file named "-auth" appears anywhere within the content hierarchy, then all sibling files and all files in lower-level directories require HTTP basic authentication, as defined by the content of the "-auth" file.

(Emphasis added by me.)

Is this really true?

I'm running althttpd via xinetd.

service https
{
  port = 443
  flags = IPv4
  socket_type = stream
  wait = no
  user = root
  server = /usr/local/bin/althttpd
  server_args = -logfile /var/log/althttpd.log -root /home/user/srv -user www-data -cert /etc/acme.sh/static/cert.pem -pkey /etc/acme.sh/static/key.pem
  bind = xx.xx.xx.xx
}

I have added a -auth file (including a user name and a password) to ~/srv/default.website/. When I surf to https://example.com/index.html, I'm asked for my credentials. https://example.com/m/index.html works without authentication. (Same when I change the password and try the subdirectory first. So it's not about saving the credentials in the browser.)

I'm wondering if this is a bug or just a wrong/outdated documentation because in althttpd.c, the comment says:

If the file "-auth" exists in the same directory as the content file ...

No subdirectories mentioned!

MaxGyver83 added on 2022-12-06 15:30:15:

Minimal example for reproducing this issue:

wget -O althttpd.c "https://sqlite.org/althttpd/raw/077ca4231caec28d5a3830ed3aefb27e74666837d464c2b3934bd09c1b8dbe42?at=althttpd.c"
sudo gcc -Os -o /usr/bin/althttpd althttpd.c

cd /tmp
mkdir -p default.website/subdir
echo secret > default.website/index.html
echo "also secret" > default.website/subdir/index.html
echo "realm My secret webspace
user john john:passwd" > default.website/-auth

althttpd -root /tmp/ -port 7000

Browse to localhost:7000/subdir → Secret file is accessible. Browse to localhost:7000 → You will be asked for credentials.

drh added on 2022-12-06 17:09:00:

The documentation is incorrect. The -auth only protects the directory that it is in. Subdirectories are unprotected and can be accessed directly.

geoffrey added on 2023-09-27 10:36:51:

The following patch is released into the public domain:

@@ -3103,13 +3343,24 @@
 
   /* Check to see if there is an authorization file.  If there is,
   ** process it.
   */
   sprintf(zLine, "%s/-auth", zDir);
-  if( access(zLine,R_OK)==0 && !CheckBasicAuthorization(zLine) ){
-    tls_close_conn();
-    return;
+  for( ;; ){
+    if( access(zLine,R_OK)==0 ){
+      if( !CheckBasicAuthorization(zLine) ){
+        tls_close_conn();
+       	return;
+      }else break;
+    }else{
+      char *ptr=zLine+strlen(zLine)-1;
+      for( ; ptr!=zLine && *ptr!='/'; --ptr );
+      if( ptr==zLine ) break;
+      for( --ptr; ptr!=zLine && *ptr!='/'; --ptr );
+      if( ptr==zLine ) break;
+      strcpy(ptr+1, "-auth");
+    }
   }
stephan added on 2024-02-22 03:26:22:

Docs fixed in [4d3ea9a0f77e2ff391].