ws: only spawn cockpit-session on known auth types

If we receive requests for exotic authentication types from the client like: Authorization: Random xyz and those types are not explicitly disabled in cockpit.conf with a stanza like: [Random] action = none then by default we'll try to spawn cockpit-session to respond to them. This doesn't make a lot of sense, as cockpit-session doesn't support any types other than "basic", "negotiate" and "tls-cert" (which is only ever used internally, and already blocked when received from clients). Modify the check to only spawn cockpit-session for the recognised types. In case another type is specified, then the command to handle that type needs to be explicitly specified: [Random] command = /path/to/my/handler as we already have for several cases in the unit tests.
cockpit-project · Dec 1, 2021 · cb76707 · cb76707
1 parent e22276b
commit cb76707
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
@@ -1121,7 +1121,6 @@ cockpit_session_launch (CockpitAuth *self,
   const gchar *action;
   const gchar *command;
   const gchar *section;
-  const gchar *program_default;
 
   gchar **env = g_get_environ ();
 
@@ -1153,6 +1152,7 @@ cockpit_session_launch (CockpitAuth *self,
   else
     section = type;
 
+  const gchar *program_default = NULL;
   if (g_strcmp0 (section, COCKPIT_CONF_SSH_SECTION) == 0)
     {
       if (!host)
@@ -1164,13 +1164,22 @@ cockpit_session_launch (CockpitAuth *self,
       capture_stderr = cockpit_conf_bool ("WebService", "X-For-CockpitClient", FALSE);
       program_default = cockpit_ws_ssh_program;
     }
-  else
+  else if (type && (g_str_equal (type, "basic") ||
+                    g_str_equal (type, "negotiate") ||
+                    g_str_equal (type, "tls-cert")))
     {
       program_default = cockpit_ws_session_program;
     }
 
   command = type_option (section, "command", program_default);
 
+  if (!command)
+    {
+      g_set_error (error, COCKPIT_ERROR, COCKPIT_ERROR_AUTHENTICATION_FAILED,
+                   "Authentication disabled");
+      goto out;
+    }
+
   if (cockpit_creds_get_rhost (creds))
     {
       env = g_environ_setenv (env, "COCKPIT_REMOTE_PEER",

diff --git a/src/ws/test-handlers.c b/src/ws/test-handlers.c
@@ -233,7 +233,7 @@ test_login_bad (Test *test,
   g_hash_table_unref (headers);
 
   g_assert (ret == TRUE);
-  cockpit_assert_strmatch (output_as_string (test), "HTTP/1.1 401 Authentication failed\r\n*");
+  cockpit_assert_strmatch (output_as_string (test), "HTTP/1.1 401 Authentication disabled\r\n*");
 }
 
 static void