author | Maxim Dounin <mdounin@mdounin.ru> | 2013-10-18 18:13:49 +0400 |
---|---|---|
committer | Maxim Dounin <mdounin@mdounin.ru> | 2013-10-18 18:13:49 +0400 |
commit | a6b7cfe967674267bafb5ed28152a8ad42992cc1 (patch) | |
tree | 0862200eafffbd23ced7335ecb53a363e65079ee /src/http/ngx_http_core_module.c | |
parent | 6291a299925e2de2fc7c8793423d62b029ffab92 (diff) | |
Fixed "satisfy any" if 403 is returned after 401 (ticket #285).

The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.

The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).

Patch by Jan Marc Hoffmann.
Diffstat (limited to 'src/http/ngx_http_core_module.c')
-rw-r--r-- | src/http/ngx_http_core_module.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c index f8c695645..d2e29136d 100644 --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -1144,7 +1144,9 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph) } if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) { - r->access_code = rc; + if (r->access_code != NGX_HTTP_UNAUTHORIZED) { + r->access_code = rc; + } r->phase_handler++; return NGX_AGAIN; |
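
Review bot: In the new guard in ngx_http_core_access_phase(), the reason a stored 401 must survive a later 403 is not visible in the code, so `if (r->access_code != NGX_HTTP_UNAUTHORIZED) {` reads like an arbitrary special case that a later cleanup could drop. Suggest a short comment above it saying that NGX_HTTP_UNAUTHORIZED is kept so the response still asks the client to authenticate via WWW-Authenticate, as the commit message explains. With this guard both handler orders (401 then 403, and 403 then 401) end with 401 stored in r->access_code, so a regression test that exercises both orders under "satisfy any" would pin the behaviour down.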