From: Maxim Dounin <mdounin@mdounin.ru>
Date: Fri, 18 Oct 2013 14:13:49 +0000 (+0400)
Subject: Fixed "satisfy any" if 403 is returned after 401 (ticket #285).
X-Git-Tag: release-1.5.7~15
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=a6b7cfe967674267bafb5ed28152a8ad42992cc1;p=nginx.git

Fixed "satisfy any" if 403 is returned after 401 (ticket #285).

The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.

The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).

Patch by Jan Marc Hoffmann.
---

diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index f8c695645..d2e29136d 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1144,7 +1144,9 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
         }
 
         if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) {
-            r->access_code = rc;
+            if (r->access_code != NGX_HTTP_UNAUTHORIZED) {
+                r->access_code = rc;
+            }
 
             r->phase_handler++;
             return NGX_AGAIN;