<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[212358] trunk/Tools</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/212358">212358</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2017-02-15 06:22:42 -0800 (Wed, 15 Feb 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>[SOUP] Credentials stored by libsoup are used even StoredCredentials policy is DoNotAllowStoredCredentials
https://bugs.webkit.org/show_bug.cgi?id=168364

Reviewed by Michael Catanzaro.

This can happen if a previous load that was allowed to use stored credentials authenticated successfully, saving the
credentials in libsoup. It's actually a libsoup bug, but since it's causing layout test failures and we have
patches for them, let's patch out jhbuild until we have a new libsoup version to depend on.

Fixes: http/tests/security/credentials-from-different-domains.html
       http/tests/xmlhttprequest/cross-origin-no-authorization.html

* gtk/jhbuild.modules:
* gtk/patches/libsoup-auth-Fix-async-authentication-when-flag-SOUP_MESSAGE.patch: Added.
* gtk/patches/libsoup-auth-do-not-use-cached-credentials-in-lookup-method-.patch: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsgtkjhbuildmodules">trunk/Tools/gtk/jhbuild.modules</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkToolsgtkpatcheslibsoupauthFixasyncauthenticationwhenflagSOUP_MESSAGEpatch">trunk/Tools/gtk/patches/libsoup-auth-Fix-async-authentication-when-flag-SOUP_MESSAGE.patch</a></li>
<li><a href="#trunkToolsgtkpatcheslibsoupauthdonotusecachedcredentialsinlookupmethodpatch">trunk/Tools/gtk/patches/libsoup-auth-do-not-use-cached-credentials-in-lookup-method-.patch</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
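--- a/trunk/Tools/ChangeLog
+++ b/trunk/Tools/ChangeLog
@@ -1,3 +1,21 @@
+2017-02-15  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [SOUP] Credentials stored by libsoup are used even StoredCredentials policy is DoNotAllowStoredCredentials
+        https://bugs.webkit.org/show_bug.cgi?id=168364
+
+        Reviewed by Michael Catanzaro.
+
+        This can happen if a previous load with allowed to use stored credentials authenticated successfully, saving the
+        credentials in libsoup. It's actually a libsoup bug, but since it's causing layout test failures and we have
+        patches for them, let's patch out jhbuild until we have a new libsoup version to depend on.
+
+        Fixes: http/tests/security/credentials-from-different-domains.html
+               http/tests/xmlhttprequest/cross-origin-no-authorization.html
+
+        * gtk/jhbuild.modules:
+        * gtk/patches/libsoup-auth-Fix-async-authentication-when-flag-SOUP_MESSAGE.patch: Added.
+        * gtk/patches/libsoup-auth-do-not-use-cached-credentials-in-lookup-method-.patch: Added.
+
 2017-02-14  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         [GTK] Update cookie manager API to properly work with ephemeral sessions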
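--- a/trunk/Tools/gtk/jhbuild.modules
+++ b/trunk/Tools/gtk/jhbuild.modules
@@ -240,9 +240,12 @@
     <dependencies>
       <dep package="glib-networking"/>
     </dependencies>
-    <branch module="libsoup" version="2.57.1"
-            repo="git.gnome.org"
-            tag="6acdbacc107c99fe6f05b78b81f4a40fb3fde9e9"/>
+    <branch module="/pub/GNOME/sources/libsoup/2.57/libsoup-2.57.1.tar.xz" version="2.57.1"
+            repo="ftp.gnome.org"
+            hash="sha256:ca1ca037e89e8bc7b782559f3ec5d89c9d0b836f505b2f95e008ed517fd6658f">
+      <patch file="libsoup-auth-Fix-async-authentication-when-flag-SOUP_MESSAGE.patch" strip="1"/>
+      <patch file="libsoup-auth-do-not-use-cached-credentials-in-lookup-method-.patch" strip="1"/>
+    </branch>
   </autotools>
 
   <autotools id="fontconfig" 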
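Review bot: The new `<branch>` pins the libsoup tarball with a sha256 hash, but nothing in the modules file records why 2.57.1 now carries two local patches or when they can be dropped; that rationale lives only in the ChangeLog. Suggest an XML comment before the first `<patch>` line: `<!-- Backports for libsoup bugs 777936 and 778497 (SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE must not hit the auth cache); drop when depending on a libsoup release that includes them -->`. The `strip="1"` values agree with the `a/`/`b/` prefixes used inside both patch files. The `ftp.gnome.org` repository definition that decides the fetch transport is outside this hunk; the hash pin makes the download's integrity independent of it either way.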
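--- a/trunk/Tools/gtk/patches/libsoup-auth-Fix-async-authentication-when-flag-SOUP_MESSAGE.patch
+++ b/trunk/Tools/gtk/patches/libsoup-auth-Fix-async-authentication-when-flag-SOUP_MESSAGE.patch
@@ -0,0 +1,130 @@
+From afee3002ff45b7a00df3d6804fa7d329b907d361 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Mon, 30 Jan 2017 13:57:12 +0100
+Subject: [PATCH 1/2] auth: Fix async authentication when flag
+ SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE is used
+
+When the flag SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE is used, it's not possible
+to successfully authenticate, and SOUP_STATUS_UNAUTHORIZED is always
+returned even when soup_auth_autenticate was called with the right
+credentials. This happens because we set the auth on the soup message right
+after emitting the authenticate signal only if it was authenticated. If the
+signal pauses the message, the auth will no longer be associated to the message,
+and not cached either because flag SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE is
+present. Since we always check if the auth returned by
+soup_auth_get_message is ready before trying to use it, we can simply
+always set the auth on the mssage right after emitting the authenticate
+signal even if it was not authenticated yet. If it's eventually
+authenticated then got-body callback will check it's ready to re-queue
+the message as expected.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=777936
+---
+ libsoup/soup-auth-manager.c |  4 +--
+ tests/auth-test.c           | 61 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+), 2 deletions(-)
+
+diff --git a/libsoup/soup-auth-manager.c b/libsoup/soup-auth-manager.c
+index 704661bc..9ff446cc 100644
+--- a/libsoup/soup-auth-manager.c
++++ b/libsoup/soup-auth-manager.c
+@@ -625,7 +625,7 @@ auth_got_headers (SoupMessage *msg, gpointer manager)
+         /* If we need to authenticate, try to do it. */
+         authenticate_auth (manager, auth, msg,
+                            prior_auth_failed, FALSE, TRUE);
+-        soup_message_set_auth (msg, soup_auth_is_ready (auth, msg) ? auth : NULL);
++        soup_message_set_auth (msg, auth);
+         g_object_unref (auth);
+         g_mutex_unlock (&priv->lock);
+ }
+@@ -689,7 +689,7 @@ proxy_auth_got_headers (SoupMessage *msg, gpointer manager)
+         /* If we need to authenticate, try to do it. */
+         authenticate_auth (manager, auth, msg,
+                            prior_auth_failed, TRUE, TRUE);
+-        soup_message_set_proxy_auth (msg, soup_auth_is_ready (auth, msg) ? auth : NULL);
++        soup_message_set_proxy_auth (msg, auth);
+         g_object_unref (auth);
+         g_mutex_unlock (&priv->lock);
+ }
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index b674c61c..23e22133 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1336,6 +1336,66 @@ do_message_do_not_use_auth_cache_test (void)
+ }
+
+ static void
++async_no_auth_cache_authenticate (SoupSession *session, SoupMessage *msg,
++                                  SoupAuth *auth, gboolean retrying, SoupAuth **auth_out)
++{
++        debug_printf (1, "  async_no_auth_cache_authenticate\n");
++
++        soup_session_pause_message (session, msg);
++        *auth_out = g_object_ref (auth);
++        g_main_loop_quit (loop);
++}
++
++static void
++async_no_auth_cache_finished (SoupSession *session, SoupMessage *msg, gpointer user_data)
++{
++        debug_printf (1, "  async_no_auth_cache_finished\n");
++
++        g_main_loop_quit (loop);
++}
++
++static void
++do_async_message_do_not_use_auth_cache_test (void)
++{
++        SoupSession *session;
++        SoupMessage *msg;
++        char *uri;
++        SoupAuth *auth = NULL;
++        SoupMessageFlags flags;
++
++        SOUP_TEST_SKIP_IF_NO_APACHE;
++
++        loop = g_main_loop_new (NULL, TRUE);
++        session = soup_test_session_new (SOUP_TYPE_SESSION_ASYNC, NULL);
++        uri = g_strconcat (base_uri, "Basic/realm1/", NULL);
++
++        msg = soup_message_new ("GET", uri);
++        g_free (uri);
++        g_signal_connect (session, "authenticate",
++                          G_CALLBACK (async_no_auth_cache_authenticate), &auth);
++        flags = soup_message_get_flags (msg);
++        soup_message_set_flags (msg, flags | SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE);
++        g_object_ref (msg);
++        soup_session_queue_message (session, msg, async_no_auth_cache_finished, NULL);
++        g_main_loop_run (loop);
++
++        soup_test_assert_message_status (msg, SOUP_STATUS_UNAUTHORIZED);
++
++        soup_test_assert (auth, "msg didn't get authenticate signal");
++        soup_auth_authenticate (auth, "user1", "realm1");
++        g_object_unref (auth);
++
++        soup_session_unpause_message (session, msg);
++        g_main_loop_run (loop);
++
++        soup_test_assert_message_status (msg, SOUP_STATUS_OK);
++
++        soup_test_session_abort_unref (session);
++        g_object_unref (msg);
++        g_main_loop_unref (loop);
++}
++
++static void
+ has_authorization_header_authenticate (SoupSession *session, SoupMessage *msg,
+                                        SoupAuth *auth, gboolean retrying, gpointer data)
+ {
+@@ -1432,6 +1492,7 @@ main (int argc, char **argv)
+         g_test_add_func ("/auth/disappearing-auth", do_disappearing_auth_test);
+         g_test_add_func ("/auth/clear-credentials", do_clear_credentials_test);
+         g_test_add_func ("/auth/message-do-not-use-auth-cache", do_message_do_not_use_auth_cache_test);
++        g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+         g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+
+         ret = g_test_run ();
+-- 
+2.11.0
+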
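Review bot: The unconditional `soup_message_set_auth (msg, auth);` in auth_got_headers (and its twin `soup_message_set_proxy_auth (msg, auth);` in proxy_auth_got_headers) now attaches an auth that may not be authenticated yet; the patch description says this is safe because every consumer checks soup_auth_is_ready on the auth it gets from the message, but that invariant is recorded only in the commit text. A one-line comment at each call site would stop a future reader from reinstating the old `? auth : NULL` guard: `/* The auth may not be ready yet; every consumer must check soup_auth_is_ready() before using it. */`. Whether every consumer actually performs that check cannot be verified from this hunk, which shows only the two call sites.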
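--- a/trunk/Tools/gtk/patches/libsoup-auth-do-not-use-cached-credentials-in-lookup-method-.patch
+++ b/trunk/Tools/gtk/patches/libsoup-auth-do-not-use-cached-credentials-in-lookup-method-.patch
@@ -0,0 +1,114 @@
+From c8401c372adc9a9cb11fc870c390affb10379cfa Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos <cgarcia@igalia.com>
+Date: Sat, 11 Feb 2017 17:44:46 +0100
+Subject: [PATCH 2/2] auth: do not use cached credentials in lookup method when
+ flag SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE is present
+
+This is causing that a request with flag
+SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE success if a previous request without
+the flag stored the credentials. This patch also fixes another issues
+with the test /auth/message-do-not-use-auth-cache, the case of providing
+the credentials in the url was working because do_digest_nonce_test()
+didn't disconnect the authenticate signal that was actually used. This
+is because soup_uri_to_string removes the password from the uri. The
+test needs to use a custom message created with
+soup_message_new_from_uri() instead of using do_digest_nonce_test().
+
+https://bugzilla.gnome.org/show_bug.cgi?id=778497
+---
+ libsoup/soup-auth-manager.c |  6 ++++++
+ tests/auth-test.c           | 29 +++++++++++++++++++++++++----
+ 2 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/libsoup/soup-auth-manager.c b/libsoup/soup-auth-manager.c
+index 9ff446cc..b32ba900 100644
+--- a/libsoup/soup-auth-manager.c
++++ b/libsoup/soup-auth-manager.c
+@@ -472,6 +472,9 @@ lookup_auth (SoupAuthManagerPrivate *priv, SoupMessage *msg)
+         if (auth && soup_auth_is_ready (auth, msg))
+                 return auth;
+
++        if (soup_message_get_flags (msg) & SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE)
++                return NULL;
++
+         host = get_auth_host_for_uri (priv, soup_message_get_uri (msg));
+         if (!host->auth_realms && !make_auto_ntlm_auth (priv, host))
+                 return NULL;
+@@ -496,6 +499,9 @@ lookup_proxy_auth (SoupAuthManagerPrivate *priv, SoupMessage *msg)
+         if (auth && soup_auth_is_ready (auth, msg))
+                 return auth;
+
++        if (soup_message_get_flags (msg) & SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE)
++                return NULL;
++
+         return priv->proxy_auth;
+ }
+
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 23e22133..2d66da9e 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -442,6 +442,12 @@ do_digest_nonce_test (SoupSession *session,
+                           got_401 ? "got" : "did not get");
+         soup_test_assert_message_status (msg, SOUP_STATUS_OK);
+
++        if (expect_signal) {
++                g_signal_handlers_disconnect_by_func (session,
++                                                      G_CALLBACK (digest_nonce_authenticate),
++                                                      NULL);
++        }
++
+         g_object_unref (msg);
+ }
+
+@@ -1297,9 +1303,10 @@ do_message_do_not_use_auth_cache_test (void)
+ {
+         SoupSession *session;
+         SoupAuthManager *manager;
++        SoupMessage *msg;
++        SoupMessageFlags flags;
+         SoupURI *soup_uri;
+         char *uri;
+-        char *uri_with_credentials;
+
+         SOUP_TEST_SKIP_IF_NO_APACHE;
+
+@@ -1318,18 +1325,32 @@ do_message_do_not_use_auth_cache_test (void)
+         soup_uri = soup_uri_new (uri);
+         soup_uri_set_user (soup_uri, "user1");
+         soup_uri_set_password (soup_uri, "realm1");
+-        uri_with_credentials = soup_uri_to_string (soup_uri, FALSE);
++        msg = soup_message_new_from_uri (SOUP_METHOD_GET, soup_uri);
++        flags = soup_message_get_flags (msg);
++        soup_message_set_flags (msg, flags | SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE);
++        soup_session_send_message (session, msg);
++        soup_test_assert_message_status (msg, SOUP_STATUS_OK);
++        g_object_unref (msg);
+         soup_uri_free (soup_uri);
+-        do_digest_nonce_test (session, "Fourth", uri_with_credentials, FALSE, TRUE, FALSE);
+-        g_free (uri_with_credentials);
+
+         manager = SOUP_AUTH_MANAGER (soup_session_get_feature (session, SOUP_TYPE_AUTH_MANAGER));
++
+         soup_auth_manager_clear_cached_credentials (manager);
+
+         /* Now check that credentials are not stored */
+         do_digest_nonce_test (session, "First", uri, FALSE, TRUE, TRUE);
+         do_digest_nonce_test (session, "Second", uri, TRUE, TRUE, TRUE);
+         do_digest_nonce_test (session, "Third", uri, TRUE, FALSE, FALSE);
++
++        /* Credentials were stored for uri, but if we set SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE flag,
++         * and we don't have the authenticate signal, it should respond with 401
++         */
++        msg = soup_message_new (SOUP_METHOD_GET, uri);
++        flags = soup_message_get_flags (msg);
++        soup_message_set_flags (msg, flags | SOUP_MESSAGE_DO_NOT_USE_AUTH_CACHE);
++        soup_session_send_message (session, msg);
++        soup_test_assert_message_status (msg, SOUP_STATUS_UNAUTHORIZED);
++        g_object_unref (msg);
+         g_free (uri);
+
+         soup_test_session_abort_unref (session);
+-- 
+2.11.0
+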
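Review bot: The new early return in lookup_auth is placed after the `soup_auth_is_ready` check on the auth already attached to the message but before the per-host cache lookup, and nothing in the code says that ordering is deliberate; the same applies to the `priv->proxy_auth` fallback in lookup_proxy_auth. A comment on the new branch would make the boundary explicit: `/* Everything below comes from the auth cache; an auth already set on msg (checked above) is still honoured. */`. The opening lines of both functions, where `auth` is obtained, are outside the hunk, so whether that earlier value can itself originate from the cache cannot be confirmed here.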
</div>

</body>
</html>