- From: Terje Bless <link@dev.w3.org>
- Date: Sun, 13 Feb 2005 19:13:00 +0000
- To: www-validator-cvs@w3.org
Update of /sources/public/validator/httpd/cgi-bin In directory hutz:/tmp/cvs-serv10246/httpd/cgi-bin Modified Files: check Log Message: Templatify &authenticate(). Index: check =================================================================== RCS file: /sources/public/validator/httpd/cgi-bin/check,v retrieving revision 1.398 retrieving revision 1.399 diff -u -d -r1.398 -r1.399 --- check 13 Feb 2005 18:50:09 -0000 1.398 +++ check 13 Feb 2005 19:12:58 -0000 1.399 @@ -310,9 +310,15 @@ $lang, 'fatal-error.tmpl'), die_on_bad_params => FALSE, ); +my $H = HTML::Template->new( + filename => File::Spec->catfile($CFG->{Paths}->{Templates}, + $lang, 'http_401_authrequired.tmpl'), + die_on_bad_params => FALSE, +); $File->{T} = $T; $File->{E} = $E; +$File->{H} = $H; # Read friendly error message file @@ -1105,7 +1111,7 @@ for my $scheme (keys(%$authHeader)) { my $origrealm = $authHeader->{$scheme}->{realm}; - if (!defined($origrealm) || lc($scheme) !~ /^(?:basic|digest)$/) { + if (not defined $origrealm or lc($scheme) !~ /^(?:basic|digest)$/) { delete($authHeader->{$scheme}); next; } 
@@ -1113,72 +1119,16 @@ } my $headers = HTTP::Headers->new(Connection => 'close'); - $headers->content_type('text/html; charset=utf-8'); $headers->www_authenticate(%$authHeader); $headers = $headers->as_string(); + chomp($headers); - print <<"EOF"; -Status: 401 Authorization Required -$headers + $File->{H}->param(http_401_headers => $headers); + $File->{H}->param(http_401_url => $resource); -<?xml version="1.0"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> - <head><title>[WMVS] 401 Authorization Required</title></head> - <body> - <h1>Authorization Required</h1> - <p>Sorry, I am not authorized to access the specified URL.</p> - <p> - The URL you specified, <<a href="$resource">$resource</a>>, - returned a 401 "authorization required" response when I tried - to download it. - </p> - <p> - You should have been prompted by your browser for a - username/password pair; if you had supplied this information, I - would have forwarded it to your server for authorization to - access the resource. You can use your browser's "reload" function - to try again, if you wish. - </p> - <p> - Of course, you may not want to trust me with this information, - which is fine. I can tell you that I don't log it or do - anything else nasty with it, and you can <a href="source/">download the - source code for this service</a> to see what it does, but you have no - guarantee that this is actually the code I'm using; you basically have to - decide whether to trust me or not :-) - </p> - <p> - You should also be aware that the way we proxy this authentication - information defeats the normal working of HTTP Authentication. 
- If you authenticate to server A, your browser may keep sending - the authentication information to us every time you validate - a page, regardless of what server it's on, and we'll happily pass - that on to the server thereby making it possible for a malicious - server operator to capture your credentials. - </p> - <p> - Due to the way HTTP Authentication works there is no way we can - avoid this. We are using some "tricks" to fool your client into - not sending this information in the first place, but there is no - guarantee this will work. If security is a concern to you, you - may wish to avoid validating protected resources or take extra - precautions to prevent your browser from sending authentication - information when validating other servers. - </p> - <p> - Also note that you shouldn't use HTTP Basic Authentication for - anything which really needs to be private, since the password - goes across the network unencrypted. - </p> -EOF + print $File->{H}->output; - # this is needed to avoid that the template code emits additional - # markup which would make the result invalid and look odd; in the - # longer term this should be moved into a template that fits with - # the general validator.w3.org style. - exit; + exit; # Further interaction will be a new HTTP request. }
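Review bot: In the first hunk (@@ -310,9 +310,15 @@), `die_on_bad_params => FALSE` on the new `$H` template means a `param()` call for a variable the template does not declare is silently ignored, so a typo in `http_401_headers` on either side would produce a 401 page with no `WWW-Authenticate` header and no error. Consider leaving the check on for this template, since it takes only two parameters. The template is also loaded on every request although it is only used on the 401 path; constructing it inside `&authenticate()` would avoid that. A one-line comment saying what `$H` holds would help, as `$T` and `$E` sit right beside it.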
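Review bot: The condition rewrite in the second hunk (@@ -1105,7 +1111,7 @@) is unrelated to the log message "Templatify &authenticate()" and would be easier to review as its own commit. `not defined $origrealm or lc($scheme) !~ /^(?:basic|digest)$/` now depends on `not` and `or` binding more loosely than `defined` and `!~`; it parses the same as the old `!defined(...) || ...` form, but keeping the parentheses around `defined($origrealm)` would make that obvious to the next reader.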
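Review bot: In the third hunk (@@ -1113,72 +1119,16 @@), `$resource` is handed to the template as `http_401_url` without escaping at the call site, so whether the user-specified URL is HTML-escaped in the 401 page now depends entirely on `http_401_authrequired.tmpl`, which is not part of this diff. The removed heredoc interpolated it raw into `<a href="$resource">$resource</a>`; the template should use `ESCAPE="HTML"` on that variable in both the attribute and the link text rather than carry the same behaviour over. The hunk also drops the `Status: 401 Authorization Required` line, the `content_type('text/html; charset=utf-8')` call and the blank line after `$headers`, and adds `chomp($headers)`, so the template has to emit the status line, the Content-Type and the header/body separator itself, and must output `http_401_headers` unescaped. Please include the template in the same change so this can be checked, along with confirmation that the warning text about proxied credentials survives the move.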
Received on Sunday, 13 February 2005 19:13:01 UTC