- From: Terje Bless <link@dev.w3.org>
- Date: Sun, 13 Feb 2005 19:13:00 +0000
- To: www-validator-cvs@w3.org
Update of /sources/public/validator/httpd/cgi-bin
In directory hutz:/tmp/cvs-serv10246/httpd/cgi-bin
Modified Files:
check
Log Message:
Templatify &authenticate().
Index: check
===================================================================
RCS file: /sources/public/validator/httpd/cgi-bin/check,v
retrieving revision 1.398
retrieving revision 1.399
diff -u -d -r1.398 -r1.399
--- check 13 Feb 2005 18:50:09 -0000 1.398
+++ check 13 Feb 2005 19:12:58 -0000 1.399
@@ -310,9 +310,15 @@
$lang, 'fatal-error.tmpl'),
die_on_bad_params => FALSE,
);
+my $H = HTML::Template->new(
+ filename => File::Spec->catfile($CFG->{Paths}->{Templates},
+ $lang, 'http_401_authrequired.tmpl'),
+ die_on_bad_params => FALSE,
+);
$File->{T} = $T;
$File->{E} = $E;
+$File->{H} = $H;
# Read friendly error message file
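Review bot: The new template object is stored under the one-letter key `$File->{H}` with no comment saying what it is for, next to the equally terse `T` and `E`. A comment on the constructor such as `# 401 "authorization required" page; filled in and printed by authenticate()` would save a reader from having to trace the key. The template is also loaded on every run, although the later hunk uses it only on the 401 path, so it could be built inside authenticate() instead if load cost matters.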
@@ -1105,7 +1111,7 @@
for my $scheme (keys(%$authHeader)) {
my $origrealm = $authHeader->{$scheme}->{realm};
- if (!defined($origrealm) || lc($scheme) !~ /^(?:basic|digest)$/) {
+ if (not defined $origrealm or lc($scheme) !~ /^(?:basic|digest)$/) {
delete($authHeader->{$scheme});
next;
}
@@ -1113,72 +1119,16 @@
}
my $headers = HTTP::Headers->new(Connection => 'close');
- $headers->content_type('text/html; charset=utf-8');
$headers->www_authenticate(%$authHeader);
$headers = $headers->as_string();
+ chomp($headers);
- print <<"EOF";
-Status: 401 Authorization Required
-$headers
+ $File->{H}->param(http_401_headers => $headers);
+ $File->{H}->param(http_401_url => $resource);
-<?xml version="1.0"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
- <head><title>[WMVS] 401 Authorization Required</title></head>
- <body>
- <h1>Authorization Required</h1>
- <p>Sorry, I am not authorized to access the specified URL.</p>
- <p>
- The URL you specified, <<a href="$resource">$resource</a>>,
- returned a 401 "authorization required" response when I tried
- to download it.
- </p>
- <p>
- You should have been prompted by your browser for a
- username/password pair; if you had supplied this information, I
- would have forwarded it to your server for authorization to
- access the resource. You can use your browser's "reload" function
- to try again, if you wish.
- </p>
- <p>
- Of course, you may not want to trust me with this information,
- which is fine. I can tell you that I don't log it or do
- anything else nasty with it, and you can <a href="source/">download the
- source code for this service</a> to see what it does, but you have no
- guarantee that this is actually the code I'm using; you basically have to
- decide whether to trust me or not :-)
- </p>
- <p>
- You should also be aware that the way we proxy this authentication
- information defeats the normal working of HTTP Authentication.
- If you authenticate to server A, your browser may keep sending
- the authentication information to us every time you validate
- a page, regardless of what server it's on, and we'll happily pass
- that on to the server thereby making it possible for a malicious
- server operator to capture your credentials.
- </p>
- <p>
- Due to the way HTTP Authentication works there is no way we can
- avoid this. We are using some "tricks" to fool your client into
- not sending this information in the first place, but there is no
- guarantee this will work. If security is a concern to you, you
- may wish to avoid validating protected resources or take extra
- precautions to prevent your browser from sending authentication
- information when validating other servers.
- </p>
- <p>
- Also note that you shouldn't use HTTP Basic Authentication for
- anything which really needs to be private, since the password
- goes across the network unencrypted.
- </p>
-EOF
+ print $File->{H}->output;
- # this is needed to avoid that the template code emits additional
- # markup which would make the result invalid and look odd; in the
- # longer term this should be moved into a template that fits with
- # the general validator.w3.org style.
- exit;
+ exit; # Further interaction will be a new HTTP request.
}
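Review bot: `$resource` is passed to the template as `http_401_url` without any escaping at the call site, and the constructor added in the first hunk sets no escaping default, so whether the URL is HTML-escaped now depends entirely on `http_401_authrequired.tmpl`, which this commit does not show. The removed heredoc interpolated the same value raw into both an `href` and the link text, so the template should not simply copy that markup; it should use `<TMPL_VAR NAME="http_401_url" ESCAPE="HTML">` in both places. `http_401_headers` has the opposite requirement: it must be emitted unescaped, and since the `content_type` call was dropped here the template itself has to supply the `Status:` and `Content-Type:` lines and the blank line that ends the header block. The realm in those headers appears to come from the remote server's challenge, so it is worth confirming that `as_string()` cannot let a crafted realm introduce an extra header line. I would record the contract above the two `param` calls, for example `# http_401_url is user-supplied: template must ESCAPE=HTML it; http_401_headers goes out raw, before the blank line`; the enclosing sub starts outside this hunk.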
Received on Sunday, 13 February 2005 19:13:01 UTC