http return code errors problem ?

sean picasso at madflower.com
Fri Mar 11 12:41:47 PST 2005


>
> > Actually, the server checks the invalid credentials; since it is sending
> > a 200 response, the server thinks they are valid since the PAM module
> > has said "these credentials are correct".  Otherwise, it would send
> > another 401 response.
> >
> > Sooo, I would suspect that you are running into a caching problem
> > in your PAM module and not a problem with CUPS.
>
> If your hypothesis is correct, then the old credentials would work (because they are cached) and the job would print, just like when the credentials are correct. yes?
>
> However, since it is not printing, that means the credentials are NOT being checked before the 200 is sent but they are being checked (correctly) _later_ so the next request by the client gives out the 401 error.
>
As a side note, this could actually be used as a DoS-style attack.
We found out that if you change the return (HTTP_UNAUTHORIZED);
to return (HTTP_NOT_FOUND); in scheduler/auth.c, i.e. from 401 to 404,
it disables the print queues in both Windows and OS X during a print attempt with a failed password, which is better than having them resend print jobs with a bad password every 10 seconds.

And it works just fine with passwords that are legit.

It won't prompt for a new password, but that isn't supported by the clients anyway. (Windows with the new win2K+3 server doesn't do it either, so I assume it isn't supported on the client side.)
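One way to spot the retry loop described in this message from the server side, as an added example that is not part of the original post or of CUPS: it scans access-log lines for a client that keeps getting 401 on the same queue at short intervals. It assumes Common Log Format style lines; the sample lines, the function names and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (host, ident, user, [time], "request", status, bytes).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Mar/2005:12:00:00 -0800] "POST /printers/lab1 HTTP/1.1" 401 0
192.0.2.10 - - [11/Mar/2005:12:00:10 -0800] "POST /printers/lab1 HTTP/1.1" 401 0
192.0.2.22 - - [11/Mar/2005:12:00:15 -0800] "POST /printers/lab1 HTTP/1.1" 401 0
192.0.2.22 - alice [11/Mar/2005:12:00:16 -0800] "POST /printers/lab1 HTTP/1.1" 200 341
192.0.2.10 - - [11/Mar/2005:12:00:20 -0800] "POST /printers/lab1 HTTP/1.1" 401 0
192.0.2.10 - - [11/Mar/2005:12:00:30 -0800] "POST /printers/lab1 HTTP/1.1" 401 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Return (host, timestamp, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    host, stamp, path, status = m.groups()
    return host, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)


def find_retry_loops(log_text, min_failures=4, max_gap_s=15):
    """Map (host, path) -> length of an unbroken run of 401s spaced <= max_gap_s apart."""
    runs = defaultdict(list)  # (host, path) -> timestamps of the current 401 run
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, when, path, status = rec
        run = runs[(host, path)]
        if status != 401:
            run.clear()  # a non-401 answer ends the run (e.g. the user fixed the password)
            continue
        if run and (when - run[-1]).total_seconds() > max_gap_s:
            run.clear()  # too far apart to be an automatic client retry
        run.append(when)
        if len(run) >= min_failures:
            flagged[(host, path)] = len(run)
    return flagged


if __name__ == "__main__":
    for (host, path), count in find_retry_loops(SAMPLE_LOG).items():
        print(f"{host} retried {path} {count} times with rejected credentials")
```
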






