http return code errors problem ?

Anonymous anonymous at easysw.com
Fri Sep 30 14:05:44 PDT 2005


Sean,

Did you ever get this problem resolved? Also, where is scheduler/auth.c? I run a Debian system with CUPS. I can't find auth.c. Thanks!

> >
> > > Actually, the server checks the invalid credentials; since it is sending
> > > a 200 response, the server thinks they are valid since the PAM module
> > > has said "these credentials are correct".  Otherwise, it would send
> > > another 401 response.
> > >
> > > Sooo, I would suspect that you are running into a caching problem
> > > in your PAM module and not a problem with CUPS.
> >
> > If your hypothesis is correct, then the old credentials would work (because they are cached) and the job would print, just like when the credentials are correct. Yes?
> >
> > However, since it is not printing, that means the credentials are NOT being checked before the 200 is sent but they are being checked (correctly) _later_ so the next request by the client gives out the 401 error.
> >
> As a side note, this could actually be used as a DoS style attack.
> We found out if you change the return (HTTP_UNAUTHORIZED);
> to return (HTTP_NOT_FOUND); in scheduler/auth.c, i.e. from 401 to 404
>
> It disables the print queues in both Windows and OS X during a print attempt with a failed password, which is better than having them resend print jobs with a bad password every 10 seconds.
>
> And it works just fine with passwords that are legit.
>
> It won't prompt for a new password, but that isn't supported by the clients anyway. (Windows with the new win2K+3 server doesn't do it either.) (So I assume it isn't supported on the client side.)
>