From 117880499754b14bbada9646b85feef066d7b959 Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Mon, 16 Sep 2013 19:00:40 +0200 Subject: HTTP authentication fails if QUrl contains password with % Default for QUrl::password() and QUrl::userName() is in Qt 5.1 QUrl::PrettyDecoded which means the return value may contain percent-encodings. For authentication we need the real decoded result, and should instead use QUrl::FullyDecoded. Note this bug has already been fixed indirectly in Qt 5.2 since the default for the two methods was changed to QUrl::FullyDecoded. Change-Id: Ia0f38c073cb001e37ad8b3eda40b3db756bec3dc Reviewed-by: Thiago Macieira --- src/network/access/qhttpnetworkconnectionchannel.cpp | 4 ++-- src/network/access/qnetworkaccessmanager.cpp | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'src/network') diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp index e14f426583..56984d144e 100644 --- a/src/network/access/qhttpnetworkconnectionchannel.cpp +++ b/src/network/access/qhttpnetworkconnectionchannel.cpp @@ -222,8 +222,8 @@ bool QHttpNetworkConnectionChannel::sendRequest() QAuthenticator &auth = authenticator; if (url.userName() != auth.user() || (!url.password().isEmpty() && url.password() != auth.password())) { - auth.setUser(url.userName()); - auth.setPassword(url.password()); + auth.setUser(url.userName(QUrl::FullyDecoded)); + auth.setPassword(url.password(QUrl::FullyDecoded)); connection->d_func()->copyCredentials(connection->d_func()->indexOf(socket), &auth, false); } // clear the userinfo, since we use the same request for resending diff --git a/src/network/access/qnetworkaccessmanager.cpp b/src/network/access/qnetworkaccessmanager.cpp index 10d19bb7aa..b86efb21a8 100644 --- a/src/network/access/qnetworkaccessmanager.cpp +++ b/src/network/access/qnetworkaccessmanager.cpp @@ -1229,8 +1229,8 @@ void QNetworkAccessManagerPrivate::authenticationRequired(QAuthenticator *authen // if credentials are included in the url, then use them if (!url.userName().isEmpty() && !url.password().isEmpty()) { - authenticator->setUser(url.userName()); - authenticator->setPassword(url.password()); + authenticator->setUser(url.userName(QUrl::FullyDecoded)); + authenticator->setPassword(url.password(QUrl::FullyDecoded)); *urlForLastAuthentication = url; authenticationManager->cacheCredentials(url, authenticator); return; -- cgit v1.2.3 From a23ff58d716f62b02ec825a3ea3c6b07616ee3f0 Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Tue, 17 Sep 2013 16:01:52 +0200 Subject: OAuth over XMLHttpRequest fails We currently always generate our own Authorization header, which overrides any Authorization headers set the by user application. Change-Id: I3b11c8dd0bc708e795ff697262a383ce28cae2f3 Reviewed-by: Peter Hartmann --- src/network/access/qhttpnetworkconnection.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/network') diff --git a/src/network/access/qhttpnetworkconnection.cpp b/src/network/access/qhttpnetworkconnection.cpp index a279990f4c..0222b36c7d 100644 --- a/src/network/access/qhttpnetworkconnection.cpp +++ b/src/network/access/qhttpnetworkconnection.cpp @@ -507,7 +507,7 @@ void QHttpNetworkConnectionPrivate::createAuthorization(QAbstractSocket *socket, // Send "Authorization" header, but not if it's NTLM and the socket is already authenticated. if (channels[i].authMethod != QAuthenticatorPrivate::None) { - if (!(channels[i].authMethod == QAuthenticatorPrivate::Ntlm && channels[i].lastStatus != 401)) { + if ((channels[i].authMethod != QAuthenticatorPrivate::Ntlm && request.headerField("Authorization").isEmpty()) || channels[i].lastStatus == 401) { QAuthenticatorPrivate *priv = QAuthenticatorPrivate::getPrivate(channels[i].authenticator); if (priv && priv->method != QAuthenticatorPrivate::None) { QByteArray response = priv->calculateResponse(request.d->methodName(), request.d->uri(false)); -- cgit v1.2.3