eb2d2d726825942e7438acabf7db1c6d0e071382 galt Fri Jun 22 17:54:32 2018 -0700 Attempt to allow net.c code to process cdwGetFiles url by passing through the basic auth from the browser. However, even with this change, because cdwGetFiles does not support byte ranges, bigDataUrl customTracks in cirm that use cdwGetFiles will not work.
diff --git src/hg/lib/wikiLink.c src/hg/lib/wikiLink.c
index 33f27e0..6d580db 100644
--- src/hg/lib/wikiLink.c
+++ src/hg/lib/wikiLink.c
@@ -336,45 +336,55 @@ exit(0); } boolean isValidUsername(char *s) /* Return TRUE if s is a valid username: only contains alpha chars, @, _ or - */ { char c = *s; while ((c = *s++) != 0) { if (!(isalnum(c) || (c == '_') || (c=='@') || (c=='-'))) return FALSE; } return TRUE; } -char *basicAuthUser(char *token) +void basicAuthUserPassword(char *token, char **pUser, char **pPassword) /* get the HTTP Header 'Authorization', which is just the b64 encoded username:password, - * and return the username. Result has to be freed. */ + * and return the username and password. Results should be freed. */ { - // username:password is b64 encrypted char *tokenPlain = base64Decode(token, 0); // plain text is in format username:password char *words[2]; int wordCount = chopString(tokenPlain, ":", words, ArraySize(words)); if (wordCount!=2) errAbort("wikiLink/basicAuthUser: got illegal basic auth token"); -char *user = words[0]; +if (pUser) + *pUser = cloneString(words[0]); +if (pPassword) + *pPassword = cloneString(words[1]); +freeMem(tokenPlain); +} +char *basicAuthUser(char *token) +/* get the HTTP Header 'Authorization', which is just the b64 encoded username:password, + * and return the username. Result should be freed. */ +{ +char *user = NULL; +basicAuthUserPassword(token, &user, NULL); return user; } char *wikiLinkUserName() /* Return the user name specified in cookies from the browser, or NULL if * the user doesn't appear to be logged in. */ { if (loginUseBasicAuth()) { char *token = getHttpBasicToken(); //XX The following should be uncommented for security reasons //if (!token) //printTokenErrorAndExit(); // May 2017: Allowing normal login even when HTTP Basic is enabled. This may be insecure. // Keeping it insecure pending Jim's/Clay's approval, for backwards compatibility.
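Review bot: In basicAuthUserPassword the decoded `username:password` is split on every ':' by `chopString(tokenPlain, ":", words, ArraySize(words))`, so a password that itself contains ':' looks likely to be truncated or rejected; which of the two depends on chopString, which is defined outside this hunk. RFC 7617 excludes ':' only from the user-id, so the split should happen at the first ':' alone, as sketched below. The function now also hands out the plaintext password: `freeMem(tokenPlain)` releases the decoded buffer without clearing it and the header comment says only "Results should be freed", so I would wipe the buffer over its full decoded length before freeing it and tell callers to wipe `*pPassword` before they free it. Going by the commit message the password is then passed on to net.c for URL fetches; that caller is not in this hunk, but it should forward the credentials only to the host the browser authenticated against, never to an arbitrary user-supplied URL.

```c
char *tokenPlain = base64Decode(token, 0);
// split at the first ':' only; the password part may itself contain ':'
char *colon = strchr(tokenPlain, ':');
if (colon == NULL || colon == tokenPlain)
    errAbort("wikiLink/basicAuthUser: got illegal basic auth token");
*colon = 0;
if (pUser)
    *pUser = cloneString(tokenPlain);
if (pPassword)
    *pPassword = cloneString(colon + 1);
// ... unchanged: freeMem(tokenPlain), ideally after wiping the decoded bytes ...
```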