Uploaded image for project: 'Artifactory Binary Repository'
  1. Artifactory Binary Repository
  2. RTFACT-5469

Artifactory does not send HTTP 401 challenge when accessing folders in repository without permissions anonymously

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 2.6.5, 3.5.3
    • Fix Version/s: 3.5.3
    • Component/s: Downloader, Security
    • Labels:
      None
    • Environment:
      • Artifactory on CentOS 6.2 installed via RPM
      • Artifactory Pro on RHEL 6.1 installed via RPM
    • Severity:
      Medium

      Description

      When

      • anonymous access to Artifactory is enabled (e.g. to allow unauthenticated access to cached public repositories)
      • the request does not send credentials
      • and a folder (not a file/actual artifact) is requested

      ... then Artifactory does not send an HTTP 401 auth challenge, but returns an empty directory listing.

      Example as anonymous: Empty directory listing

      $ curl http://repo.example.org/ext-release-local/group/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of ext-release-local/group</title>
</head>
<body>
<h1>Index of ext-release-local/group</h1>
<pre>Name  Last modified      Size</pre>
<hr/>
<pre><a href="../">../</a>
</pre>
<hr/>
<address style="font-size:small;">Artifactory/2.6.5 Server at repo.example.org Port 80</address>
</body> 
</html>

      Example as authorized user: Non-empty directory listing

      $ curl --user 'authorized_user:password' http://repo.example.org/ext-release-local/group/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of ext-release-local/group</title>
</head>
<body>
<h1>Index of ext-release-local/group</h1>
<pre>Name      Last modified      Size</pre>
<hr/>
<pre><a href="../">../</a>
<a href="artifact/"">artifact/</a>  11-Feb-2013 22:07    -
</pre>
<hr/>
<address style="font-size:small;">Artifactory/2.6.5 Server at repo.example.org Port 80</address>
</body>
</html>

      This is a problem for build systems that need to read directory listings to determine the version to use for a given dependency (e.g. Gradle using Artifactory as an Ivy repository for dependencies like acme:widget:1.0.+) and don't eagerly send HTTP authentication headers without being challenged by HTTP 401.

      This only happens when the last path character is a /. http://repo.example.org/ext-releases-local/group properly returns HTTP 401.

        Attachments

          Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product RTFACT-629 BASIC HTTP Authorization is not requested when anonymous login is enabled

          • Done
          triggered

          Bug - A problem which impairs or prevents the functions of the product RTFACT-7291 Virtual file listing on non existing folder returns 401

          • Done

            Activity

                People

                Assignee:
                chenk Chen Keinan (Inactive)
                Reporter:
                daniel.beck Daniel Beck (Inactive)
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved:

                    Sync Status

                    Connection: RTFACT Sync
                    RTMID-5469 -
                    SYNCHRONIZED
                    • Last Sync Date: