  1. Artifactory Binary Repository
  2. RTFACT-5469

Artifactory does not send HTTP 401 challenge when accessing folders in repository without permissions anonymously


    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 2.6.5, 3.5.3
    • Fix Version/s: 3.5.3
    • Component/s: Downloader, Security
    • Labels:
      None
    • Environment:
      • Artifactory on CentOS 6.2 installed via RPM
      • Artifactory Pro on RHEL 6.1 installed via RPM
    • Severity:
      Medium

      Description

      When

      • anonymous access to Artifactory is enabled (e.g. to allow unauthenticated access to cached public repositories)
      • the request does not send credentials
      • and a folder (not a file/actual artifact) is requested

      ... then Artifactory does not send an HTTP 401 auth challenge, but returns an empty directory listing.

      Example as anonymous: Empty directory listing

      $ curl http://repo.example.org/ext-release-local/group/
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
      <html>
      <head>
      <title>Index of ext-release-local/group</title>
      </head>
      <body>
      <h1>Index of ext-release-local/group</h1>
      <pre>Name  Last modified      Size</pre>
      <hr/>
      <pre><a href="../">../</a>
      </pre>
      <hr/>
      <address style="font-size:small;">Artifactory/2.6.5 Server at repo.example.org Port 80</address>
      </body> 
      </html>
      

      Example as authorized user: Non-empty directory listing

      $ curl --user 'authorized_user:password' http://repo.example.org/ext-release-local/group/
      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
      <html>
      <head>
      <title>Index of ext-release-local/group</title>
      </head>
      <body>
      <h1>Index of ext-release-local/group</h1>
      <pre>Name      Last modified      Size</pre>
      <hr/>
      <pre><a href="../">../</a>
      <a href="artifact/"">artifact/</a>  11-Feb-2013 22:07    -
      </pre>
      <hr/>
      <address style="font-size:small;">Artifactory/2.6.5 Server at repo.example.org Port 80</address>
      </body>
      </html>
      

      This is a problem for build systems that need to read directory listings to determine the version to use for a given dependency (e.g. Gradle using Artifactory as an Ivy repository for dependencies like acme:widget:1.0.+) and don't eagerly send HTTP authentication headers without being challenged by HTTP 401.

      This only happens when the last path character is a /. http://repo.example.org/ext-releases-local/group properly returns HTTP 401.
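
An added example, not part of the original report and not Artifactory code: a constructed local stand-in server that mimics the reported responses, queried by a client that sends credentials only after a 401 challenge (Python's `HTTPBasicAuthHandler`). The `FakeRepo` handler, the realm name and the listing bodies are assumptions made for illustration.

```python
import base64, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "authorized_user", "password"  # constructed, as in the curl example
FOLDER = "/ext-release-local/group"

class FakeRepo(BaseHTTPRequestHandler):
    """Constructed stand-in that mimics the reported behaviour (not Artifactory code)."""
    def do_GET(self):
        token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
        authed = self.headers.get("Authorization") == "Basic " + token
        if not authed and not self.path.endswith("/"):
            # Path without trailing slash: the anonymous request is challenged.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="repo"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        # Trailing slash: the anonymous request gets 200 and an empty listing.
        body = b'<a href="../">../</a>\n'
        if authed:
            body += b'<a href="artifact/">artifact/</a>\n'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_challenge_only(base, path):
    """GET like a client that sends credentials only after a 401 challenge."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base, USER, PASSWORD)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # ignore proxy settings for localhost
        urllib.request.HTTPBasicAuthHandler(mgr))
    with opener.open(base + path, timeout=5) as resp:
        return resp.read().decode()

def run_demo():
    """Return the listings such a client sees without and with the trailing slash."""
    srv = HTTPServer(("127.0.0.1", 0), FakeRepo)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        return fetch_challenge_only(base, FOLDER), fetch_challenge_only(base, FOLDER + "/")
    finally:
        srv.shutdown()
        srv.server_close()
```

The first listing contains `artifact/` because the 401 triggers a retry with credentials; the second is the empty listing, since the client holds valid credentials but is never asked for them.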


                People

                Assignee:
                chenk Chen Keinan (Inactive)
                Reporter:
                daniel.beck Daniel Beck (Inactive)