2189919 - CGI scripts don't work with local Negotiate authentication

Resolves: rhbz#2189919

cups-local-negotiate.patch

@@ -0,0 +1,115 @@
+diff --git a/cups/auth.c b/cups/auth.c
+index db45bbb..b6fec6b 100644
+--- a/cups/auth.c
++++ b/cups/auth.c
+@@ -90,6 +90,7 @@ static void	cups_gss_printf(OM_uint32 major_status, OM_uint32 minor_status,
+ #    define	cups_gss_printf(major, minor, message)
+ #  endif /* DEBUG */
+ #endif /* HAVE_GSSAPI */
++static int	cups_is_local_connection(http_t *http);
+ static int	cups_local_auth(http_t *http);
+ 
+ 
+@@ -174,10 +175,10 @@ cupsDoAuthentication(
+     DEBUG_printf(("2cupsDoAuthentication: Trying scheme \"%s\"...", scheme));
+ 
+ #ifdef HAVE_GSSAPI
+-    if (!_cups_strcasecmp(scheme, "Negotiate"))
++    if (!_cups_strcasecmp(scheme, "Negotiate") && !cups_is_local_connection(http))
+     {
+      /*
+-      * Kerberos authentication...
++      * Kerberos authentication to remote server...
+       */
+ 
+       int gss_status;			/* Auth status */
+@@ -201,7 +202,9 @@ cupsDoAuthentication(
+     }
+     else
+ #endif /* HAVE_GSSAPI */
+-    if (_cups_strcasecmp(scheme, "Basic") && _cups_strcasecmp(scheme, "Digest"))
++    if (_cups_strcasecmp(scheme, "Basic") &&
++	_cups_strcasecmp(scheme, "Digest") &&
++	_cups_strcasecmp(scheme, "Negotiate"))
+     {
+      /*
+       * Other schemes not yet supported...
+@@ -215,7 +218,7 @@ cupsDoAuthentication(
+     * See if we should retry the current username:password...
+     */
+ 
+-    if ((http->digest_tries > 1 || !http->userpass[0]) && (!_cups_strcasecmp(scheme, "Basic") || (!_cups_strcasecmp(scheme, "Digest"))))
++    if (http->digest_tries > 1 || !http->userpass[0])
+     {
+      /*
+       * Nope - get a new password from the user...
+@@ -295,7 +298,7 @@ cupsDoAuthentication(
+     }
+   }
+ 
+-  if (http->authstring)
++  if (http->authstring && http->authstring[0])
+   {
+     DEBUG_printf(("1cupsDoAuthentication: authstring=\"%s\".", http->authstring));
+ 
+@@ -916,6 +919,14 @@ cups_gss_printf(OM_uint32  major_status,/* I - Major status code */
+ #  endif /* DEBUG */
+ #endif /* HAVE_GSSAPI */
+ 
++static int				/* O - 0 if not a local connection */
++					/*     1  if local connection */
++cups_is_local_connection(http_t *http)	/* I - HTTP connection to server */
++{
++  if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
++    return 0;
++  return 1;
++}
+ 
+ /*
+  * 'cups_local_auth()' - Get the local authorization certificate if
+@@ -958,7 +969,7 @@ cups_local_auth(http_t *http)		/* I - HTTP connection to server */
+   * See if we are accessing localhost...
+   */
+ 
+-  if (!httpAddrLocalhost(http->hostaddr) && _cups_strcasecmp(http->hostname, "localhost") != 0)
++  if (!cups_is_local_connection(http))
+   {
+     DEBUG_puts("8cups_local_auth: Not a local connection!");
+     return (1);
+@@ -1032,11 +1043,6 @@ cups_local_auth(http_t *http)		/* I - HTTP connection to server */
+   }
+ #  endif /* HAVE_AUTHORIZATION_H */
+ 
+-#  ifdef HAVE_GSSAPI
+-  if (cups_auth_find(www_auth, "Negotiate"))
+-    return (1);
+-#  endif /* HAVE_GSSAPI */
+-
+ #  if defined(SO_PEERCRED) && defined(AF_LOCAL)
+  /*
+   * See if we can authenticate using the peer credentials provided over a
+diff --git a/scheduler/client.c b/scheduler/client.c
+index 89c76bf..40708d9 100644
+--- a/scheduler/client.c
++++ b/scheduler/client.c
+@@ -2244,18 +2244,13 @@ cupsdSendHeader(
+     }
+     else if (auth_type == CUPSD_AUTH_NEGOTIATE)
+     {
+-#if defined(SO_PEERCRED) && defined(AF_LOCAL)
+-      if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+-	strlcpy(auth_str, "PeerCred", sizeof(auth_str));
+-      else
+-#endif /* SO_PEERCRED && AF_LOCAL */
+       strlcpy(auth_str, "Negotiate", sizeof(auth_str));
+     }
+ 
+-    if (con->best && auth_type != CUPSD_AUTH_NEGOTIATE && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
++    if (con->best && !con->is_browser && !_cups_strcasecmp(httpGetHostname(con->http, NULL, 0), "localhost"))
+     {
+      /*
+-      * Add a "trc" (try root certification) parameter for local non-Kerberos
++      * Add a "trc" (try root certification) parameter for local
+       * requests when the request requires system group membership - then the
+       * client knows the root certificate can/should be used.
+       *

cups.spec

@@ -17,7 +17,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -103,6 +103,8 @@ Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch
 Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch
 # CVE-2022-26691 cups: authorization bypass when using "local" authorization
 Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch
+# 2189919 - CGI scripts don't work with local Negotiate authentication
+Patch30: cups-local-negotiate.patch
 
 
 ##### Patches removed because IMHO they aren't no longer needed
@@ -337,6 +339,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 %patch28 -p1 -b .manpage-update
 # CVE-2022-26691 cups: authorization bypass when using "local" authorization
 %patch29 -p1 -b .cve26691
+# 2189919 - CGI scripts don't work with local Negotiate authentication
+%patch30 -p1 -b .local-negotiate
 
 %if %{lspp}
 # LSPP support.
@@ -760,6 +764,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Wed Apr 26 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-18
+- 2189919 - CGI scripts don't work with local Negotiate authentication
+
 * Mon Apr 03 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-17
 - RHEL-314 - Enable fmf tests in centos stream