  1. Moodle
  2. MDL-75089

Moodle returns 407 Proxy Authentication Required when guest visitors pass HTTP_RANGE header



    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 3.11.7, 4.0.1
    • None
    • Authentication



      The issue is observed when a guest user tries to access a page that requires authentication (such as a private course, for example) and the request contains an HTTP_RANGE header. Regardless of whether the user is using a proxy or not, a '407 Proxy Authentication Required' error is returned to the browser instead of informing the visitor they need to log in or redirecting them to the login page.

      Steps to reproduce:

      • Make sure you are not logged in to the Moodle system.
      • Modify your request to include any HTTP_RANGE header
      • Visit a course that is not public and requires authentication
      • Observe the 407 Proxy Authentication Required error being returned

      Technical Details/Information:

      This is happening because we have the following code added to lib/moodlelib.php, inside require_login() function body:

      // Must not redirect when byteserving already started.
      if (!empty($_SERVER['HTTP_RANGE'])) {
          $preventredirect = true;
      }

      and later in the file, because $preventredirect is true, the code throws an exception instead of performing a redirect:

      if ($preventredirect) {
          throw new require_login_exception('You are not logged in');
      }

      which is eventually caught by the error handler in lib/outputrenderers.php which returns the 407 error page, because it detects there is an HTTP_RANGE header in the request.

      Even though the comment in lib/moodlelib.php suggests that there is already byteserving in progress, this is not really the case and the client should be able to handle redirects at that point (unless the response is returned with a 206 Partial Content code, in which case it cannot do a proper redirect). Tested with both Firefox and Chrome latest versions and both clients were able to pick up and execute the redirect with an HTTP_RANGE header in place.

      A possible, easy solution to the problem would be to either remove the HTTP_RANGE 'if' in the lib/moodlelib.php file or modify it and check if it is an initial request (i.e. the value of HTTP_RANGE header starts with 0). 






            Unassigned Unassigned
            valsg Valeri Markov
            David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
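
The "initial request" check proposed in the description, sketched as an added example (not Moodle code and not part of the original report). The function names range_starts_at_zero() and should_prevent_redirect() are hypothetical, and the sketch assumes that any Range value that is not clearly an initial byte range keeps the existing no-redirect behaviour.

```php
<?php
// Added example, not Moodle code. Both function names are hypothetical.

/**
 * True when the Range header is a byte range whose first range-spec starts
 * at offset 0 ("bytes=0-", "bytes=0-1023"). Suffix ranges ("bytes=-500"),
 * non-zero offsets and malformed values return false.
 */
function range_starts_at_zero(string $range): bool {
    // RFC 7233: Range = bytes-unit "=" byte-range-set; unit is case-insensitive.
    if (!preg_match('/^\s*bytes\s*=\s*(.+)$/i', $range, $m)) {
        return false;
    }
    // For a multi-range request only the first range-spec is inspected.
    $first = trim(explode(',', $m[1])[0]);
    // first-byte-pos "-" [ last-byte-pos ]; a suffix range has no first-byte-pos.
    if (!preg_match('/^(\d+)-(\d*)$/', $first, $parts)) {
        return false;
    }
    // Accept "0", "00", ... as offset zero.
    return ltrim($parts[1], '0') === '';
}

/**
 * The decision the report proposes for require_login(): block the redirect
 * only when a Range header is present and it is not an initial request.
 */
function should_prevent_redirect(array $server): bool {
    // Same presence test as the snippet quoted from lib/moodlelib.php.
    if (empty($server['HTTP_RANGE'])) {
        return false;
    }
    // Assumption: anything not clearly "starts at 0" keeps today's behaviour.
    return !range_starts_at_zero($server['HTTP_RANGE']);
}

// Constructed sample header values, not captured traffic.
$samples = ['bytes=0-', 'bytes=0-1023', 'Bytes=000-99', 'bytes=0-10, 500-600',
            'bytes=500-999', 'bytes=-500', 'garbage', ''];
foreach ($samples as $value) {
    printf("%-24s preventredirect=%s\n", var_export($value, true),
        should_prevent_redirect(['HTTP_RANGE' => $value]) ? 'true' : 'false');
}
```

With these samples, the four values whose first range starts at byte 0 and the empty value allow the redirect to the login page; the non-zero, suffix and malformed values still suppress it.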