From fed991d6979769dce6c54cc4896b24e6d60b901c Mon Sep 17 00:00:00 2001
From: Lauri Kasanen
Date: Thu, 4 Mar 2021 13:49:52 +0200
Subject: [PATCH] Return 401 unauth for non-owner trying /api/
---
 common/network/websocket.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/common/network/websocket.c b/common/network/websocket.c
index 422fd50..a035426 100644
--- a/common/network/websocket.c
+++ b/common/network/websocket.c
@@ -1252,9 +1252,23 @@ ws_ctx_t *do_handshake(int sock) {
 if (!parse_handshake(ws_ctx, handshake)) {
 handler_emsg("Invalid WS request, maybe a HTTP one\n");
- if (strstr(handshake, "/api/") && owner)
- if (ownerapi(ws_ctx, handshake))
+ if (strstr(handshake, "/api/")) {
+ handler_emsg("HTTP request under /api/\n");
+
+ if (owner) {
+ if (ownerapi(ws_ctx, handshake))
+ goto done;
+ } else {
+ sprintf(response, "HTTP/1.1 401 Unauthorized\r\n"
+ "Server: KasmVNC/4.0\r\n"
+ "Connection: close\r\n"
+ "Content-type: text/plain\r\n"
+ "\r\n"
+ "401 Unauthorized");
+ ws_send(ws_ctx, response, strlen(response));
 goto done;
+ }
+ }
 if (settings.httpdir && settings.httpdir[0])
 servefile(ws_ctx, handshake);
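Review bot: The new 401 branch writes into `response` with an unbounded `sprintf`; the format is a compile-time constant so it cannot overflow as written, but `response` and its size are declared outside the hunk, and a later edit that interpolates anything request-derived would have no bound, so `snprintf(response, sizeof response, "HTTP/1.1 401 Unauthorized\r\n" ...)` (or the buffer's explicit length if it is a pointer) is the safer idiom to establish now. A 401 sent without a `WWW-Authenticate` header does not follow RFC 7235; if `owner` means the caller has already passed the credential check but lacks owner rights (presumably set earlier in do_handshake, which is not visible here), `HTTP/1.1 403 Forbidden` describes the refusal more precisely. The denial path is also silent apart from the generic "HTTP request under /api/" message logged for every /api/ request, so an explicit `handler_emsg("Non-owner denied /api/ request\n");` before the `ws_send` would make these refusals distinguishable in logs. do_handshake starts before and continues after this hunk.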