authorEd Tanous <ed@tanous.net>2024-04-20 02:09:59 +0300
committerEd Tanous <ed@tanous.net>2024-04-23 18:12:54 +0300
commit52c150281c0235d610d31891a5fb50cb73972fcc (patch)
tree854bb446a2e7318d514eeef53acbf81f706dfa45
parent788fe74859b1fa491053d1fcd8bb32f42e7898b6 (diff)
downloadbmcweb-52c150281c0235d610d31891a5fb50cb73972fcc.tar.xz
Fix http2 use after free bug
In the below code, we move out of Response, then use the moved-from object to set unauthorized, which never gets returned to the user. This results in the browser showing an empty 200 OK response, because while the request was rejected, the 401 error code was not propagated to the user. Tested: If not logged in on a Chrome browser: /redfish/v1 -> Returns the UI. /redfish/v1/AccountService -> returns a forward to the webui login page. If logged into the webui, /redfish/v1/AccountService now returns the expected HTML redfish representation of the JSON response. Change-Id: I2c906f818367ebb253b3e6097e6787ba4c215e0a Signed-off-by: Ed Tanous <ed@tanous.net>
-rw-r--r--http/http2_connection.hpp4
1 files changed, 2 insertions, 2 deletions
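diff --git a/http/http2_connection.hpp b/http/http2_connection.hpp
index 7e8224eedf..4b2d186f07 100644
--- a/http/http2_connection.hpp
+++ b/http/http2_connection.hpp
@@ -265,7 +265,7 @@ class HTTP2Connection :
 std::make_shared<bmcweb::AsyncResp>(std::move(it->second.res));
 #ifndef BMCWEB_INSECURE_DISABLE_AUTHX
 thisReq.session = crow::authentication::authenticate(
- {}, thisRes, thisReq.method(), thisReq.req, nullptr);
+ {}, asyncResp->res, thisReq.method(), thisReq.req, nullptr);
 if (!crow::authentication::isOnAllowlist(thisReq.url().path(),
 thisReq.method()) &&
 thisReq.session == nullptr)
@@ -274,7 +274,7 @@ class HTTP2Connection :
 forward_unauthorized::sendUnauthorized(
 thisReq.url().encoded_path(),
 thisReq.getHeaderValue("X-Requested-With"),
- thisReq.getHeaderValue("Accept"), thisRes);
+ thisReq.getHeaderValue("Accept"), asyncResp->res);
 }
 else
 #endif // BMCWEB_INSECURE_DISABLE_AUTHX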
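Review bot: After `std::move(it->second.res)` on the first line of the first hunk, `asyncResp->res` is the only live response object, yet nothing in the code records that, so the next edit can reintroduce the failure-open 200 this commit fixes; a comment at the `authenticate` call such as `// it->second.res was moved into asyncResp above; the 401 must be written through asyncResp->res, never through the moved-from object` would make the invariant visible. If `thisRes` is still a reference to the moved-from response (its declaration is outside the hunk), consider removing it so the compiler rejects any further use instead of relying on review. The description says the fix was verified manually in a browser; an automated test asserting that an unauthenticated HTTP/2 request to a non-allowlisted path receives a 401 would pin the behaviour. The enclosing function begins and ends outside both hunks, and the same `thisRes` to `asyncResp->res` substitution is what the second hunk applies to `sendUnauthorized`.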