Posted to cvs@httpd.apache.org by mi...@apache.org on 2015/03/01 15:37:11 UTC
svn commit: r1663123 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml
docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c
Author: minfrin
Date: Sun Mar 1 14:37:11 2015
New Revision: 1663123
URL: http://svn.apache.org/r1663123
Log:
mod_authn_core: Add expression support to AuthName and AuthType.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/expr.xml
httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
httpd/httpd/trunk/modules/aaa/mod_authn_core.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1663123&r1=1663122&r2=1663123&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Mar 1 14:37:11 2015
@@ -6,6 +6,9 @@ Changes with Apache 2.5.0
calls r:wsupgrade() can cause a child process crash.
[Edward Lu <Chaosed0 gmail.com>]
+ *) mod_authn_core: Add expression support to AuthName and AuthType.
+ [Graham Leggett]
+
*) mod_deflate: A misplaced check prevents limiting small bodies with the
new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
Modified: httpd/httpd/trunk/docs/manual/expr.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/expr.xml?rev=1663123&r1=1663122&r2=1663123&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/expr.xml (original)
+++ httpd/httpd/trunk/docs/manual/expr.xml Sun Mar 1 14:37:11 2015
@@ -48,6 +48,8 @@
<seealso><directive module="mod_auth_form">AuthFormLoginRequiredLocation</directive></seealso>
<seealso><directive module="mod_auth_form">AuthFormLoginSuccessLocation</directive></seealso>
<seealso><directive module="mod_auth_form">AuthFormLogoutLocation</directive></seealso>
+<seealso><directive module="mod_authn_core">AuthName</directive></seealso>
+<seealso><directive module="mod_authn_core">AuthType</directive></seealso>
<seealso><directive module="mod_rewrite">RewriteCond</directive></seealso>
<seealso><directive module="mod_setenvif">SetEnvIfExpr</directive></seealso>
<seealso><directive module="mod_headers">Header</directive></seealso>
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml?rev=1663123&r1=1663122&r2=1663123&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml Sun Mar 1 14:37:11 2015
@@ -144,6 +144,16 @@ authentication</description>
<p>The string provided for the <code>AuthName</code> is what will
appear in the password dialog provided by most browsers.</p>
+
+ <p>From 2.4.13, <a href="../expr.html">expression syntax</a> can be
+ used inside the directive to produce the name dynamically.</p>
+
+ <p>For example:</p>
+
+ <highlight language="config">
+ AuthName "%{HTTP_HOST}"
+ </highlight>
+
</usage>
<seealso><a
href="../howto/auth.html">Authentication, Authorization, and
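Review bot: The added example, AuthName "%{HTTP_HOST}", builds the realm from a request header that the client supplies, and the new paragraph does not say so. It should state that the value is evaluated on every request and that the result is what the browser shows in the password dialog. It should also tell administrators that an existing AuthName string containing expression syntax is now interpreted rather than taken literally. Separately, "From 2.4.13" names a 2.4.x release while the CHANGES entry in this same commit sits under "Changes with Apache 2.5.0"; please confirm which version is meant.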
@@ -198,6 +208,9 @@ authentication</description>
</Directory>
</highlight>
+ <p>From 2.4.13, <a href="../expr.html">expression syntax</a> can be
+ used inside the directive to specify the type dynamically.</p>
+
<note>When disabling authentication, note that clients which have
already authenticated against another portion of the server's document
tree will typically continue to send authentication HTTP headers
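Review bot: The added AuthType paragraph says the type can be specified dynamically but gives no example and does not describe the two outcomes that decide whether authentication applies: an expression that evaluates to "None", and an expression that fails to evaluate. Since the note that follows is about disabling authentication, a sentence here on both cases would help.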
Modified: httpd/httpd/trunk/modules/aaa/mod_authn_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authn_core.c?rev=1663123&r1=1663122&r2=1663123&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authn_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authn_core.c Sun Mar 1 14:37:11 2015
@@ -34,6 +34,7 @@
#include "http_log.h"
#include "http_request.h"
#include "http_protocol.h"
+#include "ap_expr.h"
#include "ap_provider.h"
#include "mod_auth.h"
@@ -52,9 +53,9 @@
*/
typedef struct {
- const char *ap_auth_type;
+ ap_expr_info_t *ap_auth_type;
int auth_type_set;
- const char *ap_auth_name;
+ ap_expr_info_t *ap_auth_name;
} authn_core_dir_conf;
typedef struct provider_alias_rec {
@@ -298,8 +299,16 @@ static const char *set_authname(cmd_parm
const char *word1)
{
authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
+ const char *expr_err = NULL;
+
+ aconfig->ap_auth_name = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+ if (expr_err) {
+ return apr_pstrcat(cmd->temp_pool,
+ "Cannot parse expression '", word1, "' in AuthName: ",
+ expr_err, NULL);
+ }
- aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1);
return NULL;
}
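Review bot: In set_authname, every AuthName value now goes through ap_expr_parse_cmd and the handler returns "Cannot parse expression ..." when parsing fails, where the removed line accepted any string through ap_escape_quotes. A realm that was valid before this change and happens to contain expression syntax will now fail configuration. Consider either falling back to the literal string when the value contains no expression syntax, or calling out the incompatibility in CHANGES and the documentation. The handler is also run wherever the directive is read, so if AuthName is allowed in .htaccess the parse cost is paid during request processing; a comment on that, or a literal fast path, would be worth adding.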
@@ -307,9 +316,17 @@ static const char *set_authtype(cmd_parm
const char *word1)
{
authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
+ const char *expr_err = NULL;
+
+ aconfig->ap_auth_type = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+ if (expr_err) {
+ return apr_pstrcat(cmd->temp_pool,
+ "Cannot parse expression '", word1, "' in AuthType: ",
+ expr_err, NULL);
+ }
aconfig->auth_type_set = 1;
- aconfig->ap_auth_type = strcasecmp(word1, "None") ? word1 : NULL;
return NULL;
}
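Review bot: The parse-and-report block in set_authtype is a copy of the one in set_authname, differing only in the directive name inside the message; a small shared helper that takes the directive name would keep the two from drifting. Also note that the removed line resolved the literal "None" to NULL at configuration time, while the new code compiles "None" as an expression and leaves the comparison to request time; a short comment explaining why the config-time check was dropped would help the next reader.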
@@ -318,20 +335,44 @@ static const char *authn_ap_auth_type(re
{
authn_core_dir_conf *conf;
- conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
- &authn_core_module);
+ conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config,
+ &authn_core_module);
+
+ if (conf->ap_auth_type) {
+ const char *err = NULL, *type;
+ type = ap_expr_str_exec(r, conf->ap_auth_type, &err);
+ if (err) {
+ ap_log_rerror(
+ APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO() "AuthType expression could not be evaluated: %s", err);
+ return NULL;
+ }
+
+ return strcasecmp(type, "None") ? type : NULL;
+ }
- return conf->ap_auth_type;
+ return NULL;
}
static const char *authn_ap_auth_name(request_rec *r)
{
authn_core_dir_conf *conf;
+ const char *err = NULL, *name;
- conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
- &authn_core_module);
+ conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config,
+ &authn_core_module);
+
+ if (conf->ap_auth_name) {
+ name = ap_expr_str_exec(r, conf->ap_auth_name, &err);
+ if (err) {
+ ap_log_rerror(
+ APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO() "AuthName expression could not be evaluated: %s", err);
+ return NULL;
+ }
- return apr_pstrdup(r->pool, conf->ap_auth_name);
+ return ap_escape_quotes(r->pool, name);
+ }
+
+ return NULL;
}
static const command_rec authn_cmds[] =
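Review bot: In authn_ap_auth_type, the error branch does "return NULL;", which is the same value returned when the expression evaluates to "None" and when no AuthType is configured, so a caller cannot tell a failed expression from authentication being switched off. The same applies to authn_ap_auth_name, where a failed evaluation and an unset AuthName both yield NULL. Please make the failure distinguishable so the request can be rejected rather than handled as if no authentication were configured, or document why NULL is safe for every caller. Smaller points: both ap_log_rerror calls carry an empty APLOGNO() that still needs a tag assigned, each call sits on one over-long line that should be wrapped, and "err" and "name" are declared at function scope in authn_ap_auth_name but inside the if block in authn_ap_auth_type; pick one style.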
Re: svn commit: r1663123 - in /httpd/httpd/trunk: CHANGES
docs/manual/expr.xml docs/manual/mod/mod_authn_core.xml
modules/aaa/mod_authn_core.c
Posted by Ruediger Pluem <rp...@apache.org>.
On 03/01/2015 03:37 PM, minfrin@apache.org wrote:
> Author: minfrin
> Date: Sun Mar 1 14:37:11 2015
> New Revision: 1663123
>
> URL: http://svn.apache.org/r1663123
> Log:
> mod_authn_core: Add expression support to AuthName and AuthType.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/expr.xml
> httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
> httpd/httpd/trunk/modules/aaa/mod_authn_core.c
This causes a test case in the framework to fail. I guess just the test case is wrong, but it should be fixed:
# Running under perl version 5.010001 for linux
# Current time local: Fri Mar 6 16:32:45 2015
# Current time GMT: Fri Mar 6 15:32:45 2015
# Using Test.pm version 1.25_02
# Using Apache/Test.pm version 1.38
# testing : CAN-2004-0747 ap_resolve_env test case
# expected: 200
# received: '500'
not ok 1
# Failed test 1 in t/security/CVE-2004-0747.t at line 14
Failed 1/1 subtests
Test Summary Report
-------------------
t/security/CVE-2004-0747.t (Wstat: 0 Tests: 1 Failed: 1)
Failed test: 1
Files=1, Tests=1, 0 wallclock secs ( 0.01 usr 0.01 sys + 0.36 cusr 0.07 csys = 0.45 CPU)
Result: FAIL
Failed 1/1 test programs. 1/1 subtests failed.
error_log:
[Fri Mar 06 15:32:45.428836 2015] [core:alert] [pid 10177:tid 140546563634944] [client 127.0.0.1:40823]
/usr/src/apache/perl-framework-trunk/t/htdocs/security/CAN-2004-0747/.htaccess: Cannot parse expression '
This also reminds me that this could slow down .htaccess processing considerably, since we need to parse the
expression for each request where we have a .htaccess with this directive in place. Furthermore, do we open up any stuff
that malicious users with access to .htaccess could do with expressions that they are not expected to do?
If so, is it possible to limit expression support just to the case where the directive is not in .htaccess?
Regards
Rüdiger