Posted to cvs@httpd.apache.org by mi...@apache.org on 2015/03/01 15:37:11 UTC

svn commit: r1663123 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c

Author: minfrin
Date: Sun Mar  1 14:37:11 2015
New Revision: 1663123

URL: http://svn.apache.org/r1663123
Log:
mod_authn_core: Add expression support to AuthName and AuthType.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/expr.xml
    httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
    httpd/httpd/trunk/modules/aaa/mod_authn_core.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1663123&r1=1663122&r2=1663123&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Mar  1 14:37:11 2015
@@ -6,6 +6,9 @@ Changes with Apache 2.5.0
      calls r:wsupgrade() can cause a child process crash. 
      [Edward Lu <Chaosed0 gmail.com>]
 
+  *) mod_authn_core: Add expression support to AuthName and AuthType.
+     [Graham Leggett]
+
   *) mod_deflate: A misplaced check prevents limiting small bodies with the
      new inflate limits. PR56872. [Edward Lu, Eric Covener, Yann Ylavic]
 
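Review bot: the CHANGES entry lands under "Changes with Apache 2.5.0", while both docs hunks in mod_authn_core.xml say "From 2.4.13"; until a backport to 2.4.x is actually proposed and accepted the two disagree, so either the docs should say 2.5.0 or the entry should state that a backport is intended. The entry should also warn that AuthName and AuthType values were previously taken literally and are now parsed as expressions, so an existing realm string containing `%{` will be interpolated (or rejected at startup) after this change.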

Modified: httpd/httpd/trunk/docs/manual/expr.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/expr.xml?rev=1663123&r1=1663122&r2=1663123&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/expr.xml (original)
+++ httpd/httpd/trunk/docs/manual/expr.xml Sun Mar  1 14:37:11 2015
@@ -48,6 +48,8 @@
 <seealso><directive module="mod_auth_form">AuthFormLoginRequiredLocation</directive></seealso>
 <seealso><directive module="mod_auth_form">AuthFormLoginSuccessLocation</directive></seealso>
 <seealso><directive module="mod_auth_form">AuthFormLogoutLocation</directive></seealso>
+<seealso><directive module="mod_authn_core">AuthName</directive></seealso>
+<seealso><directive module="mod_authn_core">AuthType</directive></seealso>
 <seealso><directive module="mod_rewrite">RewriteCond</directive></seealso>
 <seealso><directive module="mod_setenvif">SetEnvIfExpr</directive></seealso>
 <seealso><directive module="mod_headers">Header</directive></seealso>

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml?rev=1663123&r1=1663122&r2=1663123&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml Sun Mar  1 14:37:11 2015
@@ -144,6 +144,16 @@ authentication</description>
 
     <p>The string provided for the <code>AuthName</code> is what will
     appear in the password dialog provided by most browsers.</p>
+
+    <p>From 2.4.13, <a href="../expr.html">expression syntax</a> can be
+    used inside the directive to produce the name dynamically.</p>
+
+   <p>For example:</p>
+
+   <highlight language="config">
+     AuthName "%{HTTP_HOST}"
+   </highlight>
+
 </usage>
 <seealso><a
     href="../howto/auth.html">Authentication, Authorization, and
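Review bot: the example `AuthName "%{HTTP_HOST}"` derives the realm from a request header the client supplies, and the realm is what browsers use to scope stored credentials and, for Digest authentication, is hashed together with the username and password, so a realm that varies with the request breaks Digest verification and defeats the browser's credential reuse. Suggest an example built from server-side data instead, plus a sentence saying the realm has to stay stable and match what the password store expects. Minor: the new paragraphs and the `<highlight>` block are indented three spaces where the surrounding `<usage>` text uses four.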
@@ -198,6 +208,9 @@ authentication</description>
 &lt;/Directory&gt;
     </highlight>
 
+    <p>From 2.4.13, <a href="../expr.html">expression syntax</a> can be
+    used inside the directive to specify the type dynamically.</p>
+
     <note>When disabling authentication, note that clients which have
     already authenticated against another portion of the server's document
     tree will typically continue to send authentication HTTP headers
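Review bot: the added sentence gives no example and does not say how the `None` value interacts with expressions; in the code the special case has moved from set_authtype to authn_ap_auth_type, where the evaluated result is compared case-insensitively against "None". A short example and a note that an expression evaluating to "None" disables authentication would make the docs match the implementation.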

Modified: httpd/httpd/trunk/modules/aaa/mod_authn_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authn_core.c?rev=1663123&r1=1663122&r2=1663123&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authn_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authn_core.c Sun Mar  1 14:37:11 2015
@@ -34,6 +34,7 @@
 #include "http_log.h"
 #include "http_request.h"
 #include "http_protocol.h"
+#include "ap_expr.h"
 #include "ap_provider.h"
 
 #include "mod_auth.h"
@@ -52,9 +53,9 @@
 */
 
 typedef struct {
-    const char *ap_auth_type;
+    ap_expr_info_t *ap_auth_type;
     int auth_type_set;
-    const char *ap_auth_name;
+    ap_expr_info_t *ap_auth_name;
 } authn_core_dir_conf;
 
 typedef struct provider_alias_rec {
@@ -298,8 +299,16 @@ static const char *set_authname(cmd_parm
                                 const char *word1)
 {
     authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
+    const char *expr_err = NULL;
+
+    aconfig->ap_auth_name = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT,
+            &expr_err, NULL);
+    if (expr_err) {
+        return apr_pstrcat(cmd->temp_pool,
+                "Cannot parse expression '", word1, "' in AuthName: ",
+                      expr_err, NULL);
+    }
 
-    aconfig->ap_auth_name = ap_escape_quotes(cmd->pool, word1);
     return NULL;
 }
 
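Review bot: quoting moves from configuration time to request time here: the old code stored `ap_escape_quotes(cmd->pool, word1)`, the new one stores the raw parsed expression and relies on authn_ap_auth_name to escape the evaluated result, so anything else reading `ap_auth_name` from the per-dir config (nothing in this diff) would now see unescaped text; worth confirming nothing else touches the field. The error string also embeds `word1` verbatim, which for a multi-line value yields a truncated log line like the `Cannot parse expression '` fragment reported in the reply below; logging the directive's file and line (available from `cmd->directive`) instead of the raw value would be more useful.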
@@ -307,9 +316,17 @@ static const char *set_authtype(cmd_parm
                                 const char *word1)
 {
     authn_core_dir_conf *aconfig = (authn_core_dir_conf *)mconfig;
+    const char *expr_err = NULL;
+
+    aconfig->ap_auth_type = ap_expr_parse_cmd(cmd, word1, AP_EXPR_FLAG_STRING_RESULT,
+            &expr_err, NULL);
+    if (expr_err) {
+        return apr_pstrcat(cmd->temp_pool,
+                "Cannot parse expression '", word1, "' in AuthType: ",
+                      expr_err, NULL);
+    }
 
     aconfig->auth_type_set = 1;
-    aconfig->ap_auth_type = strcasecmp(word1, "None") ? word1 : NULL;
 
     return NULL;
 }
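Review bot: `AuthType None` no longer stores NULL in `ap_auth_type`; it now stores a parsed expression and the `None` test happens per request, so any merge logic elsewhere that used `ap_auth_type == NULL` to detect None (not in this diff) needs checking. Returning the parse error before `auth_type_set = 1` is fine since a rejected directive aborts configuration. The error-message construction is a near-verbatim copy of set_authname; a small helper taking the directive name would avoid the duplication and keep the two messages in sync.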
@@ -318,20 +335,44 @@ static const char *authn_ap_auth_type(re
 {
     authn_core_dir_conf *conf;
 
-    conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
-        &authn_core_module);
+    conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config,
+            &authn_core_module);
+
+    if (conf->ap_auth_type) {
+        const char *err = NULL, *type;
+        type = ap_expr_str_exec(r, conf->ap_auth_type, &err);
+        if (err) {
+            ap_log_rerror(
+                    APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO() "AuthType expression could not be evaluated: %s", err);
+            return NULL;
+        }
+
+        return strcasecmp(type, "None") ? type : NULL;
+    }
 
-    return conf->ap_auth_type;
+    return NULL;
 }
 
 static const char *authn_ap_auth_name(request_rec *r)
 {
     authn_core_dir_conf *conf;
+    const char *err = NULL, *name;
 
-    conf = (authn_core_dir_conf *)ap_get_module_config(r->per_dir_config,
-        &authn_core_module);
+    conf = (authn_core_dir_conf *) ap_get_module_config(r->per_dir_config,
+            &authn_core_module);
+
+    if (conf->ap_auth_name) {
+        name = ap_expr_str_exec(r, conf->ap_auth_name, &err);
+        if (err) {
+            ap_log_rerror(
+                    APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, APLOGNO() "AuthName expression could not be evaluated: %s", err);
+            return NULL;
+        }
 
-    return apr_pstrdup(r->pool, conf->ap_auth_name);
+        return ap_escape_quotes(r->pool, name);
+    }
+
+    return NULL;
 }
 
 static const command_rec authn_cmds[] =
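Review bot: an evaluation error in authn_ap_auth_type returns NULL, which callers cannot distinguish from `AuthType None`, so a failing expression silently reports "no authentication type" rather than failing the request; authn_ap_auth_name has the same shape, with NULL doubling as "not configured". Consider a distinct failure path, and the two `APLOGNO()` tags need numbers assigned before this ships. Also note that `ap_escape_quotes` only escapes quote characters, while the evaluated name can now carry request data (the docs example uses HTTP_HOST); this hunk does nothing about other characters in the result before it reaches the WWW-Authenticate header. Style: both ap_log_rerror calls run well past 80 columns; break after the `r,` argument.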



Re: svn commit: r1663123 - in /httpd/httpd/trunk: CHANGES docs/manual/expr.xml docs/manual/mod/mod_authn_core.xml modules/aaa/mod_authn_core.c

Posted by Ruediger Pluem <rp...@apache.org>.

On 03/01/2015 03:37 PM, minfrin@apache.org wrote:
> Author: minfrin
> Date: Sun Mar  1 14:37:11 2015
> New Revision: 1663123
> 
> URL: http://svn.apache.org/r1663123
> Log:
> mod_authn_core: Add expression support to AuthName and AuthType.
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/docs/manual/expr.xml
>     httpd/httpd/trunk/docs/manual/mod/mod_authn_core.xml
>     httpd/httpd/trunk/modules/aaa/mod_authn_core.c


This causes a test case in the framework to fail. I guess just the test case is wrong, but it should be fixed:

# Running under perl version 5.010001 for linux
# Current time local: Fri Mar  6 16:32:45 2015
# Current time GMT:   Fri Mar  6 15:32:45 2015
# Using Test.pm version 1.25_02
# Using Apache/Test.pm version 1.38
# testing : CAN-2004-0747 ap_resolve_env test case
# expected: 200
# received: '500'
not ok 1
# Failed test 1 in t/security/CVE-2004-0747.t at line 14
Failed 1/1 subtests

Test Summary Report
-------------------
t/security/CVE-2004-0747.t (Wstat: 0 Tests: 1 Failed: 1)
  Failed test:  1
Files=1, Tests=1,  0 wallclock secs ( 0.01 usr  0.01 sys +  0.36 cusr  0.07 csys =  0.45 CPU)
Result: FAIL
Failed 1/1 test programs. 1/1 subtests failed.


error_log:

[Fri Mar 06 15:32:45.428836 2015] [core:alert] [pid 10177:tid 140546563634944] [client 127.0.0.1:40823]
/usr/src/apache/perl-framework-trunk/t/htdocs/security/CAN-2004-0747/.htaccess: Cannot parse expression '

This also reminds me that this could slow down .htaccess processing considerably since we need to parse the
expression for each request where we have a .htaccess with this directive in place. Furthermore do we open up any stuff
that malicious users with access to .htaccess could do with expressions that they are not expected to do?
If so is it possible to limit expression support just to the case the directive is not in .htaccess?

Regards

Rüdiger