You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by co...@apache.org on 2017/05/26 21:29:59 UTC
svn commit: r1796348 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h
include/http_protocol.h server/protocol.c server/request.c
Author: covener
Date: Fri May 26 21:29:59 2017
New Revision: 1796348
URL: http://svn.apache.org/viewvc?rev=1796348&view=rev
Log:
core: deprecate and replace ap_get_basic_auth_pw
*) core: Deprecate ap_get_basic_auth_pw() and add
ap_get_basic_auth_components().
Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/include/ap_mmn.h
httpd/httpd/trunk/include/http_protocol.h
httpd/httpd/trunk/server/protocol.c
httpd/httpd/trunk/server/request.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1796348&r1=1796347&r2=1796348&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri May 26 21:29:59 2017
@@ -1,6 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) core: Deprecate ap_get_basic_auth_pw() and add
+ ap_get_basic_auth_components().
+ [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
+
*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error(). [Yann Ylavic]
Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1796348&r1=1796347&r2=1796348&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Fri May 26 21:29:59 2017
@@ -552,6 +552,8 @@
* 20161018.2 (2.5.0-dev) add ap_set_conn_count()
* 20161018.3 (2.5.0-dev) add ap_exists_directive()
* 20161018.4 (2.5.0-dev) Add taint to request_rec and ap_request_tainted()
+ * 20161018.5 (2.5.0-dev) Add ap_get_basic_auth_components() and deprecate
+ * ap_get_basic_auth_pw()
*/
#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
@@ -559,7 +561,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20161018
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 4 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 5 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
Modified: httpd/httpd/trunk/include/http_protocol.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_protocol.h?rev=1796348&r1=1796347&r2=1796348&view=diff
==============================================================================
--- httpd/httpd/trunk/include/http_protocol.h (original)
+++ httpd/httpd/trunk/include/http_protocol.h Fri May 26 21:29:59 2017
@@ -576,7 +576,11 @@ AP_DECLARE(void) ap_note_digest_auth_fai
AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
/**
- * Get the password from the request headers
+ * Get the password from the request headers. This function has multiple side
+ * effects due to its prior use in the old authentication framework.
+ * ap_get_basic_auth_components() should be preferred.
+ *
+ * @deprecated @see ap_get_basic_auth_components
* @param r The current request
* @param pw The password as set in the headers
* @return 0 (OK) if it set the 'pw' argument (and assured
@@ -589,6 +593,25 @@ AP_DECLARE_HOOK(int, note_auth_failure,
*/
AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
+#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
+
+/**
+ * Get the username and/or password from the request's Basic authentication
+ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
+ * effects on the passed request_rec.
+ *
+ * @param r The current request
+ * @param username If not NULL, set to the username sent by the client
+ * @param password If not NULL, set to the password sent by the client
+ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
+ * APR_EINVAL if there was no authentication header sent or if the
+ * client was not using the Basic authentication scheme. username and
+ * password are unchanged on failure.
+ */
+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
+ const char **username,
+ const char **password);
+
/**
* parse_uri: break apart the uri
* @warning Side Effects:
Modified: httpd/httpd/trunk/server/protocol.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?rev=1796348&r1=1796347&r2=1796348&view=diff
==============================================================================
--- httpd/httpd/trunk/server/protocol.c (original)
+++ httpd/httpd/trunk/server/protocol.c Fri May 26 21:29:59 2017
@@ -1627,6 +1627,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req
t = ap_pbase64decode(r->pool, auth_line);
r->user = ap_getword_nulls (r->pool, &t, ':');
+ apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1");
r->ap_auth_type = "Basic";
*pw = t;
@@ -1634,6 +1635,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req
return OK;
}
+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
+ const char **username,
+ const char **password)
+{
+ const char *auth_header;
+ const char *credentials;
+ const char *decoded;
+ const char *user;
+
+ auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
+ : "Authorization";
+ credentials = apr_table_get(r->headers_in, auth_header);
+
+ if (!credentials) {
+ /* No auth header. */
+ return APR_EINVAL;
+ }
+
+ if (ap_cstr_casecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) {
+ /* These aren't Basic credentials. */
+ return APR_EINVAL;
+ }
+
+ while (*credentials == ' ' || *credentials == '\t') {
+ credentials++;
+ }
+
+ /* XXX Our base64 decoding functions don't actually error out if the string
+ * we give it isn't base64; they'll just silently stop and hand us whatever
+ * they've parsed up to that point.
+ *
+ * Since this function is supposed to be a drop-in replacement for the
+ * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x.
+ */
+ decoded = ap_pbase64decode(r->pool, credentials);
+ user = ap_getword_nulls(r->pool, &decoded, ':');
+
+ if (username) {
+ *username = user;
+ }
+ if (password) {
+ *password = decoded;
+ }
+
+ return APR_SUCCESS;
+}
+
struct content_length_ctx {
int data_sent; /* true if the C-L filter has already sent at
* least one bucket on to the next output filter
Modified: httpd/httpd/trunk/server/request.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/request.c?rev=1796348&r1=1796347&r2=1796348&view=diff
==============================================================================
--- httpd/httpd/trunk/server/request.c (original)
+++ httpd/httpd/trunk/server/request.c Fri May 26 21:29:59 2017
@@ -124,6 +124,8 @@ static int decl_die(int status, const ch
AP_DECLARE(int) ap_some_authn_required(request_rec *r)
{
int access_status;
+ char *olduser = r->user;
+ int rv = FALSE;
switch (ap_satisfies(r)) {
case SATISFY_ALL:
@@ -134,7 +136,7 @@ AP_DECLARE(int) ap_some_authn_required(r
access_status = ap_run_access_checker_ex(r);
if (access_status == DECLINED) {
- return TRUE;
+ rv = TRUE;
}
break;
@@ -145,13 +147,14 @@ AP_DECLARE(int) ap_some_authn_required(r
access_status = ap_run_access_checker_ex(r);
if (access_status == DECLINED) {
- return TRUE;
+ rv = TRUE;
}
break;
}
- return FALSE;
+ r->user = olduser;
+ return rv;
}
/* This is the master logic for processing requests. Do NOT duplicate
@@ -263,6 +266,14 @@ AP_DECLARE(int) ap_process_request_inter
r->ap_auth_type = r->main->ap_auth_type;
}
else {
+ /* A module using a confusing API (ap_get_basic_auth_pw) caused
+ ** r->user to be filled out prior to check_authn hook. We treat
+ ** it is inadvertent.
+ */
+ if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) {
+ r->user = NULL;
+ }
+
switch (ap_satisfies(r)) {
case SATISFY_ALL:
case SATISFY_NOSPEC: