You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/04/02 19:40:56 UTC
DO NOT REPLY [Bug 42690] realm is not set for each configured
directory when digest authentication is used
https://issues.apache.org/bugzilla/show_bug.cgi?id=42690
--- Comment #1 from Troy Stanger <st...@sourcegear.com> 2012-04-02 17:40:56 UTC ---
Ran into the same stack trace in a deployment I am currently working on. This
setup involves mod_auth_digest, mod_authn_dbd and mod_vhost_alias. The
abbreviated relevant portions of my config are:
VirtualDocumentRoot /vhosts/%0
<Directory /vhosts>
AllowOverride AuthConfig
</Directory>
<LocationMatch "^(/private/).*">
AuthType Digest
AuthDigestProvider dbd
# core authorization configuration
Require valid-user
AuthDBDUserRealmQuery \
"SELECT password FROM apache_users WHERE username = %s AND realm = %s"
</LocationMatch>
In the Document Root for each virtual host is an .htaccess file that defines
the AuthName for that virtual host
AuthName "some_realm"
I have a patch that fixes two issues this segfault exposes.
1) (Obviously) Apache shouldn't segfault when either the expected or provided
auth realm is null. The if() statement that calls strcmp on those two values
should also ensure neither is null. Additionally, this check should probably
be done on all calls to strcmp in the module.
2) For some reason the realm mod_auth_digest and mod_authn_core are reporting
different realms for the same request. This is due to different merge rules on
dir_config struct members ap_auth_name/realm in the mod_authn_core and
mod_auth_digest modules.
The patch I've included performs NULL checks before calling strcmp and it adds
a dir_config merge function that matches the merge rules in mod_authn_core.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org