Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/04/02 19:40:56 UTC

DO NOT REPLY [Bug 42690] realm is not set for each configured directory when digest authentication is used

https://issues.apache.org/bugzilla/show_bug.cgi?id=42690

--- Comment #1 from Troy Stanger <st...@sourcegear.com> 2012-04-02 17:40:56 UTC ---
Ran into the same stack trace in a deployment I am currently working on.  This
setup involves mod_auth_digest, mod_authn_dbd and mod_vhost_alias.  The
abbreviated relevant portions of my config are:

    VirtualDocumentRoot /vhosts/%0

    <Directory /vhosts>
        AllowOverride AuthConfig
    </Directory>

    <LocationMatch "^(/private/).*">
        AuthType Digest
        AuthDigestProvider dbd

        # core authorization configuration
        Require valid-user

        AuthDBDUserRealmQuery \
        "SELECT password FROM apache_users WHERE username = %s AND realm = %s"
    </LocationMatch>

In the Document Root for each virtual host is an .htaccess file that defines
the AuthName for that virtual host:

    AuthName "some_realm"

I have a patch that fixes two issues this segfault exposes.

1) (Obviously) Apache shouldn't segfault when either the expected or provided
auth realm is null.  The if() statement that calls strcmp on those two values
should also ensure neither is null.  Additionally, this check should probably
be done on all calls to strcmp in the module.

2) For some reason mod_auth_digest and mod_authn_core are reporting
different realms for the same request.  This is due to different merge rules on
dir_config struct members ap_auth_name/realm in the mod_authn_core and
mod_auth_digest modules.

The patch I've included performs NULL checks before calling strcmp and it adds
a dir_config merge function that matches the merge rules in mod_authn_core.

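The two issues described in the comment above, modelled as a stand-alone added example; this is not the attached patch and not httpd source. The `dir_conf` struct and all function names are hypothetical, and the sketch assumes that a module with no per-directory merge function gets the more specific section's config as is, while the merge function inherits the parent's realm when the child sets none.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a module's per-directory config. */
typedef struct { const char *realm; } dir_conf;

/* Assumed behaviour with no merge function registered: the more specific
 * section's config replaces the parent's, so an unset realm stays NULL. */
static dir_conf merge_replace(dir_conf base, dir_conf add)
{
    (void)base;
    return add;
}

/* Override-if-set merge: keep the child's realm when it has one,
 * otherwise inherit the parent's. */
static dir_conf merge_inherit(dir_conf base, dir_conf add)
{
    dir_conf out;
    out.realm = add.realm ? add.realm : base.realm;
    return out;
}

/* NULL-safe comparison: 1 only when both realms are present and equal.
 * A missing realm is a mismatch; strcmp is never called on NULL. */
static int realm_matches(const char *expected, const char *provided)
{
    if (expected == NULL || provided == NULL)
        return 0;
    return strcmp(expected, provided) == 0;
}

int main(void)
{
    dir_conf htaccess = { "some_realm" };    /* AuthName from .htaccess */
    dir_conf location = { NULL };            /* <LocationMatch> sets no AuthName */
    const char *client_realm = "some_realm"; /* constructed client-supplied value */

    dir_conf replaced  = merge_replace(htaccess, location);
    dir_conf inherited = merge_inherit(htaccess, location);

    printf("no merge function: realm=%s match=%d\n",
           replaced.realm ? replaced.realm : "(null)",
           realm_matches(replaced.realm, client_realm));
    printf("inheriting merge:  realm=%s match=%d\n",
           inherited.realm ? inherited.realm : "(null)",
           realm_matches(inherited.realm, client_realm));
    return 0;
}
```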