You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Paul Henson <he...@acm.org> on 1999/09/17 20:41:53 UTC

general/5034: when using mod_auth_dce, get_path_info() can return incorrect results

>Number:         5034
>Category:       general
>Synopsis:       when using mod_auth_dce, get_path_info() can return incorrect results
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Fri Sep 17 11:50:00 PDT 1999
>Last-Modified:
>Originator:     henson@acm.org
>Organization:
apache
>Release:        1.3.9
>Environment:
DCE/DFS
>Description:
in http_request.c, get_path_info() calls stat() as it tries to determine
which part of the request is actually a file, and which part should be passed
as path_info. if the call to stat() returns EACCES, the last component
of the request is chopped off.

mod_auth_dce it is rather unique in that I believe it is the only
authentication module that actually changes the access level of
the server during a request. get_path_info assumes  that the
server has the same privileges to the filesystem at all times.
However, using mod_auth_dce,  this assumption is inaccurate,
resulting in failure to split the request correctly.
>How-To-Repeat:
<NA>
>Fix:
I distribute a patch with my module such that get_path_info()
 simply returns OK  when it encounters EACCES, and then I
call the function again within my module.

I do not think this patch is generally advisable, but I cannot think
of any other way to fix the problem without a larger redesign.

at this point, I would just like the development team to consider
the possibility that the server could potentially have  different access
privileges before and after the authentication phase, and think about
how that impacts current and future designs.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]