Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1996/06/25 01:23:08 UTC

notes on 1.1b4 authorization and table_set() function calls. (fwd)

not acked.



Message-Id: <19...@kci.kciLink.com>
To: Apache Bugs <ap...@mail.apache.org>
Subject: notes on 1.1b4 authorization and table_set() function calls.
Date: Mon, 24 Jun 1996 18:53:12 -0400
From: Vivek Khera <kh...@kci.kciLink.com>

I was just playing around trying to make some more optimizations to my msql
authorization module, and noticed this interesting effect.

Given a directory protected only by group authorization, fetching the
directory name (forcing use of the implied index.html file) the group
authorization check is called twice for the index.html file.  For example:

Given the directory a2 in document root.  htaccess says to authenticate using
group ``admin'':

<Limit GET POST>
require group admin
</Limit>


And the srm.conf has this search list:

DirectoryIndex index.html index.shtml index.phtml index.cgi index.htm

When fetching http://www.govcon.com/a2/ Apache will request the group list for:

 /a2/
 /a2/index.html
 /a2/index.html

then serve up the document.  Note that it requests the group list twice for
the document it does find.  I printed out the URI (r->uri) of the request in
the check_auth handler function -- this is how many times that function is
called in my module by Apache per HTTP request.

If index.html does not exist, it will use index.shtml, in which case the
server calls check_auth with the URI set to each of:

 /a2/
 /a2/index.html
 /a2/index.shtml
 /a2/index.shtml

However, if I request /a2/index.shtml directly, it only calls check_auth
exactly once as expected for that URI.

I haven't looked into the complexity of this just yet, but it would seem to me
it makes more sense to test for the existence of the file *before* testing for
authorization of access to the file.  I'm sure people who rely heavily on
authorization would agree, too.  This would greatly reduce the number of hits
on the authorization database for access to a file that doesn't exist.



Secondly, I notice that at many places you call table_set() with the third
parameter as pstrdup(...) when table_set() does that for you already.  Not a
big deal as the space will be reclaimed rather quickly, but it does seem to be
an expensive operation to do given that it will just be pstrdup()'d again
immediately.

Thanks for your attention.

								v.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D.                        Khera Communications, Inc.
Internet: khera@kciLink.com               Rockville, MD       +1-301-258-8292
PGP/MIME spoken here                      http://www.kciLink.com/home/khera/

----- End of forwarded message from Vivek Khera -----

-- 
Rob Hartill (robh@imdb.com)
The Internet Movie Database (IMDb)  http://www.imdb.com/
           ...more movie info than you can poke a stick at.

Re: notes on 1.1b4 authorization and table_set() function calls. (fwd)

Posted by Alexei Kosut <ak...@organic.com>.
On Mon, 24 Jun 1996, Vivek Khera wrote:

[snip]

> I haven't looked into the complexity of this just yet, but it would seem to me
> it makes more sense to test for the existence of the file *before* testing for
> authorization of access to the file.  I'm sure people who rely heavily on
> authorization would agree, too.  This would greatly reduce the number of hits
> on the authorization database for access to a file that doesn't exist.

It might seem to make sense, indeed, it would, as you say, reduce load on
the authorization database. However, it would be a security hole: If the
server returned a Not Found error prior to returning an Authentication
Required error, a potential hacker might be able to get a map of all the
filenames on the server, without actually having access to the server, by
noting when the server returned Not Found, versus when it asked for
authentication.

Apache, when finding directory indexes internally, uses the exact same
mechanism that it uses when a file is requested by a user, except that it
does not actually serve the file. Since this request includes the
authentication stage, it is therefore necessary to check authorization
for each index file checked.

> Secondly, I notice that at many places you call table_set() with the third
> parameter as pstrdup(...) when table_set() does that for you already.  Not a
> big deal as the space will be reclaimed rather quickly, but it does seem to be
> an expensive operation to do given that it will just be pstrdup()'d again
> immediately.

pstrdup() is not a particularly expensive operation, due to the way
Apache's memory-pool allocation code works (not nearly as much as it would
be for the corresponding malloc() and strcpy()), but you are correct,
there is a lot of this sort of thing. Probably the best explanation is
that it makes people feel safer, knowing for sure that their strings
won't be mangled.

Perhaps in a future version of Apache, we will clean up this sort of
thing. It might not be a bad idea.

> Thanks for your attention.

Thanks for using Apache!

-- Alexei Kosut <ak...@organic.com>            The Apache HTTP Server 
   http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/
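
Added example, not part of the original thread and not Apache's code: a small C model of the two check orderings discussed above, showing which one lets a client without credentials tell existing files from missing ones, and reproducing the four check_auth calls reported for /a2/ when only index.shtml exists. The function names, the "admin" credential and the index-search model are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: the only index file present in /a2/. */
static const char *existing[] = { "/a2/index.shtml" };
static const char *dir_index[] = { "index.html", "index.shtml", "index.phtml" };
static int auth_calls;                  /* lookups against the group database */
static int file_exists(const char *uri) {
    for (size_t i = 0; i < sizeof existing / sizeof *existing; i++)
        if (strcmp(existing[i], uri) == 0) return 1;
    return 0;
}
/* Hypothetical stand-in for a module's check_auth: only "admin" passes. */
static int check_auth(const char *cred) {
    auth_calls++;
    return cred != NULL && strcmp(cred, "admin") == 0;
}
/* Order described in the reply: authorization is decided before existence. */
int status_auth_first(const char *uri, const char *cred) {
    if (!check_auth(cred)) return 401;
    return file_exists(uri) ? 200 : 404;
}
/* Order proposed in the first message: existence is decided first. */
int status_exists_first(const char *uri, const char *cred) {
    if (!file_exists(uri)) return 404;
    return check_auth(cred) ? 200 : 401;
}
/* 1 if a client with no credentials can tell a real file from a missing one. */
int leaks_existence(int (*handler)(const char *, const char *)) {
    return handler("/a2/index.shtml", NULL) != handler("/a2/missing.html", NULL);
}
/* Assumed model: the directory, one lookup per candidate, then the winner. */
int index_auth_calls(const char *dir, const char *cred) {
    char uri[64];
    auth_calls = 0;
    if (!check_auth(cred)) return auth_calls;       /* the directory itself */
    for (size_t i = 0; i < sizeof dir_index / sizeof *dir_index; i++) {
        snprintf(uri, sizeof uri, "%s%s", dir, dir_index[i]);
        if (status_auth_first(uri, cred) != 200) continue;  /* lookup only */
        status_auth_first(uri, cred);               /* request for the winner */
        break;
    }
    return auth_calls;
}
int main(void) {
    printf("auth-first leaks=%d exists-first leaks=%d index auth calls=%d\n",
           leaks_existence(status_auth_first),
           leaks_existence(status_exists_first), index_auth_calls("/a2/", "admin"));
    return 0;
}
```

With authorization decided first, every unauthenticated request under /a2/ gets the same 401, so the response carries no information about which filenames exist.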