Posted to cvs@httpd.apache.org by sf...@apache.org on 2012/06/17 10:39:46 UTC
svn commit: r1351072 - in /httpd/httpd/trunk: CHANGES
docs/manual/mod/mod_authz_core.xml modules/aaa/mod_authz_core.c
Author: sf
Date: Sun Jun 17 08:39:45 2012
New Revision: 1351072
URL: http://svn.apache.org/viewvc?rev=1351072&view=rev
Log:
If an expression in "Require expr" returns denied and
references %{REMOTE_USER}, trigger authentication and retry
PR: 5289
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
httpd/httpd/trunk/modules/aaa/mod_authz_core.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1351072&r1=1351071&r2=1351072&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Jun 17 08:39:45 2012
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
possible XSS for a site where untrusted users can upload files to
a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
+ *) mod_authz_core: If an expression in "Require expr" returns denied and
+ references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
+ [Stefan Fritsch]
+
*) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
authorization provider in lua. [Stefan Fritsch]
Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?rev=1351072&r1=1351071&r2=1351072&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Sun Jun 17 08:39:45 2012
@@ -224,6 +224,11 @@ SetEnvIf User-Agent ^KnockKnock/2\.0 let
<p>The syntax is described in the <a href="../expr.html">ap_expr</a>
documentation.</p>
+ <p>Normally, the expression is evaluated before authentication. However, if
+ the expression returns false and references the variable
+ <code>%{REMOTE_USER}</code>, authentication will be performed and
+ the expression will be re-evaluated.</p>
+
</section>
Modified: httpd/httpd/trunk/modules/aaa/mod_authz_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?rev=1351072&r1=1351071&r2=1351072&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Sun Jun 17 08:39:45 2012
@@ -1037,13 +1037,54 @@ static const authz_provider authz_method
&method_parse_config,
};
+/*
+ * expr authz provider
+ */
+
+#define REQUIRE_EXPR_NOTE "Require_expr_info"
+struct require_expr_info {
+ ap_expr_info_t *expr;
+ int want_user;
+};
+
+static int expr_lookup_fn(ap_expr_lookup_parms *parms)
+{
+ if (parms->type == AP_EXPR_FUNC_VAR
+ && strcasecmp(parms->name, "REMOTE_USER") == 0) {
+ struct require_expr_info *info;
+ apr_pool_userdata_get((void**)&info, REQUIRE_EXPR_NOTE, parms->ptemp);
+ AP_DEBUG_ASSERT(info != NULL);
+ info->want_user = 1;
+ }
+ return ap_expr_lookup_default(parms);
+}
+
+static const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
+ const void **parsed_require_line)
+{
+ const char *expr_err = NULL;
+ struct require_expr_info *info = apr_pcalloc(cmd->pool, sizeof(*info));
+
+ apr_pool_userdata_setn(info, REQUIRE_EXPR_NOTE, apr_pool_cleanup_null,
+ cmd->temp_pool);
+ info->expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
+ expr_lookup_fn);
+
+ if (expr_err)
+ return "Cannot parse expression in require line";
+
+ *parsed_require_line = info;
+
+ return NULL;
+}
+
static authz_status expr_check_authorization(request_rec *r,
const char *require_line,
const void *parsed_require_line)
{
const char *err = NULL;
- const ap_expr_info_t *expr = parsed_require_line;
- int rc = ap_expr_exec(r, expr, &err);
+ const struct require_expr_info *info = parsed_require_line;
+ int rc = ap_expr_exec(r, info->expr, &err);
if (rc < 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02320)
@@ -1052,28 +1093,16 @@ static authz_status expr_check_authoriza
return AUTHZ_GENERAL_ERROR;
}
else if (rc == 0) {
- return AUTHZ_DENIED;
+ if (info->want_user)
+ return AUTHZ_DENIED_NO_USER;
+ else
+ return AUTHZ_DENIED;
}
else {
return AUTHZ_GRANTED;
}
}
-static const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
- const void **parsed_require_line)
-{
- const char *expr_err = NULL;
- ap_expr_info_t *expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
- NULL);
-
- if (expr_err)
- return "Cannot parse expression in require line";
-
- *parsed_require_line = expr;
-
- return NULL;
-}
-
static const authz_provider authz_expr_provider =
{
&expr_check_authorization,
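Review bot: `expr_lookup_fn` in the first hunk is declared to return `int` but returns the value of `ap_expr_lookup_default(parms)` and is handed to `ap_expr_parse_cmd` as the lookup callback; if the callback type (`ap_expr_lookup_fn_t` in ap_expr.h) returns `const char *`, as `ap_expr_lookup_default` appears to, the `int` declaration truncates the returned error-string pointer on 64-bit builds and should read `static const char *expr_lookup_fn(ap_expr_lookup_parms *parms)` — please confirm against the header. In the same function the result of `apr_pool_userdata_get` is not checked and `AP_DEBUG_ASSERT` compiles away outside debug builds, so a missing note (for instance if the parser ever passes a `ptemp` other than `cmd->temp_pool`, which is where `expr_parse_config` stores it) becomes a NULL dereference of `info` at config-parse time; a guard such as `if (info == NULL) return "internal error: Require expr state missing";` (or whatever error return the callback type allows) keeps it a clean configuration error. The detection only fires for a variable literally named REMOTE_USER, so a short comment on the `want_user` field saying that expressions which reach the user through other lookups or functions will not trigger authentication would help the next reader, consistent with what the manual hunk documents.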