Posted to cvs@httpd.apache.org by sf...@apache.org on 2012/06/17 10:39:46 UTC

svn commit: r1351072 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_authz_core.xml modules/aaa/mod_authz_core.c

Author: sf
Date: Sun Jun 17 08:39:45 2012
New Revision: 1351072

URL: http://svn.apache.org/viewvc?rev=1351072&view=rev
Log:
If an expression in "Require expr" returns denied and
references %{REMOTE_USER}, trigger authentication and retry

PR: 52892

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
    httpd/httpd/trunk/modules/aaa/mod_authz_core.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1351072&r1=1351071&r2=1351072&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Jun 17 08:39:45 2012
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
      possible XSS for a site where untrusted users can upload files to
      a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
 
+  *) mod_authz_core: If an expression in "Require expr" returns denied and
+     references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
+     [Stefan Fritsch]
+
   *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
      authorization provider in lua. [Stefan Fritsch]
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml?rev=1351072&r1=1351071&r2=1351072&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_authz_core.xml Sun Jun 17 08:39:45 2012
@@ -224,6 +224,11 @@ SetEnvIf User-Agent ^KnockKnock/2\.0 let
   <p>The syntax is described in the <a href="../expr.html">ap_expr</a>
   documentation.</p>
 
+  <p>Normally, the expression is evaluated before authentication. However, if
+  the expression returns false and references the variable
+  <code>%{REMOTE_USER}</code>, authentication will be performed and
+  the expression will be re-evaluated.</p>
+
   </section>
 
 

Modified: httpd/httpd/trunk/modules/aaa/mod_authz_core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authz_core.c?rev=1351072&r1=1351071&r2=1351072&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/aaa/mod_authz_core.c (original)
+++ httpd/httpd/trunk/modules/aaa/mod_authz_core.c Sun Jun 17 08:39:45 2012
@@ -1037,13 +1037,54 @@ static const authz_provider authz_method
     &method_parse_config,
 };
 
+/*
+ * expr authz provider
+ */
+
+#define REQUIRE_EXPR_NOTE "Require_expr_info"
+struct require_expr_info {
+    ap_expr_info_t *expr;
+    int want_user;
+};
+
+static int expr_lookup_fn(ap_expr_lookup_parms *parms)
+{
+    if (parms->type == AP_EXPR_FUNC_VAR
+        && strcasecmp(parms->name, "REMOTE_USER") == 0) {
+        struct require_expr_info *info;
+        apr_pool_userdata_get((void**)&info, REQUIRE_EXPR_NOTE, parms->ptemp);
+        AP_DEBUG_ASSERT(info != NULL);
+        info->want_user = 1;
+    }
+    return ap_expr_lookup_default(parms);
+}
+
+static const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
+                                     const void **parsed_require_line)
+{
+    const char *expr_err = NULL;
+    struct require_expr_info *info = apr_pcalloc(cmd->pool, sizeof(*info));
+
+    apr_pool_userdata_setn(info, REQUIRE_EXPR_NOTE, apr_pool_cleanup_null,
+                          cmd->temp_pool);
+    info->expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
+                                   expr_lookup_fn);
+
+    if (expr_err)
+        return "Cannot parse expression in require line";
+
+    *parsed_require_line = info;
+
+    return NULL;
+}
+
 static authz_status expr_check_authorization(request_rec *r,
                                              const char *require_line,
                                              const void *parsed_require_line)
 {
     const char *err = NULL;
-    const ap_expr_info_t *expr = parsed_require_line;
-    int rc = ap_expr_exec(r, expr, &err);
+    const struct require_expr_info *info = parsed_require_line;
+    int rc = ap_expr_exec(r, info->expr, &err);
 
     if (rc < 0) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02320)
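Review bot: In expr_lookup_fn the only guard against a missing userdata entry is `AP_DEBUG_ASSERT(info != NULL)`, which compiles away in non-debug builds, so a NULL `info` would be dereferenced on the following line `info->want_user = 1;` at config-parse time instead of being reported; the status returned by apr_pool_userdata_get is also discarded. The note is attached to `cmd->temp_pool` in expr_parse_config and read back through `parms->ptemp`, so this presumably only misfires if those two pools ever differ, but the check is cheap enough to keep unconditionally: `if (info != NULL) { info->want_user = 1; }` (keeping the assert for debug builds). Skipping the flag appears to fail closed, since a denied expression then yields AUTHZ_DENIED and no authentication retry, but that should be confirmed against the core's handling. expr_check_authorization, which begins at the end of this hunk, continues in the next hunk.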
@@ -1052,28 +1093,16 @@ static authz_status expr_check_authoriza
         return AUTHZ_GENERAL_ERROR;
     }
     else if (rc == 0) {
-        return AUTHZ_DENIED;
+        if (info->want_user)
+            return AUTHZ_DENIED_NO_USER;
+        else
+            return AUTHZ_DENIED;
     }
     else {
         return AUTHZ_GRANTED;
     }
 }
 
-static const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
-                                     const void **parsed_require_line)
-{
-    const char *expr_err = NULL;
-    ap_expr_info_t *expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
-                                             NULL);
-
-    if (expr_err)
-        return "Cannot parse expression in require line";
-
-    *parsed_require_line = expr;
-
-    return NULL;
-}
-
 static const authz_provider authz_expr_provider =
 {
     &expr_check_authorization,
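Review bot: The `rc == 0` branch returns AUTHZ_DENIED_NO_USER whenever the parsed expression mentions REMOTE_USER, without checking whether `r->user` is already populated, so a denial after authentication has run is reported as "no user" rather than as a plain denial. As far as I recall, the other user-based providers in this file return AUTHZ_DENIED_NO_USER only while `r->user` is still NULL, and the core's treatment of that status after the authn hooks is what decides between a renewed challenge and a forbidden response, so the condition should probably be `if (info->want_user && r->user == NULL) return AUTHZ_DENIED_NO_USER;` followed by `return AUTHZ_DENIED;`. The manual text added in this commit, which says authentication is performed and the expression re-evaluated, is consistent with that tightened condition. expr_check_authorization begins in the previous hunk.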