Posted to cvs@httpd.apache.org by jc...@apache.org on 2017/06/20 23:08:18 UTC

svn commit: r1799374 - /httpd/httpd/trunk/include/http_protocol.h

Author: jchampion
Date: Tue Jun 20 23:08:18 2017
New Revision: 1799374

URL: http://svn.apache.org/viewvc?rev=1799374&view=rev
Log:
CVE-2017-3167: add documentation to ap_get_basic_auth_pw()

Now that we've released, add clarifying comments to the now-deprecated
API.

Modified:
    httpd/httpd/trunk/include/http_protocol.h

Modified: httpd/httpd/trunk/include/http_protocol.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_protocol.h?rev=1799374&r1=1799373&r2=1799374&view=diff
==============================================================================
--- httpd/httpd/trunk/include/http_protocol.h (original)
+++ httpd/httpd/trunk/include/http_protocol.h Tue Jun 20 23:08:18 2017
@@ -577,8 +577,15 @@ AP_DECLARE_HOOK(int, note_auth_failure,
 
 /**
  * Get the password from the request headers. This function has multiple side
- * effects due to its prior use in the old authentication framework.
- * ap_get_basic_auth_components() should be preferred.
+ * effects due to its prior use in the old authentication framework, including
+ * setting r->user (which is supposed to indicate that the user in question has
+ * been authenticated for the current request).
+ *
+ * Modules which call ap_get_basic_auth_pw() during the authentication phase
+ * MUST either immediately authenticate the user after the call, or else stop
+ * the request immediately with an error response, to avoid incorrectly
+ * authenticating the current request. (See CVE-2017-3167.) The replacement
+ * ap_get_basic_auth_components() API should be preferred.
  *
  * @deprecated @see ap_get_basic_auth_components
  * @param r The current request
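Review bot: the new "MUST either immediately authenticate ... or else stop the request" paragraph is the security-critical part of this comment, so it should render as a Doxygen `@warning` (or `@note`) rather than a plain paragraph, and the parenthetical "(See CVE-2017-3167.)" would be better as a `@see CVE-2017-3167` line next to the existing `@see ap_get_basic_auth_components`. Since the comment already explains that `r->user` is the side effect that signals an authenticated user, it would also help callers to state explicitly that a failed password check must not leave the request in a state where `r->user` is set without a corresponding authentication decision; the current wording tells them what to do but not why the two options are the only safe ones.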