Posted to dev@httpd.apache.org by Cliff Skolnick <cl...@organic.com> on 1996/05/30 00:38:48 UTC

WWW Form Bug Report: "check auth routines and requires directives" on Solaris 2.x (fwd)

Should we ask this guy to join the group?  Patch number 4 from him :)

--
Cliff Skolnick                                      cliff@organic.com

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759

---------- Forwarded message ----------
Date: Wed May 29 12:30:31 1996
From: jk@tools.de
To: cliff@organic.com
Subject: WWW Form Bug Report: "check auth routines and requires directives" on Solaris 2.x

Submitter: jk@tools.de
Operating system: Solaris 2.x, version: 
Version of Apache Used: 1.1b3-dev
Extra Modules used: 
URL exhibiting problem: 

Symptoms:
--
mod_auth.c already accepts any user id, if there are
no "requires" directives found for a directory or
location.

Since "requires" directives can occur inside a
<Limit> directive it should also accept any 
user id if there are "requires" directives, but
none matches the actual request method.

The same problem exists in mod_digest.c

*** mod_auth.c~ Wed May 29 21:21:31 1996
--- mod_auth.c  Wed May 29 21:22:27 1996
***************
*** 205,210 ****
--- 205,211 ----
        (auth_config_rec *)get_module_config (r->per_dir_config, &auth_module);
      char *user = r->connection->user;
      int m = r->method_number;
+     int method_restricted = 0;
      register int x;
      char *t, *w;
      table *grpstatus;
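Review bot: the added `int method_restricted = 0;` carries no comment, and the name alone does not say that it means "at least one require line covers r->method_number". A one-line comment at the declaration would help, since the final allow or deny decision in this function now depends on this flag.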
***************
*** 232,237 ****
--- 233,240 ----
        
        if (! (reqs[x].method_mask & (1 << m))) continue;
         
+       method_restricted = 1;
+ 
          t = reqs[x].requirement;
          w = getword(r->pool, &t, ' ');
          if(!strcmp(w,"valid-user"))
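Review bot: `method_restricted = 1;` is set before `getword()` parses the requirement, so a require line whose keyword is not recognised still marks the method as restricted. That is the safe direction, but it deserves a short comment so nobody later moves the assignment into the individual keyword branches. The added line is also indented less than the `t = reqs[x].requirement;` that follows it.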
***************
*** 257,262 ****
--- 260,268 ----
          }
      }
  
+     if (!method_restricted)
+       return OK;
+ 
      note_basic_auth_failure (r);
      return AUTH_REQUIRED;
  }
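Review bot: the new `if (!method_restricted) return OK;` ahead of `note_basic_auth_failure (r);` makes the function allow every method that no require line covers, so a require placed inside a <Limit> that names only some methods leaves the remaining methods open to any user id. Please add a comment stating that this is intended, and note it in the <Limit> documentation so administrators list every method they mean to restrict.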
leo 53% diff -c mod_digest.c{~,}
*** mod_digest.c~       Wed May 29 21:21:46 1996
--- mod_digest.c        Wed May 29 21:22:32 1996
***************
*** 290,295 ****
--- 290,296 ----
  int digest_check_auth (request_rec *r) {
      char *user = r->connection->user;
      int m = r->method_number;
+     int method_restricted = 0;    
      register int x;
      char *t, *w;
      array_header *reqs_arr;
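Review bot: the added declaration `int method_restricted = 0;` has trailing whitespace after the semicolon, which the mod_auth.c version of the same line does not. Please strip it, and give the flag the same explanatory comment in both files.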
***************
*** 310,315 ****
--- 311,318 ----
        
        if (! (reqs[x].method_mask & (1 << m))) continue;
         
+       method_restricted = 1;
+ 
          t = reqs[x].requirement;
          w = getword(r->pool, &t, ' ');
          if(!strcmp(w,"valid-user"))
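Review bot: `method_restricted = 1;` is inserted here after the same `method_mask & (1 << m)` test as in mod_auth.c, so the same logic now has to be kept in step in two copies of the loop. Consider a comment in each file pointing at the other, or a shared helper, so a later change to one copy does not leave the other with different allow rules.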
***************
*** 325,330 ****
--- 328,336 ----
          return DECLINED;
      }
      
+     if (!method_restricted)
+       return OK;
+ 
      note_digest_auth_failure(r);
      return AUTH_REQUIRED;
  }
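Review bot: the added `return OK;` sits directly below a path that ends in `return DECLINED;`, so the function now has two different non-failure results close together with no explanation of why this case is OK rather than DECLINED. Please confirm OK is intended when no require line covers the method, and say so in a comment above the `if (!method_restricted)` test.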

--

Backtrace:
--

--
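
Added example, not part of the original message or of Apache's source: a simplified C model of the require loop described in the report, showing the result for one require line inside <Limit GET> before and after the patch. The struct, the enum values and the single-name "user" match are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the loop the patch touches; the names below are
 * assumptions for illustration, not Apache's own definitions. */
enum { M_GET, M_PUT, M_POST };
enum { OK = 0, AUTH_REQUIRED = 401 };

struct require_line {
    int method_mask;          /* bit (1 << m) set for each method covered */
    const char *requirement;  /* "valid-user" or "user <name>" (simplified) */
};

/* patched == 0: behaviour before the patch; patched == 1: after it. */
static int check_auth_model(const struct require_line *reqs, int n,
                            int m, const char *user, int patched)
{
    int method_restricted = 0;
    for (int x = 0; x < n; x++) {
        if (!(reqs[x].method_mask & (1 << m)))
            continue;                     /* line does not cover this method */
        method_restricted = 1;
        if (strcmp(reqs[x].requirement, "valid-user") == 0)
            return OK;
        if (strncmp(reqs[x].requirement, "user ", 5) == 0 &&
            strcmp(reqs[x].requirement + 5, user) == 0)
            return OK;
    }
    if (patched && !method_restricted)
        return OK;                        /* no line applied to this method */
    return AUTH_REQUIRED;
}

/* Constructed sample: a single require line inside <Limit GET>. */
static const struct require_line sample[] = {
    { 1 << M_GET, "user alice" },
};

int main(void)
{
    const char *names[] = { "GET", "PUT", "POST" };
    for (int m = M_GET; m <= M_POST; m++)
        printf("%-4s user=bob before=%d after=%d\n", names[m],
               check_auth_model(sample, 1, m, "bob", 0),
               check_auth_model(sample, 1, m, "bob", 1));
    return 0;
}
```

With the patch, GET is still refused for a user the require line does not name, while PUT and POST are allowed because no require line covers them; restricting those methods means naming them in the <Limit> as well.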