Posted to dev@httpd.apache.org by Cliff Skolnick <cl...@organic.com> on 1996/05/30 00:38:48 UTC
WWW Form Bug Report: "check auth routines and requires directives" on Solaris 2.x (fwd)
Should we ask this guy to join the group? Patch number 4 from him :)
--
Cliff Skolnick cliff@organic.com
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759
---------- Forwarded message ----------
Date: Wed May 29 12:30:31 1996
From: jk@tools.de
To: cliff@organic.com
Subject: WWW Form Bug Report: "check auth routines and requires directives" on Solaris 2.x
Submitter: jk@tools.de
Operating system: Solaris 2.x, version:
Version of Apache Used: 1.1b3-dev
Extra Modules used:
URL exhibiting problem:
Symptoms:
--
mod_auth.c already accepts any user id, if there are
no "requires" directives found for a directory or
location.
Since "requires" directives can occur inside a
<Limit> directive it should also accept any
user id if there are "requires" directives, but
none matches the actual request method.
The same problem exists in mod_digest.c
*** mod_auth.c~ Wed May 29 21:21:31 1996
--- mod_auth.c Wed May 29 21:22:27 1996
***************
*** 205,210 ****
--- 205,211 ----
(auth_config_rec *)get_module_config (r->per_dir_config, &auth_module);
char *user = r->connection->user;
int m = r->method_number;
+ int method_restricted = 0;
register int x;
char *t, *w;
table *grpstatus;
***************
*** 232,237 ****
--- 233,240 ----
if (! (reqs[x].method_mask & (1 << m))) continue;
+ method_restricted = 1;
+
t = reqs[x].requirement;
w = getword(r->pool, &t, ' ');
if(!strcmp(w,"valid-user"))
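Review bot: The added `method_restricted = 1;` after the `method_mask` test carries no comment saying what the flag records. A one-line comment such as "at least one requirement applies to this request method" would let a reader follow the later `if (!method_restricted)` test without tracing the loop. It is also worth stating there that the flag is set before the requirement text is parsed with `getword`, so every entry that applies to the method counts as a restriction, whether or not the user goes on to satisfy it.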
***************
*** 257,262 ****
--- 260,268 ----
}
}
+ if (!method_restricted)
+ return OK;
+
note_basic_auth_failure (r);
return AUTH_REQUIRED;
}
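Review bot: The added `if (!method_restricted) return OK;` makes the check fail open for any method that no requirement's `method_mask` covers, and nothing in the hunk documents that. With requirements placed inside a <Limit> block, every method not named there is accepted for any user id. That is the behaviour the report asks for, but it is easy to overlook when reading a configuration. Please add a comment above the test stating this, and note it in the documentation for the directive so administrators know that unlisted methods are not covered.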
leo 53% diff -c mod_digest.c{~,}
*** mod_digest.c~ Wed May 29 21:21:46 1996
--- mod_digest.c Wed May 29 21:22:32 1996
***************
*** 290,295 ****
--- 290,296 ----
int digest_check_auth (request_rec *r) {
char *user = r->connection->user;
int m = r->method_number;
+ int method_restricted = 0;
register int x;
char *t, *w;
array_header *reqs_arr;
***************
*** 310,315 ****
--- 311,318 ----
if (! (reqs[x].method_mask & (1 << m))) continue;
+ method_restricted = 1;
+
t = reqs[x].requirement;
w = getword(r->pool, &t, ' ');
if(!strcmp(w,"valid-user"))
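Review bot: The mask test followed by `method_restricted = 1;` duplicates the mod_auth.c change line for line, so the two modules can drift apart when one of them is fixed later. Consider moving the "does any requirement apply to method m" test into a single helper that both check routines call, so the decision is made in one place.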
***************
*** 325,330 ****
--- 328,336 ----
return DECLINED;
}
+ if (!method_restricted)
+ return OK;
+
note_digest_auth_failure(r);
return AUTH_REQUIRED;
}
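Review bot: The new branch returns `OK`, while the context line directly above it in this hunk returns `DECLINED`. Please confirm that `OK` is the intended result when no requirement applies to the method, and say why in a comment on `if (!method_restricted)`. The two codes differ in whether this module takes the access decision itself or leaves it to another module, and the choice should be deliberate and the same as in mod_auth.c.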
--
Backtrace:
--
--