Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1996/07/01 22:50:50 UTC
Re: cvs commit: apache/src mod_auth_msql.c
Can someone please make an argument for _why_ we do a general release
with known bugs? Let alone bugs in authorization code?
> You can't win. Either you decide to release something this decade, or you
> ship something with known bugs. We can always point people to the newer,
> though less thoroughly tested, versions of mod_auth_msql and
> mod_cern_meta.
>
> Brian, whose head cold is making him irascible
>
> On Mon, 1 Jul 1996, Randy Terbush wrote:
> > I think it is a bad idea to reverse these changes since they
> > fix real bugs. Without these changes, it will likely break
> > all existing sites using this module.
> >
> >
> > > brian 96/07/01 12:04:11
> > >
> > > Modified: src mod_auth_msql.c
> > > Log:
> > > Reverse mod_auth_msql.c changes, back to version 1.0.
> > >
> > > Revision Changes Path
> > > 1.10 +19 -25 apache/src/mod_auth_msql.c
> > >
> > > Index: mod_auth_msql.c
> > > ===================================================================
> > > RCS file: /export/home/cvs/apache/src/mod_auth_msql.c,v
> > > retrieving revision 1.9
> > > retrieving revision 1.10
> > > diff -C3 -r1.9 -r1.10
> > > *** mod_auth_msql.c 1996/06/30 22:36:57 1.9
> > > --- mod_auth_msql.c 1996/07/01 19:04:08 1.10
> > > ***************
> > > *** 284,295 ****
> > > * Replaced some MAX_STRING_LENGTH claims.
> > > * 1.0 removed some error check as they where already done elsehwere
> > > * NumFields -> NumRows (Thanks Vitek). More stack memory.
> > > - * 1.1 no logging of empty password strings.
> > > - * 1.2 Problem with the Backward vitek which cause it to check
> > > - * even if msql_auth was not configured; Also more carefull
> > > - * with the authorative stuff; caught by thomas@marvin.calvacom.fr.
> > > - * 1.3 Even more changes to get it right; that BACKWARD thing was a bad
> > > - * idea.
> > > */
> > >
> > >
> > > --- 284,289 ----
> > > ***************
> > > *** 398,404 ****
> > > --- 392,400 ----
> > > #include "http_log.h"
> > > #include "http_protocol.h"
> > > #include <msql.h>
> > > + #ifdef HAVE_CRYPT_H
> > > #include <crypt.h>
> > > + #endif
> > >
> > > typedef struct {
> > >
> > > ***************
> > > *** 782,791 ****
> > > * We do not check on dbase, group, userid or host name, as it is
> > > * perfectly possible to only do group control with mSQL and leave
> > > * user control to the next (dbm) guy in line.
> > > - * We no longer check on the user field name; to avoid problems
> > > - * with Backward VITEK.
> > > */
> > > ! if (!sec->auth_msql_pwd_table) return DECLINED;
> > >
> > > if(!(real_pw = get_msql_pw(r, c->user, sec,msql_errstr ))) {
> > > if ( msql_errstr[0] ) {
> > > --- 778,788 ----
> > > * We do not check on dbase, group, userid or host name, as it is
> > > * perfectly possible to only do group control with mSQL and leave
> > > * user control to the next (dbm) guy in line.
> > > */
> > > ! if (
> > > ! (!sec->auth_msql_pwd_table) &&
> > > ! (!sec->auth_msql_pwd_field)
> > > ! ) return DECLINED;
> > >
> > > if(!(real_pw = get_msql_pw(r, c->user, sec,msql_errstr ))) {
> > > if ( msql_errstr[0] ) {
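Review bot: The rewritten guard in the 778,788 section declines only when both `auth_msql_pwd_table` and `auth_msql_pwd_field` are unset, so a directory with just one of them configured falls through to `get_msql_pw()` with the other still unset. How `get_msql_pw()` handles a missing table or field name is not visible in this hunk. If the lookup needs both, the guard should decline when either is missing, `if (!sec->auth_msql_pwd_table || !sec->auth_msql_pwd_field) return DECLINED;`, and the comment above it should say which directives make the module count as configured for a directory. The enclosing function starts and ends outside the hunk.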
> > > ***************
> > > *** 812,821 ****
> > > */
> > >
> > > if ((sec->auth_msql_nopasswd) && (!strlen(real_pw))) {
> > > - /*
> > > sprintf(msql_errstr,"mSQL: user %s: Empty/'any' password accepted",c->user);
> > > log_reason (msql_errstr, r->uri, r);
> > > - */
> > > return OK;
> > > };
> > >
> > > --- 809,816 ----
> > > ***************
> > > *** 867,875 ****
> > > char *t, *w;
> > > msql_errstr[0]='\0';
> > >
> > > - /* If we are not configured, ignore */
> > > - if (!sec->auth_msql_pwd_table) return DECLINED;
> > > -
> > > if (!reqs_arr) {
> > > if (sec->auth_msql_authorative) {
> > > sprintf(msql_errstr,"user %s denied, no access rules specified (MSQL-Authorative) ",user);
> > > --- 862,867 ----
> > > ***************
> > > *** 937,959 ****
> > > };
> > > }
> > >
> > > ! /* Get serious if we are authorative, previous
> > > ! * returns are only if msql yielded a correct result.
> > > ! * This really is not needed.
> > > */
> > > ! if (((group_result == AUTH_REQUIRED) || (user_result == AUTH_REQUIRED)) && (sec->auth_msql_authorative) ) {
> > > ! sprintf(msql_errstr,"mSQL-Authorative: Access denied on %s %s rule(s) ",
> > > ! (group_result == AUTH_REQUIRED) ? "USER" : "",
> > > ! (user_result == AUTH_REQUIRED) ? "GROUP" : ""
> > > ! );
> > > log_reason (msql_errstr, r->uri, r);
> > > return AUTH_REQUIRED;
> > > };
> > >
> > > - if ( (user_result == OK) || (group_result == OK))
> > > - return OK;
> > >
> > > ! return DECLINED;
> > > }
> > >
> > >
> > > --- 929,953 ----
> > > };
> > > }
> > >
> > > ! /* we do not have to check the valid-ness of the group result as
> > > ! * have not (yet) a 'valid-group' token
> > > */
> > > ! if ( (user_result != OK) && (sec->auth_msql_authorative) ) {
> > > ! sprintf(msql_errstr,"User %s denied, no access rules applied (MSQL-Authorative) ",user);
> > > log_reason (msql_errstr, r->uri, r);
> > > + note_basic_auth_failure(r);
> > > return AUTH_REQUIRED;
> > > };
> > >
> > >
> > > ! /* if the user is DECLINED, it is up to the group_result to tip
> > > ! * the balance. But if the group result is AUTH_REQUIRED it should
> > > ! * always override. A SERVER_ERROR should not get here.
> > > ! */
> > > ! if ( (user_result == DECLINED) || (group_result == AUTH_REQUIRED))
> > > ! return group_result;
> > > !
> > > ! return user_result;
> > > }
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >