Posted to cvs@httpd.apache.org by st...@apache.org on 2003/08/07 03:53:11 UTC

cvs commit: httpd-2.0/modules/ssl ssl_engine_kernel.c

striker     2003/08/06 18:53:11

  Modified:    modules/ssl ssl_engine_kernel.c
  Log:
  Fix FakeBasicAuth for subrequests.  This was reported via issue
  #1364 in Subversion:
  
    http://subversion.tigris.org/issues/show_bug.cgi?id=1364
  
  The fix is to make mod_ssl's check_user_id hook stop tripping
  over its own checks in case of a subrequest.  That is, it
  should DECLINE in case of a subrequest.
  
  Revision  Changes    Path
  1.97      +8 -0      httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.96
  retrieving revision 1.97
  diff -u -r1.96 -r1.97
  --- ssl_engine_kernel.c	21 Jul 2003 12:02:39 -0000	1.96
  +++ ssl_engine_kernel.c	7 Aug 2003 01:53:11 -0000	1.97
  @@ -856,6 +856,14 @@
       }
   
       /*
  +     * We decline when we are in a subrequest.  The Authorization header
  +     * would already be present if it was added in the main request.
  +     */
  +    if (!ap_is_initial_req(r)) {
  +        return DECLINED;
  +    }
  +
  +    /*
        * Make sure the user is not able to fake the client certificate
        * based authentication by just entering an X.509 Subject DN
        * ("/XX=YYY/XX=YYY/..") as the username and "password" as the
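
Review bot: The new early return sits above the "Make sure the user is not able to fake the client certificate based authentication" block, so that anti-spoofing check no longer runs for any request where `ap_is_initial_req(r)` is false. The added comment should state this reliance explicitly: a subrequest is safe to decline only because its Authorization header was already validated or generated by this hook on the initial request. Also note that `ap_is_initial_req()` is false for internal redirects as well as subrequests, while both the comment and the log message mention only subrequests. Either widen the comment to cover redirects, or narrow the test to `r->main != NULL` if only subrequests are meant to be skipped.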