Posted to cvs@httpd.apache.org by ji...@apache.org on 2005/08/24 14:42:07 UTC
svn commit: r239641 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS
modules/experimental/mod_auth_ldap.c
Author: jim
Date: Wed Aug 24 05:42:03 2005
New Revision: 239641
URL: http://svn.apache.org/viewcvs?rev=239641&view=rev
Log:
Fold in approved, 2.1/2.2-like behavior which prevents core
dump when doing LDAP auth even if the check_user_id didn't
succeed.
Modified:
httpd/httpd/branches/2.0.x/CHANGES
httpd/httpd/branches/2.0.x/STATUS
httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c
Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?rev=239641&r1=239640&r2=239641&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Aug 24 05:42:03 2005
@@ -1,6 +1,11 @@
-*- coding: utf-8 -*-
Changes with Apache 2.0.55
+ *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
+ was called even if mod_auth_ldap_check_user_id() was not
+ (or if it didn't succeed) for non-authoritative cases.
+ [Jim Jagielski]
+
*) Fix cases where the byterange filter would buffer responses
into memory. PR 29962. [Joe Orton]
Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=239641&r1=239640&r2=239641&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Wed Aug 24 05:42:03 2005
@@ -201,13 +201,6 @@
2.0 version: http://people.apache.org/~trawick/179704-20.txt
+1: trawick, jorton, wrowe
- *) Prevent bad dereferencing of non-existent req struct in
- mod_auth_ldap's mod_auth_ldap_auth_checker() if
- mod_auth_ldap_check_user_id() was never (fully) called.
- Similar behavior to that in 2.1/2.2.
- http://people.apache.org/~jim/mod_auth_ldap-2.0.patch
- +1: jim, minfrin, bnicholes
-
*) Add httxt2dbm for creating RewriteMap DBM Files.
http://svn.apache.org/viewcvs.cgi?rev=209539&view=rev
+1: pquerna, jorton, trawick
Modified: httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c?rev=239641&r1=239640&r2=239641&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c (original)
+++ httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c Wed Aug 24 05:42:03 2005
@@ -460,6 +460,26 @@
return DECLINED;
}
+ /*
+ * It is possible that we've skipped mod_auth_ldap's
+ * check_user_id hook, but still get here. In that
+ * case, the req request_config struct hasn't been initialized
+ * causing problems when we try to use req->dn and/or req->name
+ * below. So we simply create one.
+ *
+ * Unlike 2.2, we don't try to search or populate it.
+ */
+ if (!req) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authorise: "
+ "no req struct - skipped mod_auth_ldap_check_user_id?",
+ getpid());
+
+ req = (mod_auth_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(mod_auth_ldap_request_t));
+ ap_set_module_config(r->request_config, &auth_ldap_module, req);
+ }
+
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
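Review bot: The zero-filled `req` created in the `if (!req)` block leaves `req->dn` and `req->name` NULL, so the fix relies on every require branch further down checking them before use, and the new comment does not say so. I would add to that comment: ` * All fields are NULL/zero from here on: each require branch below must check req->dn before using it and deny when it is unset.` The second hunk (at -657) adds that guard for `ldap-attribute` only; the remaining branches are outside this diff, so confirm each has the same guard. Also confirm that any branch which never reads `req->dn` cannot grant access to a user this module did not verify. The enclosing function starts and ends outside the hunk.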
@@ -657,6 +677,13 @@
}
}
else if (strcmp(w, "ldap-attribute") == 0) {
+ if (req->dn == NULL || strlen(req->dn) == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authorise: "
+ "require ldap-attribute: user's DN has not been defined; failing authorisation",
+ getpid());
+ return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ }
while (t[0]) {
w = ap_getword(r->pool, &t, '=');
value = ap_getword_conf(r->pool, &t);
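Review bot: The new `ldap-attribute` guard logs its denial at `APLOG_DEBUG`, so unless LogLevel is set to debug nothing records that a request was refused because no LDAP DN was established. When `req` existed but `req->dn` was empty, the warning added in the first hunk does not fire either. I would raise the level to match that warning: `ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,`. If the sibling require branches (not visible here) log the same condition at debug level, they would want the same change. As a smaller point, `getpid()` is passed to `%d` without a cast; `(int)getpid()` keeps the format and argument types matched where `pid_t` is not `int`. The `else if` chain this branch belongs to continues outside the hunk.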