Posted to dev@subversion.apache.org by "roderich.schupp@googlemail.com" <ro...@googlemail.com> on 2011/07/22 13:17:54 UTC

[PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache

Hi,

if you have an Apache configuration that doesn't request authentication,
but still uses AuthzForceUsernameCase, this will crash Apache on each
request:

<Location /svn/no-auth>
    DAV svn
    SVNPath /repos/no-auth
    AuthzSVNAccessFile /admin/no-auth.txt
    AuthzForceUsernameCase lower
</Location>

(and no "require ..." stuff in any enclosing Location either).
I know, it's a silly configuration - I stumbled upon it by accident.

Reason is that get_username_to_authorize() tries to lowercase a NULL
r->user string.
Suggested patch (against 1.7.0-beta1, but that code hasn't changed in
a long time):


--- subversion/mod_authz_svn/mod_authz_svn.c.orig       2011-07-21
16:00:39.663920000 +0200
+++ subversion/mod_authz_svn/mod_authz_svn.c    2011-07-21
16:00:55.006891000 +0200
@@ -245,7 +245,7 @@
 get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf)
 {
   char *username_to_authorize = r->user;
-  if (conf->force_username_case)
+  if (username_to_authorize && conf->force_username_case)
     {
       username_to_authorize = apr_pstrdup(r->pool, r->user);
       convert_case(username_to_authorize,
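
Review bot: The added `username_to_authorize &&` test on the changed `if` line carries no comment saying when the user can be NULL. Per the report this happens when no authentication is configured for the Location; a one-line comment above the `if` stating that would keep the check from being dropped in a later cleanup.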


Cheers, Roderich

Re: [PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache

Posted by Philip Martin <ph...@wandisco.com>.
"roderich.schupp@googlemail.com" <ro...@googlemail.com> writes:

> 16:00:39.663920000 +0200
> +++ subversion/mod_authz_svn/mod_authz_svn.c    2011-07-21
> 16:00:55.006891000 +0200
> @@ -245,7 +245,7 @@
>  get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf)
>  {
>    char *username_to_authorize = r->user;
> -  if (conf->force_username_case)
> +  if (username_to_authorize && conf->force_username_case)
>      {
>        username_to_authorize = apr_pstrdup(r->pool, r->user);
>        convert_case(username_to_authorize,
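
Review bot: Style point on the changed `if`: the condition tests the local `username_to_authorize`, while the `apr_pstrdup()` call two lines below still reads `r->user`. Both hold the same pointer at that point, so the check does guard the copy, but testing `r->user` directly, or copying from the local, would make it obvious that the value being checked is the one being duplicated.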

Thanks!  I've put it on trunk and proposed it for 1.7.

-- 
uberSVN: Apache Subversion Made Easy
http://www.uberSVN.com