Posted to dev@subversion.apache.org by "roderich.schupp@googlemail.com" <ro...@googlemail.com> on 2011/07/22 13:17:54 UTC
[PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache
Hi,
if you have an Apache configuration that doesn't request authentication,
but still uses AuthzForceUsernameCase, this will crash Apache on each request:
<Location /svn/no-auth>
DAV svn
SVNPath /repos/no-auth
AuthzSVNAccessFile /admin/no-auth.txt
AuthzForceUsernameCase lower
</Location>
(and no "require ..." stuff in any enclosing Location either).
I know, it's a silly configuration - I stumbled upon it by accident.
Reason is that get_username_to_authorize() tries to lowercase a NULL r->user string.
Suggested patch (against 1.7.0-beta1, but that code hasn't changed in
a long time):
--- subversion/mod_authz_svn/mod_authz_svn.c.orig 2011-07-21
16:00:39.663920000 +0200
+++ subversion/mod_authz_svn/mod_authz_svn.c 2011-07-21
16:00:55.006891000 +0200
@@ -245,7 +245,7 @@
get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf)
{
char *username_to_authorize = r->user;
- if (conf->force_username_case)
+ if (username_to_authorize && conf->force_username_case)
{
username_to_authorize = apr_pstrdup(r->pool, r->user);
convert_case(username_to_authorize,
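Review bot: at the changed `if`, the NULL case now skips the block and leaves username_to_authorize as NULL, so the rest of the function and its callers have to accept a NULL username for unauthenticated requests; worth confirming before this is merged. A one-line comment above the `if` saying that r->user is NULL when no authentication is configured would explain why the test is there.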
Cheers, Roderich
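A way to find configurations like the one in this post before they reach an unpatched server, as an added example that is not part of the original message or of Subversion: a small Python audit that flags `<Location>` blocks using AuthzForceUsernameCase with no `Require` directive in the block or in a Location whose path encloses it. Assumptions: a single config file, only `<Location>` sections are parsed, any `Require` line counts as requesting authentication, and the function names are hypothetical.

```python
import re

# Constructed sample: the first block is from the post, the others are made up.
SAMPLE_CONF = """\
<Location /svn/no-auth>
  DAV svn
  SVNPath /repos/no-auth
  AuthzSVNAccessFile /admin/no-auth.txt
  AuthzForceUsernameCase lower
</Location>
<Location /svn/team>
  AuthType Basic
  Require valid-user
</Location>
<Location /svn/team/proj>
  AuthzForceUsernameCase lower
</Location>
"""

OPEN = re.compile(r"<Location\s+\"?([^\s\">]+)\"?\s*>", re.I)
CLOSE = re.compile(r"</Location\s*>", re.I)

def parse_locations(conf_text):
    """Return {path: set of lowercased directive names} per <Location> block."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = OPEN.match(line)
        if m:
            current = m.group(1).rstrip("/") or "/"
            blocks.setdefault(current, set())
        elif CLOSE.match(line):
            current = None
        elif current is not None and line and not line.startswith("#"):
            blocks[current].add(line.split()[0].lower())
    return blocks

def encloses(outer, inner):
    """True if Location path `outer` equals or is a path prefix of `inner`."""
    return outer == "/" or inner == outer or inner.startswith(outer + "/")

def risky_locations(conf_text):
    """Locations using AuthzForceUsernameCase with no Require on or above them."""
    blocks = parse_locations(conf_text)
    return sorted(
        path for path, names in blocks.items()
        if "authzforceusernamecase" in names
        and not any("require" in blocks[o] for o in blocks if encloses(o, path))
    )
```

On the sample, only `/svn/no-auth` is reported; `/svn/team/proj` is covered by the `Require` in `/svn/team`.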
Re: [PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache
Posted by Philip Martin <ph...@wandisco.com>.
"roderich.schupp@googlemail.com" <ro...@googlemail.com>
writes:
> 16:00:39.663920000 +0200
> +++ subversion/mod_authz_svn/mod_authz_svn.c 2011-07-21
> 16:00:55.006891000 +0200
> @@ -245,7 +245,7 @@
> get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf)
> {
> char *username_to_authorize = r->user;
> - if (conf->force_username_case)
> + if (username_to_authorize && conf->force_username_case)
> {
> username_to_authorize = apr_pstrdup(r->pool, r->user);
> convert_case(username_to_authorize,
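Review bot: style point on the `+` line: the new test reads the local username_to_authorize while the apr_pstrdup call two lines below it copies r->user. Both hold the same pointer at this point, but using one name in both places (testing `r->user`, or duplicating `username_to_authorize`) would make it obvious that the guard covers the string handed to convert_case.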
Thanks! I've put it on trunk and proposed it for 1.7.
--
uberSVN: Apache Subversion Made Easy
http://www.uberSVN.com