You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Jesper Krogh <je...@gmail.com> on 2006/02/28 22:40:30 UTC
[users@httpd] Case insensitive username in htaccess.
Hi.
Is it possible to make apache match the username "case-insensitive"
against lists in AuthUserFile /AuthGroupFile?
We're using mod_ntlm and it generally works fine, but the different
platforms tend to send usernames in mixed cases.
Thanks
Jesper - Sorry if you have seen this allready. I didn't get the first
copy back from the list.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Case insensitive username in htaccess.
Posted by Nick Kew <ni...@webthing.com>.
On Wednesday 01 March 2006 09:05, Jesper Krogh wrote:
> "fold"? ..
Bah. That's exactly what you do in your patch.
/me needs to wake up.
--
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Case insensitive username in htaccess.
Posted by Jesper Krogh <je...@gmail.com>.
On 3/1/06, Nick Kew <ni...@webthing.com> wrote:
> On Wednesday 01 March 2006 07:45, Jesper Krogh wrote:
> > > Hmmm. Don't you get that behaviour if you use a case-insensitive
> > > filesystem?
> >
> > No. That would give me flexibillity in the names of the files
> > containing the user-list, not the
> > usernames.
>
> It's a fair cop - I misread your question. It seems you found
> your own answer anyway:-)
>
> Actually your patch looks puzzling: you're introducing a new variable
> but not using it. Why not just fold r->user?
"fold"? ..
I belive that r->user is a char * if I modify that directly with
r->user++ the the next
user of the string would start at the end position.
Well.. I'm usually coding Perl, so this is very far from what I
usually do so I might
be very wrong. :-/
--
Jesper
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Case insensitive username in htaccess.
Posted by Nick Kew <ni...@webthing.com>.
On Wednesday 01 March 2006 07:45, Jesper Krogh wrote:
> > Hmmm. Don't you get that behaviour if you use a case-insensitive
> > filesystem?
>
> No. That would give me flexibillity in the names of the files
> containing the user-list, not the
> usernames.
It's a fair cop - I misread your question. It seems you found
your own answer anyway:-)
Actually your patch looks puzzling: you're introducing a new variable
but not using it. Why not just fold r->user?
--
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Case insensitive username in htaccess.
Posted by Jesper Krogh <je...@gmail.com>.
On 3/1/06, Jesper Krogh <je...@gmail.com> wrote:
> On 3/1/06, Nick Kew <ni...@webthing.com> wrote:
> > On Tuesday 28 February 2006 21:40, Jesper Krogh wrote:
> > > Is it possible to make apache match the username "case-insensitive"
> > > against lists in AuthUserFile /AuthGroupFile?
> >
> > That would potentially be a security hole.
>
> Yes if it could be done without people knowing it. If it were
> configurable, it would be a feature :-)
>
> If I didn't explain the problem well enough, then an example would work:
> I just would like apache to assume that Jesper, JESPER, jesper, and so
> on, was the same user
> when matching up agaings the lists.
>
> > > We're using mod_ntlm and it generally works fine, but the different
> > > platforms tend to send usernames in mixed cases.
> >
> > Hmmm. Don't you get that behaviour if you use a case-insensitive filesystem?
>
> No. That would give me flexibillity in the names of the files
> containing the user-list, not the
> usernames.
>
> I have got the mod_ntlm C-code, so if anyone could give me directions
> on how to modify
> the REMOTE_USER stuff from a C-apache module, then I could probably do
> it that way.
Sometimes "fresh eyes" in the morning helps a lot. This patch against
mod_ntlm2 makes
the usernames in lowercase:
diff -Nur mod_ntlm2-0.1/mod_ntlm.c mod_ntlm2-0.1-mod/mod_ntlm.c
--- mod_ntlm2-0.1/mod_ntlm.c 2003-02-23 16:58:02.000000000 +0100
+++ mod_ntlm2-0.1-mod/mod_ntlm.c 2006-03-01 09:06:13.000000000 +0100
@@ -522,6 +522,12 @@
/* silently accept login with same credentials */
r->user = apr_pstrdup(r->connection->pool,
ntlm_connection->user);
+
+ char *user= r->user;
+ while(*user){
+ *user = tolower(*user);
+ user++;
+ }
r->ap_auth_type = apr_pstrdup(r->connection->pool,
NTLM_AUTH_NAME);
return OK;
@@ -557,6 +563,11 @@
* NULL; */
r->user = apr_pstrdup(r->connection->pool,
ntlm_connection->user);
+ char *user= r->user;
+ while(*user){
+ *user = tolower(*user);
+ user++;
+ }
r->ap_auth_type = apr_pstrdup(r->connection->pool,
NTLM_AUTH_NAME);
@@ -664,6 +675,11 @@
* connection. The other allocations are temporary and can be
* tossed away any time. */
r->user = apr_pstrcat(r->connection->pool, sent_user, NULL);
+ char *user= r->user;
+ while(*user){
+ *user = tolower(*user);
+ user++;
+ }
r->ap_auth_type = "Basic";
Jesper
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Case insensitive username in htaccess.
Posted by Jesper Krogh <je...@gmail.com>.
On 3/1/06, Nick Kew <ni...@webthing.com> wrote:
> On Tuesday 28 February 2006 21:40, Jesper Krogh wrote:
> > Is it possible to make apache match the username "case-insensitive"
> > against lists in AuthUserFile /AuthGroupFile?
>
> That would potentially be a security hole.
Yes if it could be done without people knowing it. If it were
configurable, it would be a feature :-)
If I didn't explain the problem well enough, then an example would work:
I just would like apache to assume that Jesper, JESPER, jesper, and so
on, was the same user
when matching up agaings the lists.
> > We're using mod_ntlm and it generally works fine, but the different
> > platforms tend to send usernames in mixed cases.
>
> Hmmm. Don't you get that behaviour if you use a case-insensitive filesystem?
No. That would give me flexibillity in the names of the files
containing the user-list, not the
usernames.
I have got the mod_ntlm C-code, so if anyone could give me directions
on how to modify
the REMOTE_USER stuff from a C-apache module, then I could probably do
it that way.
Jesper
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Case insensitive username in htaccess.
Posted by Nick Kew <ni...@webthing.com>.
On Tuesday 28 February 2006 21:40, Jesper Krogh wrote:
> Hi.
>
>
> Is it possible to make apache match the username "case-insensitive"
> against lists in AuthUserFile /AuthGroupFile?
That would potentially be a security hole.
> We're using mod_ntlm and it generally works fine, but the different
> platforms tend to send usernames in mixed cases.
Hmmm. Don't you get that behaviour if you use a case-insensitive filesystem?
--
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org