Posted to dev@httpd.apache.org by Rodent of Unusual Size <Ke...@Golux.Com> on 2002/07/02 16:31:53 UTC
Re: [patch] mod_negotiation and authorization
Did anyone check this one out? (I haven't) It sounds
as though it would scratch some itches..
> My specific intention was to be able to require authentication for
> the file "thing.cgi" while advertising the url "thing", without
> requiring authentication for the directory in which "thing.cgi"
> resided. MultiViews doesn't work the way I want it to in directories
> in which only some files require authentication.
--
#ken P-)}
Ken Coar, Sanagendamgagwedweinini http://Golux.Com/coar/
Author, developer, opinionist http://Apache-Server.Com/
"Millennium hand and shrimp!"
Re: [patch] mod_negotiation and authorization
Posted by Francis Daly <de...@daoine.org>.
On Tue, Jul 02, 2002 at 10:31:53AM -0400, Rodent of Unusual Size wrote:
> Did anyone check this one out? (I haven't) It sounds
> as though it would scratch some itches..
Not many other itches, by the looks of things :-(
On the assumption that it would be convenient to make available a
version of the patch that actually applies to the current CVS HEAD,
I'm including an updated version below.
Background and docs are available at, for example,
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=102190232502173&q=raw
-- if reposting that would be useful, let me know and I'll get on to
it.
Possibly this should be adapted to include some of the other
400-series status codes -- 402, 407, or perhaps 411 or 412 might be
useful (longer term) to be handled similarly. I'll wait to copy from
the mod_autoindex code on that count, though. For now, it's 401 only.
Built and tested against 2.0.39, which appears to still be the current
version (1.102) of mod_negotiation.c.
Comments and criticisms welcome.
f
--
Francis Daly deva@daoine.org
--- modules/mappers/mod_negotiation.c.2039 Fri May 17 12:24:16 2002
+++ modules/mappers/mod_negotiation.c Mon Jul 8 22:27:45 2002
@@ -88,10 +88,17 @@
*/
typedef struct {
+ int reveal_secret_url;
int forcelangpriority;
apr_array_header_t *language_priority;
} neg_dir_config;
+/* reveal_secret_url flags
+ */
+#define RSU_UNDEF 2 /* this means "no explicit config" */
+#define RSU_ON 1 /* "config on" */
+#define RSU_OFF 0 /* "config off" */
+
/* forcelangpriority flags
*/
#define FLP_UNDEF 0 /* Same as FLP_DEFAULT, but base overrides */
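Review bot: The new `reveal_secret_url` member is added to `neg_dir_config` without any comment saying what it controls or which values it takes, and the three `#define`s below carry the only hint. A one-line comment on the field would make the struct self-explanatory: `int reveal_secret_url; /* RSU_*: whether a variant's 401 is reported to the client */`. The "no explicit config" sentinel is 2 here whereas `FLP_UNDEF` is 0; it looks like this is so that RSU_ON/RSU_OFF line up with the 1/0 a flag handler receives, and saying so in the `RSU_UNDEF` comment would stop a later reader from "normalising" it to 0, which would make an unset directory override an explicit `off` in its parent.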
@@ -107,6 +114,7 @@
{
neg_dir_config *new = (neg_dir_config *) apr_palloc(p, sizeof(neg_dir_config));
+ new->reveal_secret_url = RSU_UNDEF;
new->forcelangpriority = FLP_UNDEF;
new->language_priority = NULL;
return new;
@@ -119,6 +127,9 @@
neg_dir_config *new = (neg_dir_config *) apr_palloc(p, sizeof(neg_dir_config));
/* give priority to the config in the subdirectory */
+ new->reveal_secret_url = (add->reveal_secret_url != RSU_UNDEF)
+ ? add->reveal_secret_url
+ : base->reveal_secret_url;
new->forcelangpriority = (add->forcelangpriority != FLP_UNDEF)
? add->forcelangpriority
: base->forcelangpriority;
@@ -128,6 +139,22 @@
return new;
}
+static const char *reveal_secret_url(cmd_parms *cmd, void *n_, int arg)
+{
+ neg_dir_config *n = n_;
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_FILES);
+
+ if (err != NULL) {
+ return err;
+ }
+ n->reveal_secret_url = arg == RSU_OFF ? RSU_OFF : RSU_ON;
+/* that is functionally equivalent to
+ n->reveal_secret_url = arg != 0;
+ for the RSU_* values #defined'd above. Clarity vs efficiency?
+*/
+ return NULL;
+}
+
static const char *set_language_priority(cmd_parms *cmd, void *n_,
const char *lang)
{
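Review bot: The block comment after the assignment in `reveal_secret_url` leaves an open question ("Clarity vs efficiency?") in the committed code; a review should resolve it rather than ship it. Since `AP_INIT_FLAG` handlers receive `arg` as 0 or 1, the ternary reads more naturally from the flag's side, e.g. `n->reveal_secret_url = arg ? RSU_ON : RSU_OFF; /* AP_INIT_FLAG passes 1 for 'on', 0 for 'off' */`, and the four-line musing can be dropped. The `ap_check_cmd_context(cmd, NOT_IN_FILES)` guard is consistent with the other per-directory handlers in this file, so no change is needed there.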
@@ -188,6 +215,8 @@
{
AP_INIT_FLAG("CacheNegotiatedDocs", cache_negotiated_docs, NULL, RSRC_CONF,
"Either 'on' or 'off' (default)"),
+ AP_INIT_FLAG("MultiviewsRevealSecretURL", reveal_secret_url, NULL, RSRC_CONF|OR_AUTHCFG,
+ "Either 'on' or 'off' (default)"),
AP_INIT_ITERATE("LanguagePriority", set_language_priority, NULL, OR_FILEINFO,
"space-delimited list of MIME language abbreviations"),
AP_INIT_ITERATE("ForceLanguagePriority", set_force_priority, NULL, OR_FILEINFO,
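Review bot: The help string for `MultiviewsRevealSecretURL` is copied verbatim from `CacheNegotiatedDocs` and says nothing about what the directive does, which is all an administrator sees from `httpd -L`. Something like `"Report a 401 from a non-negotiable variant instead of the usual failure: 'on' or 'off' (default)"` documents the behaviour and the default in one line. Registering it with `RSRC_CONF|OR_AUTHCFG` means a `.htaccess` with `AllowOverride AuthConfig` can enable it, which is consistent with the other authorization directives and worth stating in the module docs.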
@@ -1045,6 +1074,7 @@
struct accept_rec accept_info;
void *new_var;
int anymatch = 0;
+ int secretmatch = 0;
clean_var_rec(&mime_info);
@@ -1110,6 +1140,13 @@
if (sub_req->finfo.filetype != APR_REG)
continue;
+ /* Note if it failed UNAUTHORIZED. We may want to return this
+ * status, eventually
+ */
+ if (sub_req->status == HTTP_UNAUTHORIZED) {
+ secretmatch = 1;
+ }
+
/* If it has a handler, we'll pretend it's a CGI script,
* since that's a good indication of the sort of thing it
* might be doing.
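Review bot: Recording only a boolean (`secretmatch = 1`) when `sub_req->status == HTTP_UNAUTHORIZED` drops the challenge that made the subrequest fail; a subrequest gets its own `err_headers_out` table, so when this flag later becomes a `return HTTP_UNAUTHORIZED` for the main request the client receives a 401 with no `WWW-Authenticate` header and cannot authenticate, unless a merge I cannot see from this hunk happens elsewhere. Copying the header at the point of detection, guarded by the directive so it can never leak into a 404 or a successfully negotiated 200, closes that gap. The comment "We may want to return this status, eventually" could then say where: `/* A 401 here is turned into the main request's status below when MultiviewsRevealSecretURL is on. */`. The enclosing function starts and ends outside this hunk.
```c
            /* … unchanged: filetype check … */
            if (sub_req->status == HTTP_UNAUTHORIZED) {
                secretmatch = 1;
                /* Carry the challenge over, otherwise a later 401 has no
                 * WWW-Authenticate; only when the directive allows the 401. */
                if (neg->conf->reveal_secret_url == RSU_ON) {
                    const char *chal = apr_table_get(sub_req->err_headers_out,
                                                     "WWW-Authenticate");
                    if (chal) {
                        apr_table_set(r->err_headers_out, "WWW-Authenticate", chal);
                    }
                }
            }
            /* … unchanged: handler / CGI_MAGIC_TYPE handling … */
```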
@@ -1232,6 +1269,9 @@
* request must die.
*/
if (anymatch && !neg->avail_vars->nelts) {
+ if (secretmatch && neg->conf->reveal_secret_url == RSU_ON) {
+ return HTTP_UNAUTHORIZED;
+ }
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Negotiation: discovered file(s) matching request: %s"
" (None could be negotiated).",