Posted to dev@httpd.apache.org by Rodent of Unusual Size <Ke...@Golux.Com> on 2002/07/02 16:31:53 UTC

Re: [patch] mod_negotiation and authorization

Did anyone check this one out?  (I haven't)  It sounds
as though it would scratch some itches..

> My specific intention was to be able to require authentication for
> the file "thing.cgi" while advertising the url "thing", without
> requiring authentication for the directory in which "thing.cgi"
> resided.  MultiViews doesn't work the way I want it to in directories
> in which only some files require authentication.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"

Re: [patch] mod_negotiation and authorization

Posted by Francis Daly <de...@daoine.org>.
On Tue, Jul 02, 2002 at 10:31:53AM -0400, Rodent of Unusual Size wrote:
> Did anyone check this one out?  (I haven't)  It sounds
> as though it would scratch some itches..

Not many other itches, by the looks of things :-(

On the assumption that it would be convenient to make available a
version of the patch that actually applies to the current CVS HEAD,
I'm including an updated version below.

Background and docs are available at, for example,

http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=102190232502173&q=raw

-- if reposting that would be useful, let me know and I'll get on to
it.

Possibly this should be adapted to include some of the other
400-series status codes -- 402, 407, or perhaps 411 or 412 might be
useful (longer term) to be handled similarly.  I'll wait to copy from
the mod_autoindex code on that count, though.  For now, it's 401 only.

Built and tested against 2.0.39, which appears to still ship the current
version (1.102) of mod_negotiation.c.

Comments and criticisms welcome.

	f
-- 
Francis Daly        deva@daoine.org

--- modules/mappers/mod_negotiation.c.2039	Fri May 17 12:24:16 2002
+++ modules/mappers/mod_negotiation.c	Mon Jul  8 22:27:45 2002
@@ -88,10 +88,17 @@
  */
 
 typedef struct {
+    int reveal_secret_url;
     int forcelangpriority;
     apr_array_header_t *language_priority;
 } neg_dir_config;
 
+/* reveal_secret_url flags
+ */
+#define RSU_UNDEF    2    /* this means "no explicit config" */
+#define RSU_ON       1    /* "config on" */
+#define RSU_OFF      0    /* "config off" */
+
 /* forcelangpriority flags 
  */
 #define FLP_UNDEF    0    /* Same as FLP_DEFAULT, but base overrides */
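Review bot: RSU_UNDEF is defined as 2 while the parallel FLP_UNDEF just below is 0, and the new comment block does not say why the two differ. Since RSU_OFF is 0, the "unset" marker has to be non-zero for the merge routine to tell it apart from an explicit Off, and at the only place the value is consulted just `== RSU_ON` is tested, so an unconfigured directory behaves as Off; that is the right default but it is only implicit here. I would expand the header comment to `/* reveal_secret_url flags. RSU_UNDEF is non-zero so the merge can tell "unset" from an explicit Off; unset behaves as Off where it is consulted. */`.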
@@ -107,6 +114,7 @@
 {
     neg_dir_config *new = (neg_dir_config *) apr_palloc(p, sizeof(neg_dir_config));
 
+    new->reveal_secret_url = RSU_UNDEF;
     new->forcelangpriority = FLP_UNDEF;
     new->language_priority = NULL;
     return new;
@@ -119,6 +127,9 @@
     neg_dir_config *new = (neg_dir_config *) apr_palloc(p, sizeof(neg_dir_config));
 
     /* give priority to the config in the subdirectory */
+    new->reveal_secret_url = (add->reveal_secret_url != RSU_UNDEF)
+				? add->reveal_secret_url 
+                                : base->reveal_secret_url;
     new->forcelangpriority = (add->forcelangpriority != FLP_UNDEF)
 				? add->forcelangpriority 
 				: base->forcelangpriority;
@@ -128,6 +139,22 @@
     return new;
 }
 
+static const char *reveal_secret_url(cmd_parms *cmd, void *n_, int arg)
+{
+    neg_dir_config *n = n_;
+    const char *err = ap_check_cmd_context(cmd, NOT_IN_FILES);
+
+    if (err != NULL) {
+        return err;
+    }
+    n->reveal_secret_url = arg == RSU_OFF ? RSU_OFF : RSU_ON;
+/* that is functionally equivalent to
+    n->reveal_secret_url = arg != 0;
+   for the RSU_* values #defined'd above. Clarity vs efficiency?
+*/
+    return NULL;
+}
+
 static const char *set_language_priority(cmd_parms *cmd, void *n_,
 					 const char *lang)
 {
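Review bot: The block comment following the assignment in reveal_secret_url() is an unresolved design musing ("Clarity vs efficiency?") with an alternative statement embedded in it, and it should be settled before the patch is committed rather than shipped as-is. AP_INIT_FLAG hands the handler 0 or 1, so both spellings are correct; I would keep the explicit form and state why it is safe: `n->reveal_secret_url = arg ? RSU_ON : RSU_OFF;  /* AP_INIT_FLAG passes 0 or 1 */`. Separately, the function shares its name with the neg_dir_config member reveal_secret_url; that is legal C but confusing, and `set_reveal_secret_url` would follow the set_language_priority()/set_force_priority() convention used right below (the directive-table entry in the later hunk would change to match).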
@@ -188,6 +215,8 @@
 {
     AP_INIT_FLAG("CacheNegotiatedDocs", cache_negotiated_docs, NULL, RSRC_CONF, 
                  "Either 'on' or 'off' (default)"),
+    AP_INIT_FLAG("MultiviewsRevealSecretURL", reveal_secret_url, NULL, RSRC_CONF|OR_AUTHCFG, 
+                 "Either 'on' or 'off' (default)"),
     AP_INIT_ITERATE("LanguagePriority", set_language_priority, NULL, OR_FILEINFO, 
                     "space-delimited list of MIME language abbreviations"),
     AP_INIT_ITERATE("ForceLanguagePriority", set_force_priority, NULL, OR_FILEINFO,
@@ -1045,6 +1074,7 @@
     struct accept_rec accept_info;
     void *new_var;
     int anymatch = 0;
+    int secretmatch = 0;
 
     clean_var_rec(&mime_info);
 
@@ -1110,6 +1140,13 @@
         if (sub_req->finfo.filetype != APR_REG)
             continue;
 
+        /* Note if it failed UNAUTHORIZED. We may want to return this
+         * status, eventually
+         */
+        if (sub_req->status == HTTP_UNAUTHORIZED) {
+            secretmatch = 1;
+        }
+
         /* If it has a handler, we'll pretend it's a CGI script,
          * since that's a good indication of the sort of thing it
          * might be doing.
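Review bot: Recording only a flag when a sub-request comes back HTTP_UNAUTHORIZED loses the challenge headers (WWW-Authenticate) that the authentication module placed on that sub-request's err_headers_out, so the bare `return HTTP_UNAUTHORIZED;` added in the later hunk (the `if (secretmatch && ...)` block) would send a 401 that clients cannot respond to; as far as I can see nothing in the patch copies those headers to the main request, though the rest of read_types_multi is outside this hunk and worth checking. Copying the sub-request's error headers into r->pool at the point of detection, and overlaying them on r only on the reveal path, keeps a successful negotiation free of the stray header while making the 401 usable. The declaration in the earlier hunk would gain `apr_table_t *secret_hdrs = NULL;` next to secretmatch. If I remember right, mod_dir's index-lookup code overlays the sub-request's notes and err_headers_out before returning its status, which is probably the pattern to mirror.
```c
        /* Note a variant refused with 401 and keep a copy of its challenge
         * headers so they can be replayed on the main request if we decide
         * to return that status below.
         */
        if (sub_req->status == HTTP_UNAUTHORIZED) {
            secretmatch = 1;
            if (secret_hdrs == NULL) {
                secret_hdrs = apr_table_copy(r->pool, sub_req->err_headers_out);
            }
        }

/* … unchanged: remainder of the directory loop and variant collection … */

    if (anymatch && !neg->avail_vars->nelts) {
        if (secretmatch && neg->conf->reveal_secret_url == RSU_ON) {
            if (secret_hdrs != NULL) {
                r->err_headers_out = apr_table_overlay(r->pool,
                                                       r->err_headers_out,
                                                       secret_hdrs);
            }
            return HTTP_UNAUTHORIZED;
        }
```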
@@ -1232,6 +1269,9 @@
      * request must die.
      */
     if (anymatch && !neg->avail_vars->nelts) {
+        if (secretmatch && neg->conf->reveal_secret_url == RSU_ON) {
+            return HTTP_UNAUTHORIZED;
+        }
 	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 		      "Negotiation: discovered file(s) matching request: %s"
                       " (None could be negotiated).",
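Review bot: The inserted `if (secretmatch && ...)` block is space-indented while the surrounding ap_log_rerror() call it sits next to is tab-indented, so the block reads as if it were at a different nesting level. Matching the existing indentation of this function avoids that, and a one-line comment such as `/* Prefer the 401 over a 404 only when the admin opted in; the default keeps protected variants hidden */` would record the intent of the early return. The enclosing function continues past the end of this hunk.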