You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Brian Havard <br...@kheldar.apana.org.au> on 1999/05/17 10:30:09 UTC

[PATCH] mod_auth_dbm requires mod_auth (PR#2598)

This patch fixes the problem where mod_auth_dbm generates internal server 
errors if mod_auth isn't also loaded.

As this is a critical, security related module and some of you may think it's 
better to just document the dependency (and it's not really my area of 
expertise), I won't commit without 3 tested +1's.



Index: modules/standard/mod_auth_dbm.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/standard/mod_auth_dbm.c,v
retrieving revision 1.45
diff -u -r1.45 mod_auth_dbm.c
--- mod_auth_dbm.c	1999/02/03 16:22:32	1.45
+++ mod_auth_dbm.c	1999/05/17 06:35:19
@@ -251,6 +251,7 @@
 					      &dbm_auth_module);
     char *user = r->connection->user;
     int m = r->method_number;
+    int method_restricted = 0;
 
     const array_header *reqs_arr = ap_requires(r);
     require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
@@ -259,20 +260,27 @@
     const char *t;
     char *w;
 
-    if (!sec->auth_dbmgrpfile)
-	return DECLINED;
     if (!reqs_arr)
-	return DECLINED;
+	return OK;
 
     for (x = 0; x < reqs_arr->nelts; x++) {
 
 	if (!(reqs[x].method_mask & (1 << m)))
 	    continue;
 
+        method_restricted = 1;
 	t = reqs[x].requirement;
 	w = ap_getword_white(r->pool, &t);
 
-	if (!strcmp(w, "group") && sec->auth_dbmgrpfile) {
+	if (!strcmp(w, "valid-user"))
+	    return OK;
+	if (!strcmp(w, "user")) {
+	    while (t[0]) {
+		w = ap_getword_conf(r->pool, &t);
+		if (!strcmp(user, w))
+		    return OK;
+	    }
+	} else if (!strcmp(w, "group") && sec->auth_dbmgrpfile) {
 	    const char *orig_groups, *groups;
 	    char *v;
 
@@ -300,10 +308,31 @@
 			user, r->filename);
 	    ap_note_basic_auth_failure(r);
 	    return AUTH_REQUIRED;
+	} else if (sec->auth_dbmauthoritative) {
+	    /* if we aren't authoritative, any require directive could be
+	     * valid even if we don't grok it.  However, if we are 
+	     * authoritative, we can warn the user they did something wrong.
+	     * That something could be a missing "AuthAuthoritative off", but
+	     * more likely is a typo in the require directive.
+	     */
+	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+		"access to %s failed, reason: unknown require directive:"
+		"\"%s\"", r->uri, reqs[x].requirement);
 	}
     }
+
+    if (!method_restricted)
+	return OK;
+
+    if (!(sec->auth_dbmauthoritative))
+	return DECLINED;
 
-    return DECLINED;
+    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+	"access to %s failed, reason: user %s not allowed access",
+	r->uri, user);
+	
+    ap_note_basic_auth_failure(r);
+    return AUTH_REQUIRED;
 }
 
 

--
 ______________________________________________________________________________
 |  Brian Havard                 |  "He is not the messiah!                   |
 |  brianh@kheldar.apana.org.au  |  He's a very naughty boy!" - Life of Brian |
 ------------------------------------------------------------------------------