httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 11602] New: - REMOTE_USER variable lost in conjunction with Script directive
Date Sat, 10 Aug 2002 01:41:45 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11602>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11602

REMOTE_USER variable lost in conjunction with Script directive

           Summary: REMOTE_USER variable lost in conjunction with Script directive
           Product: Apache httpd-2.0
           Version: 2.0.39
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: mod_actions
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mjd-apache-bugzilla+@plover.com
                CC: mjd-apache-bugzilla+@plover.com


My httpd.conf contains the following section:

   <Directory "/usr/local/apache/htdocs/skatersupport">
        AuthType Basic
        AuthName  "Skater Support File Depository"
        AuthUserFile /home/jen/passwords
        Script PUT /cgi-bin/Put
        <Limit PUT>
          require valid-user
        </Limit>
   </Directory>

As a belt-and-suspenders measure, the PUT method handler script
checks to make sure that the REMOTE_USER environment variable
has been populated by the server.  This is to protect 
against the possibility of misconfiguration; if someone managed
somehow to invoke the PUT handler script without having authenticated
themselves, the script would abort.  This worked with Apache 
1.3.12, 1.3.19, and 1.3.22.

However, beginning with at least Apache 2.0.36, the REMOTE_USER
variable is not set when the handler script is invoked, regardless
of whether the request included valid credentials.  The AuthUserFile
is correctly checked, and the script is only run when the credentials are valid,
but the script itself cannot determine the identity of 
the remote user.  The problem persists in 2.0.39.  

To test this, I first instrumented the script so that it would dump
out its environment to the file /tmp/Put.err.  I then used a Perl utility
to send a PUT request to the server:

PUT -C mjd:badpassword  http://www.plover.com/skatersupport/TESTFILE < /dev/null

The Put.err file did not appear, and PUT reported that the server's response
was a 401 Authorization Required.  Then I tried sending the same request
with the correct password:

PUT -C mjd:goodpassword  http://www.plover.com/skatersupport/TESTFILE < /dev/null

Again, PUT reported a 401 error, but this time the 401 was artificially
generated by the PUT handler script.  The Put.err file did appear, and
contained a listing of the environment:


	CONTENT_LENGTH: 0
	CONTENT_TYPE: text/plain
	DOCUMENT_ROOT: /usr/local/apache/htdocs
	...
	REMOTE_PORT: 4106
	REQUEST_METHOD: PUT
	...
	SERVER_PROTOCOL: HTTP/1.1
	SERVER_SIGNATURE: <address>Apache/2.0.39 Server at www.plover.com Port 80</address>
	SERVER_SOFTWARE: Apache/2.0.39 (Unix)

As you can see, the REMOTE_USER variable is missing.  The Put.err file ended
with 

	REMOTE_USER missing; generating authorization failure response.

indicating that the 401 response was from the handler script and not
from the httpd.

This may be the same bug as #10678.

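The belt-and-suspenders check the report describes, as an added example: a CGI PUT handler that refuses to store anything unless the server populated REMOTE_USER, plus the environment-dump instrumentation used to diagnose the problem. This is not the reporter's (Perl) /cgi-bin/Put script; the depository path and realm come from the report's httpd.conf, the dump file name from the report, and the use of PATH_TRANSLATED as the target file follows the mod_actions Script convention (assumed here, and replayed in demo() with a temporary directory).

```python
#!/usr/bin/env python3
"""Defensive CGI PUT handler (added example, not the reporter's script).
Refuses to write unless REMOTE_USER is set, the check the report says
fails on Apache 2.0.36-2.0.39 even after successful Basic auth."""
import os
import pathlib
import sys
import tempfile

DEPOSITORY = pathlib.Path("/usr/local/apache/htdocs/skatersupport")  # from the report
REALM = "Skater Support File Depository"                             # from the report

def handle_put(environ, body, depository=DEPOSITORY):
    """Return (status, headers, text) for one PUT. Never writes without a user."""
    if environ.get("REQUEST_METHOD") != "PUT":
        return 405, {"Allow": "PUT"}, "method not allowed\n"
    user = environ.get("REMOTE_USER", "")
    if not user:
        # <Limit PUT> should already have required a valid user, so an empty
        # REMOTE_USER means misconfiguration or the server bug in the report.
        return (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'},
                "REMOTE_USER missing; generating authorization failure response.\n")
    # Assumption: mod_actions passes the target file in PATH_TRANSLATED. Only
    # accept a file that actually lives inside the depository directory.
    target = pathlib.Path(environ.get("PATH_TRANSLATED", "")).resolve()
    if depository.resolve() not in target.parents:
        return 400, {}, "target outside depository\n"
    target.write_bytes(body)
    return 201, {}, f"stored {target.name} for {user}\n"

def dump_environment(environ, path=pathlib.Path("/tmp/Put.err")):
    """The instrumentation from the report: write every CGI variable to a file."""
    lines = [f"{k}: {v}" for k, v in sorted(environ.items())]
    path.write_text("\n".join(lines) + "\n")
    return len(lines)

def demo():
    """Replay the report in a temp dir: no REMOTE_USER -> 401; with it -> 201."""
    depository = pathlib.Path(tempfile.mkdtemp())
    env = {"REQUEST_METHOD": "PUT", "PATH_TRANSLATED": str(depository / "TESTFILE")}
    refused, _, msg = handle_put(env, b"", depository)           # what 2.0.39 hands us
    accepted, _, _ = handle_put(dict(env, REMOTE_USER="mjd"), b"data", depository)
    return refused, accepted, (depository / "TESTFILE").read_bytes(), msg

if __name__ == "__main__":  # run as a CGI: environment and body come from httpd
    status, headers, text = handle_put(os.environ, sys.stdin.buffer.read())
    sys.stdout.write(f"Status: {status}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items()))
    sys.stdout.write("Content-Type: text/plain\r\n\r\n" + text)
```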

