httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 21533] - Apache may crash with digest authentication if sub-DocumentRoot .htaccess files override DocumentRoot .htaccess file's "Require valid-user" directive with "Require group testgroup" and the authenticated username is not listed as a member of the "testgroup" group
Date Fri, 08 Aug 2003 19:00:45 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21533>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21533

Apache may crash with digest authentication if sub-DocumentRoot .htaccess files override DocumentRoot
.htaccess file's "Require valid-user" directive with "Require group testgroup" and the authenticated
username is not listed as a member of the "testgroup" group





------- Additional Comments From truk@optonline.net  2003-08-08 19:00 -------
This bug also exists in 1.3.28. I've encounterd it without using groups, just 
requre user in the sub-DocumentRoot will cause apache to crash. It occurs if 
the sub-DocumentRoot is restricted using .htaccess or via httpd.conf.

I've debugged this somewhat and found that it is related to FancyIndexing 
combined with auth digest. Here's a stack trace:

note_digest_auth_failure(request_rec * 0x00860dc0, const digest_config_struct * 
0x007c5e30, digest_header_struct * 0x00000000, int 0) line 1210 + 3 bytes
digest_check_auth(request_rec * 0x00860dc0) line 1861 + 33 bytes
run_method(request_rec * 0x00860dc0, int 7, int 0) line 370 + 7 bytes
ap_check_auth(request_rec * 0x00860dc0) line 427 + 17 bytes
ap_sub_req_lookup_file(const char * 0x00864f9e, const request_rec * 0x0085dad8) 
line 1027 + 186 bytes
make_autoindex_entry(char * 0x00864f9e, int 1, autoindex_config_struct * 
0x007b7478, request_rec * 0x0085dad8, char 78, char 65) line 1281 + 13 bytes
index_directory(request_rec * 0x0085dad8, autoindex_config_struct * 0x007b7478) 
line 1762 + 32 bytes
handle_autoindex(request_rec * 0x0085dad8) line 1822 + 13 bytes
ap_invoke_handler(request_rec * 0x0085dad8) line 518 + 10 bytes
process_request_internal(request_rec * 0x0085dad8) line 1324 + 9 bytes
ap_process_request(request_rec * 0x0085dad8) line 1340 + 9 bytes
child_sub_main(int 0) line 5992
child_main(int 0) line 6062 + 9 bytes
_threadstartex(void * 0x007f3a48) line 212 + 13 bytes
KERNEL32! 77e8b2d8()

note_digest_auth_failure bombs because the third parameter (digest_header_rec 
*resp) is null. Here's the call to note_digest_auth_failure from 
digest_check_auth:

    note_digest_auth_failure(r, conf,
	(digest_header_rec *) ap_get_module_config(r->request_config,
						   &digest_auth_module),
	0);

The third parameter is passed via ap_get_module_config which returns 0.

This is as far as I got. I don't know enough about  
apache/mod_autoindex/mod_auth_digest to suggest a patch. I do have some 
questions though. Why is FancyIndexing checking auth for sub directories while 
building the index for the parrent? If this this valid, why would 
mod_auth_digest log an error in this case? The user hasn't even selected the 
sub directory, but the log file records it like they did:

Digest: access to /webfolder/Kurt failed, reason: user kurt not allowed access

Hope this helps somewhat. I will help testing any proposed patches.

-Kurt

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message