Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Apache HTTPD Bugs Notification List" <bugs@httpd.apache.org>
Date: 11 Aug 2003 03:49:39 -0000
Message-ID: <20030811034939.19407.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Cc: 
Subject: DO NOT REPLY [Bug 21533]  -
    Apache may crash with digest authentication if sub-DocumentRoot .htaccess
 files override DocumentRoot .htaccess file's "Require valid-user" directive
 with "Require group testgroup" and the authenticated username is not listed
 as a member of the "testgroup" group

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21533>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21533

Apache may crash with digest authentication if sub-DocumentRoot .htaccess files override DocumentRoot .htaccess file's "Require valid-user" directive with "Require group testgroup" and the authenticated username is not listed as a member of the "testgroup" group


------- Additional Comments From truk@optonline.net  2003-08-11 03:49 -------
I reviewed the 1.3.28 code some more and have a proposed patch (should I have 
opened a separate bug report for 1.3.28?). If I understand things correctly the 
following is happening... request_req.request_config is being intialized in 
update_nonce_count. update_nonce_count appears to be called when the client 
sends authorization records. Since the call to digest_check_auth is comming 
from mod_autoindex's call to ap_sub_req_lookup_file and not from a browser 
request with authorization records, update_nonce_count is not being called and 
thus request_config is not being initialized. 

The following patch assumes that if request_config is NULL then the call to 
digest_check_auth must be coming from a non user request. If this is not true 
then maybe another solution may be better. However, if the assumption is 
correct then we know when a call to digest_check_auth has been initiated not by 
a user, so we don't need to log and note the failure. 

--- mod_auth_digest.c.orig	Sat Feb 15 22:42:24 2003
+++ mod_auth_digest.c	Sun Aug 10 23:03:16 2003
@@ -1788,6 +1788,7 @@
     const digest_config_rec *conf =
 		(digest_config_rec *) ap_get_module_config(r->per_dir_config,
 							   &digest_auth_module);
+    digest_header_rec *resp;
     const char *user = r->connection->user;
     int m = r->method_number;
     int method_restricted = 0;
@@ -1851,15 +1852,21 @@
     if (!method_restricted)
 	return OK;
 
-    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
-	"Digest: access to %s failed, reason: user %s not allowed access",
-	r->uri, user);
+	resp = (digest_header_rec *) ap_get_module_config(r->request_config,
+								  
&digest_auth_module);
 
-    note_digest_auth_failure(r, conf,
-	(digest_header_rec *) ap_get_module_config(r->request_config,
-						   &digest_auth_module),
-	0);
-    return AUTH_REQUIRED;
+	/* if there isn't a resp initalized then this check auth
+	didn't come from a user request (i.e. FancyIndexing) 
+	so don't log it */
+	if (resp != NULL) {
+		ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+		"Digest: access to %s failed, reason: user %s not allowed 
access",
+		r->uri, user);
+
+		note_digest_auth_failure(r, conf, resp,	0);
+	}
+
+	return AUTH_REQUIRED;
 }

Please excuse any white space style errors, I wasn't sure what the style was 
from the existing code and didn't take the time to see if there was a published 
style for apache.

-Kurt

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org