httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 57868] New: SIGSEGV when lacking correct DB access permissions
Date Tue, 28 Apr 2015 17:15:30 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=57868

            Bug ID: 57868
           Summary: SIGSEGV when lacking correct DB access permissions
           Product: Apache httpd-2
           Version: 2.4.10
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_dbd
          Assignee: bugs@httpd.apache.org
          Reporter: jose@w3.org

Created attachment 32696
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32696&action=edit
Fixes SIGSEGV in mod_authz_dbd when server lacks access rights to the db table

If the dbd handle preparation fails due to a misconfiguration of the database
server or the access rights to the table, the server logs something along these
lines:

   AH00632: failed to prepare SQL statements: UPDATE command denied to 
   user 'foo'@'exampleorg' for table 'bar'

As a consequence, the call to dbd_handle(r) returns NULL. However, in
mod_authz_dbd, there was no control for the value of dbd before its being used
in both authz_dbd_login() and authzdbd_group():

       ap_dbd_t *dbd = dbd_handle(r);
       ...
       query = apr_hash_get(dbd->prepared, <--- SIGSEGV

I'm attaching a patch that solves this issue. I didn't check to see if it also
occurs in other nz modules based on mod_dbd.c.

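The failure mode described in the report, modelled as an added example (this is not the attached patch and not httpd source): a caller that checks the handle before touching `dbd->prepared` and fails closed. The struct layouts, `db_prepare_ok`, `last_log`, `lookup_prepared()` and `authz_login_checked()` are hypothetical stand-ins so the code builds without the httpd/APR headers.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins (assumptions) for the httpd/APR names used in the report. */
#define OK 0
#define HTTP_INTERNAL_SERVER_ERROR 500

typedef struct { const char *label; const char *stmt; } prepared_t;
typedef struct { const prepared_t *prepared; size_t nprepared; } ap_dbd_t;
typedef struct { int db_prepare_ok; const char *last_log; } request_rec;

/* Constructed sample statement table. */
static const prepared_t STATEMENTS[] = {
    { "authz_login", "UPDATE bar SET login = 1 WHERE user = %s" }
};
static ap_dbd_t HANDLE = { STATEMENTS, 1 };

/* Models dbd_handle(r): NULL when statement preparation failed (AH00632). */
static ap_dbd_t *dbd_handle(request_rec *r)
{
    return r->db_prepare_ok ? &HANDLE : NULL;
}

/* Models the lookup on dbd->prepared; it dereferences dbd unconditionally. */
static const char *lookup_prepared(const ap_dbd_t *dbd, const char *label)
{
    for (size_t i = 0; i < dbd->nprepared; i++)
        if (strcmp(dbd->prepared[i].label, label) == 0)
            return dbd->prepared[i].stmt;
    return NULL;
}

/* Guarded caller: reject the request instead of dereferencing NULL. */
static int authz_login_checked(request_rec *r, const char *label)
{
    ap_dbd_t *dbd = dbd_handle(r);
    if (dbd == NULL) {
        r->last_log = "no database handle; failing closed";
        return HTTP_INTERNAL_SERVER_ERROR;
    }
    if (lookup_prepared(dbd, label) == NULL) {
        r->last_log = "prepared statement not found";
        return HTTP_INTERNAL_SERVER_ERROR;
    }
    r->last_log = NULL;
    return OK;
}
```

Returning an error here denies the request, so an unavailable or misconfigured database results in a refused authorization rather than a crashed worker.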