httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ron...@hyperreal.org
Subject cvs commit: apache-1.3/src CHANGES
Date Sun, 19 Sep 1999 21:28:37 GMT
ronald      99/09/19 14:28:37

  Modified:    src/modules/experimental mod_auth_digest.c
               src      CHANGES
  Log:
  - Use unix-io instead of stdio to read /dev/random (fixes problems
    on FreeBSD)
  - Correctly unescape all parts of the request uri and the uri
    attribute of the Authorization header before doing comparison
  - Fixes for MD5-sess
  - Don't send a domain attribute in Proxy-Authenticate
  
  PR: 4967
  Submitted by:	 Joe Orton <joe@orton.demon.co.uk>, Kano <tomo@crane-inc.co.jp>
  
  Revision  Changes    Path
  1.10      +36 -21    apache-1.3/src/modules/experimental/mod_auth_digest.c
  
  Index: mod_auth_digest.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/experimental/mod_auth_digest.c,v
  retrieving revision 1.9
  retrieving revision 1.10
  diff -u -r1.9 -r1.10
  --- mod_auth_digest.c	1999/09/13 13:53:54	1.9
  +++ mod_auth_digest.c	1999/09/19 21:28:34	1.10
  @@ -166,7 +166,7 @@
   
   
   #define NONCE_TIME_LEN	(((sizeof(time_t)+2)/3)*4)
  -#define NONCE_HASH_LEN	40
  +#define NONCE_HASH_LEN	(2*SHA_DIGESTSIZE)
   #define NONCE_LEN	(NONCE_TIME_LEN + NONCE_HASH_LEN)
   
   #define	SECRET_LEN	20
  @@ -178,7 +178,7 @@
       unsigned long      key;			/* the key for this entry    */
       struct hash_entry *next;			/* next entry in the bucket  */
       unsigned long      nonce_count;		/* for nonce-count checking  */
  -    char               ha1[17];			/* for algorithm=MD5-sess    */
  +    char               ha1[2*MD5_DIGESTSIZE+1];	/* for algorithm=MD5-sess    */
       char               last_nonce[NONCE_LEN+1];	/* for one-time nonce's      */
   } client_entry;
   
  @@ -222,7 +222,7 @@
   
   typedef union time_union {
       time_t	  time;
  -    unsigned char arr[sizeof(time_t)+1]; /* leave room for the NULL terminator */
  +    unsigned char arr[sizeof(time_t)];
   } time_rec;
   
   
  @@ -304,7 +304,7 @@
   static void initialize_secret(server_rec *s)
   {
   #ifdef	DEV_RANDOM
  -    FILE *rnd;
  +    int rnd;
       size_t got, tot;
   #else
       extern int randbyte(void);	/* from the truerand library */
  @@ -317,24 +317,19 @@
   #ifdef	DEV_RANDOM
   #define	XSTR(x)	#x
   #define	STR(x)	XSTR(x)
  -    if ((rnd = fopen(STR(DEV_RANDOM), "rb")) == NULL) {
  +    if ((rnd = open(STR(DEV_RANDOM), O_RDONLY)) == NULL) {
   	ap_log_error(APLOG_MARK, APLOG_CRIT, s,
   		     "Digest: Couldn't open " STR(DEV_RANDOM));
   	exit(EXIT_FAILURE);
       }
  -    if (setvbuf(rnd, NULL, _IONBF, 0) != 0) {
  -	ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_CRIT, s,
  -		     "Digest: Error trying to disable buffering for " STR(DEV_RANDOM));
  -	exit(EXIT_FAILURE);
  -    }
       for (tot=0; tot<sizeof(secret); tot += got) {
  -	if ((got = fread(secret+tot, 1, sizeof(secret)-tot, rnd)) < 1) {
  +	if ((got = read(rnd, secret+tot, sizeof(secret)-tot)) < 0) {
   	    ap_log_error(APLOG_MARK, APLOG_CRIT, s,
   			 "Digest: Error reading " STR(DEV_RANDOM));
   	    exit(EXIT_FAILURE);
   	}
       }
  -    fclose(rnd);
  +    close(rnd);
   #undef	STR
   #undef	XSTR
   #else	/* use truerand */
  @@ -1106,12 +1101,12 @@
       if (ha1 == NULL || ha1[0] == '\0') {
   	urp = get_userpw_hash(r, resp, conf);
   	ha1 = ap_md5(r->pool,
  -		     (unsigned char *) ap_pstrcat(r->pool, ha1, ":", resp->nonce,
  +		     (unsigned char *) ap_pstrcat(r->pool, urp, ":", resp->nonce,
   						  ":", resp->cnonce, NULL));
   	if (!resp->client)
   	    resp->client = gen_client(r);
   	if (resp->client)
  -	    memcpy(resp->client->ha1, ha1, 17);
  +	    memcpy(resp->client->ha1, ha1, sizeof(resp->client->ha1));
       }
   
       return ha1;
  @@ -1272,14 +1267,16 @@
        * unneccessarily (it's usually > 200 bytes!).
        */
   
  -    if (conf->uri_list)
  +    if (r->proxyreq)
  +	domain = NULL;	/* don't send domain for proxy requests */
  +    else if (conf->uri_list)
   	domain = conf->uri_list;
       else {
   	/* They didn't specify any domain, so let's guess at it */
   	domain = guess_domain(r->pool, resp->request_uri->path, r->filename,
   			      conf->dir_name);
   	if (domain[0] == '/' && domain[1] == '\0')
  -	    domain = "";	/* "/" is the default, so no need to send it */
  +	    domain = NULL;	/* "/" is the default, so no need to send it */
   	else
   	    domain = ap_pstrcat(r->pool, ", domain=\"", domain, "\"", NULL);
       }
  @@ -1539,13 +1536,31 @@
   
       if (strcmp(resp->uri, resp->request_uri->path)) {
   	uri_components *r_uri = resp->request_uri, d_uri;
  -	ap_parse_uri_components(r->pool, resp->uri, &d_uri);
  +	int port;
  +
  +	if (ap_parse_uri_components(r->pool, resp->uri, &d_uri) != HTTP_OK) {
  +	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  +			  "Digest: invalid uri <%s> in Authorization header",
  +			  resp->uri);
  +	    return BAD_REQUEST;
  +	}
  +
  +	if (d_uri.hostname)
  +	    ap_unescape_url(d_uri.hostname);
  +	if (d_uri.path)
  +	    ap_unescape_url(d_uri.path);
  +	if (d_uri.query)
  +	    ap_unescape_url(d_uri.query);
  +	if (r_uri->query)
  +	    ap_unescape_url(r_uri->query);
  +	port = ap_get_server_port(r);
   
   	if ((d_uri.hostname && d_uri.hostname[0] != '\0'
  -	     && strcasecmp(d_uri.hostname, r->server->server_hostname))
  -	    || (d_uri.port_str && d_uri.port != r->server->port)
  -	    || (!d_uri.port_str && r->server->port != 80)
  -	    || strcmp(d_uri.path, r_uri->path)
  +	     && strcasecmp(d_uri.hostname, ap_get_server_name(r)))
  +	    || (d_uri.port_str && d_uri.port != port)
  +	    || (d_uri.hostname && d_uri.hostname[0] != '\0'
  +		&& !d_uri.port_str && port != ap_default_port(r))
  +	    || !d_uri.path || strcmp(d_uri.path, r_uri->path)
   	    || (d_uri.query != r_uri->query
   		&& (!d_uri.query || !r_uri->query
   		    || strcmp(d_uri.query, r_uri->query)))
  
  
  
  1.1431    +12 -0     apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1430
  retrieving revision 1.1431
  diff -u -r1.1430 -r1.1431
  --- CHANGES	1999/09/11 07:58:27	1.1430
  +++ CHANGES	1999/09/19 21:28:35	1.1431
  @@ -1,5 +1,17 @@
   Changes with Apache 1.3.10
   
  +  *) mod_auth_digest fixes:
  +     - Use unix-io instead of stdio to read /dev/random (fixes problems
  +       on FreeBSD)
  +       [Kano <tomo@crane-inc.co.jp>] PR#4967
  +     - Correctly unescape all parts of the request uri and the uri
  +       attribute of the Authorization header before doing comparison
  +       [Joe Orton <joe@orton.demon.co.uk>, Ronald Tschalär]
  +     - Fixes for MD5-sess
  +       [Joe Orton <joe@orton.demon.co.uk>]
  +     - Don't send a domain attribute in Proxy-Authenticate
  +       [Ronald Tschalär]
  +
     *) ap_base64decode_binary does not null-terminate the output anymore
        [Bill Stoddard, Ronald Tschalär]
   
  
  
  

Mime
View raw message