httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ron...@hyperreal.org
Subject cvs commit: apache-1.3/src/modules/experimental mod_auth_digest.c
Date Thu, 09 Dec 1999 05:21:03 GMT
ronald      99/12/08 21:21:02

  Modified:    src      CHANGES
               src/modules/experimental mod_auth_digest.c
  Log:
  mod_auth_digest fixes:
  - better comparing of request-uri with uri parameter in Authorization
    header
  - added a check for a MUST condition in the spec
  - fixed SEGV
  
  Revision  Changes    Path
  1.1475    +7 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1474
  retrieving revision 1.1475
  diff -u -r1.1474 -r1.1475
  --- CHANGES	1999/12/08 23:01:46	1.1474
  +++ CHANGES	1999/12/09 05:20:52	1.1475
  @@ -1,5 +1,12 @@
   Changes with Apache 1.3.10
   
  +  *) more fixes to mod_auth_digest:
  +     - better comparing of request-uri with uri parameter in Authorization
  +       header
  +     - added a check for a MUST condition in the spec
  +     - fixed SEGV
  +     [Ronald Tschalär]
  +
     *) mod_proxy now works on TPF.
        [Joe Moenich <moenich@us.ibm.com>]
   
  
  
  
  1.12      +81 -28    apache-1.3/src/modules/experimental/mod_auth_digest.c
  
  Index: mod_auth_digest.c
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/modules/experimental/mod_auth_digest.c,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- mod_auth_digest.c	1999/11/28 12:41:59	1.11
  +++ mod_auth_digest.c	1999/12/09 05:21:00	1.12
  @@ -212,7 +212,8 @@
       /* the following fields are not (directly) from the header */
       time_t                nonce_time;
       enum hdr_sts          auth_hdr_sts;
  -    uri_components       *request_uri;
  +    const char           *raw_request_uri;
  +    uri_components       *psd_request_uri;
       int                   needed_auth;
       client_entry         *client;
   } digest_header_rec;
  @@ -498,9 +499,9 @@
        * and directives outside a virtual host section)
        */
       ap_SHA1Init(&conf->nonce_ctx);
  +    ap_SHA1Update_binary(&conf->nonce_ctx, secret, sizeof(secret));
       ap_SHA1Update_binary(&conf->nonce_ctx, (const unsigned char *) realm,
   			 strlen(realm));
  -    ap_SHA1Update_binary(&conf->nonce_ctx, secret, sizeof(secret));
   
       return DECLINE_CMD;
   }
  @@ -911,7 +912,8 @@
       }
   
       if (!resp->username || !resp->realm || !resp->nonce || !resp->uri
  -	|| !resp->digest) {
  +	|| !resp->digest
  +	|| (resp->message_qop && (!resp->cnonce || !resp->nonce_count))) {
   	resp->auth_hdr_sts = INVALID;
   	return !OK;
       }
  @@ -944,7 +946,8 @@
   	return DECLINED;
   
       resp = ap_pcalloc(r->pool, sizeof(digest_header_rec));
  -    resp->request_uri = &r->parsed_uri;
  +    resp->raw_request_uri = r->unparsed_uri;
  +    resp->psd_request_uri = &r->parsed_uri;
       resp->needed_auth = 0;
       ap_set_module_config(r->request_config, &digest_auth_module, resp);
   
  @@ -1273,7 +1276,7 @@
   	domain = conf->uri_list;
       else {
   	/* They didn't specify any domain, so let's guess at it */
  -	domain = guess_domain(r->pool, resp->request_uri->path, r->filename,
  +	domain = guess_domain(r->pool, resp->psd_request_uri->path, r->filename,
   			      conf->dir_name);
   	if (domain[0] == '/' && domain[1] == '\0')
   	    domain = NULL;	/* "/" is the default, so no need to send it */
  @@ -1460,6 +1463,36 @@
   }
   
   
  +static void copy_uri_components(uri_components *dst, uri_components *src,
  +				request_rec *r) {
  +    if (src->scheme && src->scheme[0] != '\0')
  +	dst->scheme = src->scheme;
  +    else
  +	dst->scheme = (char *) "http";
  +
  +    if (src->hostname && src->hostname[0] != '\0') {
  +	dst->hostname = ap_pstrdup(r->pool, src->hostname);
  +	ap_unescape_url(dst->hostname);
  +    }
  +    else
  +	dst->hostname = (char *) ap_get_server_name(r);
  +
  +    if (src->port_str && src->port_str[0] != '\0')
  +	dst->port = src->port;
  +    else
  +	dst->port = ap_get_server_port(r);
  +
  +    if (src->path && src->path[0] != '\0') {
  +	dst->path = ap_pstrdup(r->pool, src->path);
  +	ap_unescape_url(dst->path);
  +    }
  +
  +    if (src->query && src->query[0] != '\0') {
  +	dst->query = ap_pstrdup(r->pool, src->query);
  +	ap_unescape_url(dst->query);
  +    }
  +}
  +
   /* These functions return 0 if client is OK, and proper error status
    * if not... either AUTH_REQUIRED, if we made a check, and it failed, or
    * SERVER_ERROR, if things are so totally confused that we couldn't
  @@ -1521,8 +1554,9 @@
   			  "`%s': %s", resp->scheme, r->uri);
   	else if (resp->auth_hdr_sts == INVALID)
   	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  -			  "Digest: missing user, realm, nonce, uri, or digest "
  -			  "in authorization header: %s", r->uri);
  +			  "Digest: missing user, realm, nonce, uri, digest, "
  +			  "cnonce, or nonce_count in authorization header: %s",
  +			  r->uri);
   	/* else (resp->auth_hdr_sts == NO_HEADER) */
   	note_digest_auth_failure(r, conf, resp, 0);
   	return AUTH_REQUIRED;
  @@ -1534,10 +1568,13 @@
   
       /* check the auth attributes */
   
  -    if (strcmp(resp->uri, resp->request_uri->path)) {
  -	uri_components *r_uri = resp->request_uri, d_uri;
  -	int port;
  +    if (strcmp(resp->uri, resp->raw_request_uri)) {
  +	/* Hmm, the simple match didn't work (probably a proxy modified the
  +	 * request-uri), so lets do a more sophisticated match
  +	 */
  +	uri_components r_uri, d_uri;
   
  +	copy_uri_components(&r_uri, resp->psd_request_uri, r);
   	if (ap_parse_uri_components(r->pool, resp->uri, &d_uri) != HTTP_OK) {
   	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
   			  "Digest: invalid uri <%s> in Authorization header",
  @@ -1551,24 +1588,40 @@
   	    ap_unescape_url(d_uri.path);
   	if (d_uri.query)
   	    ap_unescape_url(d_uri.query);
  -	if (r_uri->query)
  -	    ap_unescape_url(r_uri->query);
  -	port = ap_get_server_port(r);
  -
  -	if ((d_uri.hostname && d_uri.hostname[0] != '\0'
  -	     && strcasecmp(d_uri.hostname, ap_get_server_name(r)))
  -	    || (d_uri.port_str && d_uri.port != port)
  +
  +	if (r->method_number == M_CONNECT) {
  +	    if (strcmp(resp->uri, r_uri.hostinfo)) {
  +		ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
  +			      "Digest: uri mismatch - <%s> does not match "
  +			      "request-uri <%s>", resp->uri, r_uri.hostinfo);
  +		return BAD_REQUEST;
  +	    }
  +	}
  +	else if (
  +	    /* check hostname matches, if present */
  +	    (d_uri.hostname && d_uri.hostname[0] != '\0'
  +	      && strcasecmp(d_uri.hostname, r_uri.hostname))
  +	    /* check port matches, if present */
  +	    || (d_uri.port_str && d_uri.port != r_uri.port)
  +	    /* check that server-port is default port if no port present */
   	    || (d_uri.hostname && d_uri.hostname[0] != '\0'
  -		&& !d_uri.port_str && port != ap_default_port(r))
  -	    || !d_uri.path || strcmp(d_uri.path, r_uri->path)
  -	    || (d_uri.query != r_uri->query
  -		&& (!d_uri.query || !r_uri->query
  -		    || strcmp(d_uri.query, r_uri->query)))
  +		&& !d_uri.port_str && r_uri.port != ap_default_port(r))
  +	    /* check that path matches */
  +	    || (d_uri.path != r_uri.path
  +		/* either exact match */
  +	        && (!d_uri.path || !r_uri.path
  +		    || strcmp(d_uri.path, r_uri.path))
  +		/* or '*' matches empty path in scheme://host */
  +	        && !(d_uri.path && !r_uri.path && resp->psd_request_uri->hostname
  +		    && d_uri.path[0] == '*' && d_uri.path[1] == '\0'))
  +	    /* check that query matches */
  +	    || (d_uri.query != r_uri.query
  +		&& (!d_uri.query || !r_uri.query
  +		    || strcmp(d_uri.query, r_uri.query)))
   	    ) {
   	    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
   			  "Digest: uri mismatch - <%s> does not match "
  -			  "request-uri <%s>", resp->uri,
  -			  ap_unparse_uri_components(r->pool, r_uri, 0));
  +			  "request-uri <%s>", resp->uri, resp->raw_request_uri);
   	    return BAD_REQUEST;
   	}
       }
  @@ -1831,9 +1884,8 @@
   	 */
   	char *entity_info =
   	    ap_md5(r->pool,
  -		   (unsigned char *) ap_pstrcat(r->pool,
  -		       ap_unparse_uri_components(r->pool,
  -						 resp->request_uri, 0), ":",
  +		   (unsigned char *) ap_pstrcat(r->pool, resp->raw_request_uri,
  +		       ":",
   		       r->content_type ? r->content_type : ap_default_type(r), ":",
   		       hdr(r->headers_out, "Content-Length"), ":",
   		       r->content_encoding ? r->content_encoding : "", ":",
  @@ -1864,7 +1916,8 @@
   				   gen_nonce(r->pool, r->request_time,
   					     resp->opaque, r->server, conf),
   				   "\"", NULL);
  -	    resp->client->nonce_count = 0;
  +	    if (resp->client)
  +		resp->client->nonce_count = 0;
   	}
       }
       else if (conf->nonce_lifetime == 0 && resp->client) {
  
  
  

Mime
View raw message