httpd-cvs mailing list archives

From stri...@apache.org
Subject cvs commit: httpd-2.0/modules/ssl ssl_engine_kernel.c
Date Fri, 08 Aug 2003 09:37:54 GMT
striker     2003/08/08 02:37:54

  Modified:    .        Tag: APACHE_2_0_BRANCH CHANGES STATUS
               modules/ssl Tag: APACHE_2_0_BRANCH ssl_engine_kernel.c
  Log:
  Backports:
  
   * mod_ssl: Fix FakeBasicAuth for subrequests, by declining check_user_id.
     Otherwise it would run into the check that was to protect from externally
     fabricated Authorization headers, which would choke on the one added
     by mod_ssl itself.
  
   * mod_ssl: Add error msg for the case when FakeBasicAuth is tried to be
     tricked.  IOW, when someone tries to spoof his identity.
  
  Reviewed by: Jeff Trawick, Greg Stein
  
  Revision  Changes    Path
  No                   revision
  No                   revision
  1.988.2.145 +4 -0      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.988.2.144
  retrieving revision 1.988.2.145
  diff -u -r1.988.2.144 -r1.988.2.145
  --- CHANGES	31 Jul 2003 22:58:57 -0000	1.988.2.144
  +++ CHANGES	8 Aug 2003 09:37:53 -0000	1.988.2.145
  @@ -1,5 +1,9 @@
   Changes with Apache 2.0.48
   
  +  *) mod_ssl: Fix FakeBasicAuth for subrequest.  Log an error when an
  +     identity spoof is encountered.
  +     [Sander Striker]
  +
     *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
        containing the .htaccess file is requested without a trailing slash.
        PR 20195.  [André Malo]
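Review bot: the CHANGES entry says "subrequest" (singular) while the commit log and the STATUS entry it replaces say "subrequests"; use the plural for consistency, and consider naming the user-visible symptom (FakeBasicAuth-protected subrequests were rejected with HTTP_FORBIDDEN by the spoof check) so admins upgrading to 2.0.48 can match it to this fix.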
  
  
  
  1.751.2.419 +1 -13     httpd-2.0/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/STATUS,v
  retrieving revision 1.751.2.418
  retrieving revision 1.751.2.419
  diff -u -r1.751.2.418 -r1.751.2.419
  --- STATUS	8 Aug 2003 07:38:39 -0000	1.751.2.418
  +++ STATUS	8 Aug 2003 09:37:53 -0000	1.751.2.419
  @@ -293,18 +293,6 @@
         +1: nd, trawick
         (gstein likes the concept, but needs to review...)
   
  -    * mod_ssl: Fix FakeBasicAuth for subrequests, by declining check_user_id.
  -      Otherwise it would run into the check that was to protect from externally
  -      fabricated Authorization headers, which would choke on the one added
  -      by mod_ssl itself.
  -        modules/ssl/ssl_engine_kernel.c: r1.97
  -      +1: striker, trawick, gstein
  -    
  -    * mod_ssl: Add error msg for the case when FakeBasicAuth is tried to be
  -      tricked.  IOW, when someone tries to spoof his identity.
  -        modules/ssl/ssl_engine_kernel.c: r1.98
  -      +1: striker, gstein, trawick
  -
       * fix extern "C" declaration of util_ebcdic.h. PR: 22203
           include/util_ebcdic.h: r1.15
         +1: nd, trawick
  
  
  
  No                   revision
  No                   revision
  1.82.2.8  +10 -0     httpd-2.0/modules/ssl/ssl_engine_kernel.c
  
  Index: ssl_engine_kernel.c
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
  retrieving revision 1.82.2.7
  retrieving revision 1.82.2.8
  diff -u -r1.82.2.7 -r1.82.2.8
  --- ssl_engine_kernel.c	9 Jul 2003 11:07:37 -0000	1.82.2.7
  +++ ssl_engine_kernel.c	8 Aug 2003 09:37:54 -0000	1.82.2.8
  @@ -840,6 +840,14 @@
       }
   
       /*
  +     * We decline when we are in a subrequest.  The Authorization header
  +     * would already be present if it was added in the main request.
  +     */
  +    if (!ap_is_initial_req(r)) {
  +        return DECLINED;
  +    }
  +
  +    /*
        * Make sure the user is not able to fake the client certificate
        * based authentication by just entering an X.509 Subject DN
        * ("/XX=YYY/XX=YYY/..") as the username and "password" as the
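Review bot: the new comment describes the early return as a subrequest check, but ap_is_initial_req() is also false for internal redirects (r->prev set), so check_user_id is declined on those as well; either state that in the comment or test r->main directly if only subrequests are meant. Since the DECLINED comes before the spoof check that follows, non-initial requests never re-validate the Authorization header, which is only safe because headers_in is inherited from the main request, as the comment assumes; worth saying explicitly.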
  @@ -856,6 +864,8 @@
               password = auth_line;
   
               if ((username[0] == '/') && strEQ(password, "password")) {
  +                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
  +                    "Encountered FakeBasicAuth spoof: %s", username);
                   return HTTP_FORBIDDEN;
               }
           }
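Review bot: `username` here is the client-supplied value decoded from the Authorization header, so the `%s` writes untrusted, unbounded data into the error log; consider passing it through ap_escape_logitem() (or truncating it) before logging so control characters cannot corrupt log lines. Also, this path is reachable by any unauthenticated client that sends a crafted header, so APLOG_ERR may be noisier than warranted; APLOG_WARNING would still give operators the detection signal without flooding the error log.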
  
  
  
