httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j..@apache.org
Subject svn commit: r239641 - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/experimental/mod_auth_ldap.c
Date Wed, 24 Aug 2005 12:42:07 GMT
Author: jim
Date: Wed Aug 24 05:42:03 2005
New Revision: 239641

URL: http://svn.apache.org/viewcvs?rev=239641&view=rev
Log:
Fold in approved, 2.1/2.2-like behavior which prevents core
dump when doing LDAP auth even if the check_user_id didn't
succeed.

Modified:
    httpd/httpd/branches/2.0.x/CHANGES
    httpd/httpd/branches/2.0.x/STATUS
    httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c

Modified: httpd/httpd/branches/2.0.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/CHANGES?rev=239641&r1=239640&r2=239641&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Wed Aug 24 05:42:03 2005
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.0.55
 
+  *) Fix core dump if mod_auth_ldap's mod_auth_ldap_auth_checker()
+     was called even if mod_auth_ldap_check_user_id() was not
+     (or if it didn't succeed) for non-authoritative cases.
+     [Jim Jagielski]
+
   *) Fix cases where the byterange filter would buffer responses
      into memory.  PR 29962.  [Joe Orton]
 

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=239641&r1=239640&r2=239641&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Wed Aug 24 05:42:03 2005
@@ -201,13 +201,6 @@
         2.0 version: http://people.apache.org/~trawick/179704-20.txt
         +1: trawick, jorton, wrowe
 
-    *) Prevent bad dereferencing of non-existent req struct in
-       mod_auth_ldap's mod_auth_ldap_auth_checker() if
-       mod_auth_ldap_check_user_id() was never (fully) called.
-       Similar behavior to that in 2.1/2.2.
-         http://people.apache.org/~jim/mod_auth_ldap-2.0.patch
-       +1: jim, minfrin, bnicholes
-
      *) Add httxt2dbm for creating RewriteMap DBM Files.
         http://svn.apache.org/viewcvs.cgi?rev=209539&view=rev
         +1: pquerna, jorton, trawick

Modified: httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c?rev=239641&r1=239640&r2=239641&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c (original)
+++ httpd/httpd/branches/2.0.x/modules/experimental/mod_auth_ldap.c Wed Aug 24 05:42:03 2005
@@ -460,6 +460,26 @@
         return DECLINED;
     }
 
+    /*
+     * It is possible that we've skipped mod_auth_ldap's
+     * check_user_id hook, but still get here. In that
+     * case, the req request_config struct hasn't been initialized
+     * causing problems when we try to use req->dn and/or req->name
+     * below. So we simply create one.
+     *
+     * Unlike 2.2, we don't try to search or populate it.
+     */
+    if (!req) {
+        ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r, 
+                      "[%d] auth_ldap authorise: "
+                      "no req struct - skipped mod_auth_ldap_check_user_id?",
+                      getpid());
+
+        req = (mod_auth_ldap_request_t *)apr_pcalloc(r->pool,
+                                                     sizeof(mod_auth_ldap_request_t));
+        ap_set_module_config(r->request_config, &auth_ldap_module, req);
+    }
+
     if (sec->host) {
         ldc = util_ldap_connection_find(r, sec->host, sec->port,
                                        sec->binddn, sec->bindpw, sec->deref,
@@ -657,6 +677,13 @@
             }
         }
         else if (strcmp(w, "ldap-attribute") == 0) {
+            if (req->dn == NULL || strlen(req->dn) == 0) {
+	        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+                              "[%d] auth_ldap authorise: "
+                              "require ldap-attribute: user's DN has not been defined; failing
authorisation", 
+                              getpid());
+                return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+            }
             while (t[0]) {
                 w = ap_getword(r->pool, &t, '=');
                 value = ap_getword_conf(r->pool, &t);



Mime
View raw message