Subject: svn commit: r1364266 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/mod/mod_authz_core.xml modules/aaa/mod_authz_core.c
Date: Sun, 22 Jul 2012 11:44:23 -0000
To: cvs@httpd.apache.org
From: rjung@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20120722114424.2CFD723888FE@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: rjung
Date: Sun Jul 22 11:44:23 2012
New Revision: 1364266

URL: http://svn.apache.org/viewvc?rev=1364266&view=rev
Log:
If an expression in "Require expr" returns denied and references
%{REMOTE_USER}, trigger authentication and retry.
Log error if 'Require expr' fails.
PR: 52892
Backport of r1351071, r1351072 and r1351074 from trunk.
Submitted by: sf
Reviewed by: rjung, trawick
Backported by: rjung

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/STATUS
    httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml
    httpd/httpd/branches/2.4.x/modules/aaa/mod_authz_core.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
  Merged /httpd/httpd/trunk:r1351071-1351072,1351074

Modified: httpd/httpd/branches/2.4.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1364266&r1=1364265&r2=1364266&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sun Jul 22 11:44:23 2012 
@@ -8,6 +8,10 @@ Changes with Apache 2.4.3 possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. [Niels Heinen ] + *) mod_authz_core: If an expression in "Require expr" returns denied and + references %{REMOTE_USER}, trigger authentication and retry. PR 52892. + [Stefan Fritsch] + *) core: Always log if LimitRequestFieldSize triggers. [Stefan Fritsch] *) mod_deflate: Skip compression if compression is enabled at SSL level. Modified: httpd/httpd/branches/2.4.x/STATUS URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1364266&r1=1364265&r2=1364266&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/STATUS (original) +++ httpd/httpd/branches/2.4.x/STATUS Sun Jul 22 11:44:23 2012 @@ -88,15 +88,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_authz_core: Allow to use %{REMOTE_USER} in Require expr. Improve - logging. - PR: 52892 - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1351071 - http://svn.apache.org/viewvc?view=revision&revision=1351072 - http://svn.apache.org/viewvc?view=revision&revision=1351074 - 2.4.x patch: trunk patch works (ex. CHANGES) - +1: sf, rjung, trawick - * mpm_event: Fix MaxConnectionsPerChild trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1343085 http://svn.apache.org/viewvc?view=revision&revision=1343087 Modified: httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml?rev=1364266&r1=1364265&r2=1364266&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml (original) +++ httpd/httpd/branches/2.4.x/docs/manual/mod/mod_authz_core.xml Sun Jul 22 11:44:23 2012 
@@ -224,6 +224,11 @@ SetEnvIf User-Agent ^KnockKnock/2\.0 let

The syntax is described in the ap_expr documentation.

+

Normally, the expression is evaluated before authentication. However, if + the expression returns false and references the variable + %{REMOTE_USER}, authentication will be performed and + the expression will be re-evaluated.

+ Modified: httpd/httpd/branches/2.4.x/modules/aaa/mod_authz_core.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/aaa/mod_authz_core.c?rev=1364266&r1=1364265&r2=1364266&view=diff ============================================================================== --- httpd/httpd/branches/2.4.x/modules/aaa/mod_authz_core.c (original) +++ httpd/httpd/branches/2.4.x/modules/aaa/mod_authz_core.c Sun Jul 22 11:44:23 2012 
@@ -1031,36 +1031,74 @@ static const authz_provider authz_method &method_parse_config, }; -static authz_status expr_check_authorization(request_rec *r, - const char *require_line, - const void *parsed_require_line) -{ - const char *err = NULL; - const ap_expr_info_t *expr = parsed_require_line; - int rc = ap_expr_exec(r, expr, &err); +/* + * expr authz provider + */ + +#define REQUIRE_EXPR_NOTE "Require_expr_info" +struct require_expr_info { + ap_expr_info_t *expr; + int want_user; +}; - if (rc <= 0) - /* XXX: real error handling? */ - return AUTHZ_DENIED; - else - return AUTHZ_GRANTED; +static int expr_lookup_fn(ap_expr_lookup_parms *parms) +{ + if (parms->type == AP_EXPR_FUNC_VAR + && strcasecmp(parms->name, "REMOTE_USER") == 0) { + struct require_expr_info *info; + apr_pool_userdata_get((void**)&info, REQUIRE_EXPR_NOTE, parms->ptemp); + AP_DEBUG_ASSERT(info != NULL); + info->want_user = 1; + } + return ap_expr_lookup_default(parms); } static const char *expr_parse_config(cmd_parms *cmd, const char *require_line, const void **parsed_require_line) { const char *expr_err = NULL; - ap_expr_info_t *expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err, - NULL); + struct require_expr_info *info = apr_pcalloc(cmd->pool, sizeof(*info)); + + apr_pool_userdata_setn(info, REQUIRE_EXPR_NOTE, apr_pool_cleanup_null, + cmd->temp_pool); + info->expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err, + expr_lookup_fn); if (expr_err) - return "Cannot parse expression in require line"; + return apr_pstrcat(cmd->temp_pool, + "Cannot parse expression in require line: ", + expr_err, NULL); - *parsed_require_line = expr; + *parsed_require_line = info; return NULL; } +static authz_status expr_check_authorization(request_rec *r, + const char *require_line, + const void *parsed_require_line) +{ + const char *err = NULL; + const struct require_expr_info *info = parsed_require_line; + int rc = ap_expr_exec(r, info->expr, &err); + + if (rc < 0) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 
0, r, APLOGNO(02320) + "Error evaluating expression in 'Require expr': %s", + err); + return AUTHZ_GENERAL_ERROR; + } + else if (rc == 0) { + if (info->want_user) + return AUTHZ_DENIED_NO_USER; + else + return AUTHZ_DENIED; + } + else { + return AUTHZ_GRANTED; + } +} + static const authz_provider authz_expr_provider = { &expr_check_authorization,
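Review bot: the CHANGES hunk under "Changes with Apache 2.4.3" documents only the authentication retry, while the mod_authz_core.c hunk in the same commit also changes what happens when the expression cannot be evaluated: an evaluation error is now logged under APLOGNO(02320) and returns AUTHZ_GENERAL_ERROR instead of the former silent AUTHZ_DENIED, and a parse failure now includes expr_err in the configuration error message. Suggest extending the entry, for example appending "Log expression errors instead of silently denying access.", so administrators reading the release notes know a broken expression is no longer reported to the client as a plain denial.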
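Review bot: the new paragraph in the mod_authz_core.xml hunk says authentication is retried when the expression "returns false and references the variable %{REMOTE_USER}", but the C hunk detects that reference in expr_lookup_fn at parse time, so any occurrence of %{REMOTE_USER} anywhere in the expression sets want_user, including in a branch that short-circuit evaluation never reached on this request. The documentation should say so, e.g. "if the expression evaluates to false and contains a reference to %{REMOTE_USER}", and should also mention that an expression which fails to evaluate is now logged and treated as an error rather than as a denial, since that is visible behaviour for the administrator.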
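Review bot: in the mod_authz_core.c hunk, expr_lookup_fn guards the apr_pool_userdata_get result only with AP_DEBUG_ASSERT(info != NULL), which compiles away in non-debug builds, after which "info->want_user = 1;" is a write through a NULL pointer. The lookup also depends on parms->ptemp being the same cmd->temp_pool on which expr_parse_config registered REQUIRE_EXPR_NOTE via apr_pool_userdata_setn; that coupling is implicit and would fail silently if ap_expr_parse_cmd were ever called with a different temporary pool. Suggest an explicit "if (info == NULL)" check that returns an error from the lookup (or sets expr_err so expr_parse_config reports "Cannot parse expression in require line: ..."), so a mismatch becomes a configuration-time error rather than a crash during config parsing.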