From traw...@apache.org
Subject svn commit: r1642847 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/core.xml include/ap_mmn.h include/http_core.h server/core.c server/util_script.c
Date Tue, 02 Dec 2014 12:20:21 GMT
Author: trawick
Date: Tue Dec  2 12:20:21 2014
New Revision: 1642847

URL: http://svn.apache.org/r1642847
Log:
core: Add CGIPassAuth directive to control whether HTTP authorization
headers are passed to scripts as CGI variables.

PR: 56855

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/core.xml
    httpd/httpd/trunk/include/ap_mmn.h
    httpd/httpd/trunk/include/http_core.h
    httpd/httpd/trunk/server/core.c
    httpd/httpd/trunk/server/util_script.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1642847&r1=1642846&r2=1642847&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Dec  2 12:20:21 2014
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
      used in multiple Require directives with different arguments.
      PR57204 [Edward Lu <Chaosed0 gmail.com>]
 
+  *) core: Add CGIPassAuth directive to control whether HTTP authorization
+     headers are passed to scripts as CGI variables.  PR 56855.  [Jeff 
+     Trawick]
+
   *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
      context for directories found by mod_userdir and mod_alias.  These no
      loner require RewriteBase to be specified. [Eric Covener]

Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=1642847&r1=1642846&r2=1642847&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/core.xml Tue Dec  2 12:20:21 2014
@@ -565,6 +565,43 @@ scripts</description>
 </directivesynopsis>
 
 <directivesynopsis>
+<name>CGIPassAuth</name>
+<description>Enables passing HTTP authorization headers to scripts as CGI
+variables</description>
+<syntax>CGIPassAuth On|Off</syntax>
+<default>CGIPassAuth Off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in Apache HTTP Server 2.5.0 and later</compatibility>
+
+<usage>
+    <p><directive>CGIPassAuth</directive> allows scripts access to HTTP
+    authorization headers such as <code>Authorization</code>, which is
+    required for scripts that implement HTTP Basic authentication.
+    Normally these HTTP headers are hidden from scripts, as it allows
+    scripts to see user ids and passwords used to access the server when
+    HTTP Basic authentication is enabled in the web server.  This directive
+    should be used when scripts are allowed to implement HTTP Basic
+    authentication.</p>
+
+    <p>This directive can be used instead of the compile-time setting
+    <code>SECURITY_HOLE_PASS_AUTHORIZATION</code> which has been available
+    in previous versions of Apache HTTP Server.</p>
+
+    <p>The setting is respected by any modules which use
+    <code>ap_add_common_vars()</code>, such as <module>mod_cgi</module>,
+    <module>mod_cgid</module>, <module>mod_proxy_fcgi</module>,
+    <module>mod_proxy_scgi</module>, and so on.  Notably, it affects
+    modules which don't handle the request in the usual sense but
+    still use this API; examples of this are <module>mod_include</module>
+    and <module>mod_ext_filter</module>.  Third-party modules that don't
+    use <code>ap_add_common_vars()</code> may choose to respect the setting
+    as well.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
 <name>ContentDigest</name>
 <description>Enables the generation of <code>Content-MD5</code> HTTP Response
 headers</description>

Modified: httpd/httpd/trunk/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1642847&r1=1642846&r2=1642847&view=diff
==============================================================================
--- httpd/httpd/trunk/include/ap_mmn.h (original)
+++ httpd/httpd/trunk/include/ap_mmn.h Tue Dec  2 12:20:21 2014
@@ -473,6 +473,8 @@
  * 20140627.8 (2.5.0-dev)  Add ap_set_listencbratio(), ap_close_listeners_ex(),
  *                         ap_duplicate_listeners(), ap_num_listen_buckets and
  *                         ap_have_so_reuseport to ap_listen.h.
+ * 20140627.9 (2.5.0-dev)  Add cgi_pass_auth and AP_CGI_PASS_AUTH_* to 
+ *                         core_dir_config
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
@@ -480,7 +482,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20140627
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 8                 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 9                 /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a

Modified: httpd/httpd/trunk/include/http_core.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?rev=1642847&r1=1642846&r2=1642847&view=diff
==============================================================================
--- httpd/httpd/trunk/include/http_core.h (original)
+++ httpd/httpd/trunk/include/http_core.h Tue Dec  2 12:20:21 2014
@@ -624,6 +624,15 @@ typedef struct {
     /** Named back references */
     apr_array_header_t *refs;
 
+#define AP_CGI_PASS_AUTH_OFF     (0)
+#define AP_CGI_PASS_AUTH_ON      (1)
+#define AP_CGI_PASS_AUTH_UNSET   (2)
+    /** CGIPassAuth: Whether HTTP authorization headers will be passed to
+     * scripts as CGI variables; affects all modules calling
+     * ap_add_common_vars(), as well as any others using this field as 
+     * advice
+     */
+    unsigned int cgi_pass_auth : 2;
 } core_dir_config;
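Review bot: The three AP_CGI_PASS_AUTH_* `#define`s are placed inside the body of the `core_dir_config` struct between its fields, which is unusual for a public header; moving them above the `typedef struct` (or turning them into an enum) keeps the struct readable and avoids the impression that they are scoped to it. The field comment should also record the fail-closed semantics that ap_add_common_vars() relies on in this commit — UNSET compares unequal to ON and is therefore treated as Off — for example `/** CGIPassAuth: AP_CGI_PASS_AUTH_ON passes Authorization/Proxy-Authorization to scripts via ap_add_common_vars(); OFF or UNSET (the default) hides them. 2 bits are needed to hold UNSET. */`. The struct definition begins before this hunk.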
 
 /* macro to implement off by default behaviour */

Modified: httpd/httpd/trunk/server/core.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?rev=1642847&r1=1642846&r2=1642847&view=diff
==============================================================================
--- httpd/httpd/trunk/server/core.c (original)
+++ httpd/httpd/trunk/server/core.c Tue Dec  2 12:20:21 2014
@@ -196,6 +196,8 @@ static void *create_core_dir_config(apr_
     conf->max_overlaps = AP_MAXRANGES_UNSET;
     conf->max_reversals = AP_MAXRANGES_UNSET;
 
+    conf->cgi_pass_auth = AP_CGI_PASS_AUTH_UNSET;
+
     return (void *)conf;
 }
 
@@ -421,6 +423,8 @@ static void *merge_core_dir_configs(apr_
     conf->max_overlaps = new->max_overlaps != AP_MAXRANGES_UNSET ? new->max_overlaps
: base->max_overlaps;
     conf->max_reversals = new->max_reversals != AP_MAXRANGES_UNSET ? new->max_reversals
: base->max_reversals;
 
+    conf->cgi_pass_auth = new->cgi_pass_auth != AP_CGI_PASS_AUTH_UNSET ? new->cgi_pass_auth
: base->cgi_pass_auth;
+
     return (void*)conf;
 }
 
@@ -1719,6 +1723,15 @@ static const char *set_override(cmd_parm
     return NULL;
 }
 
+static const char *set_cgi_pass_auth(cmd_parms *cmd, void *d_, int flag)
+{
+    core_dir_config *d = d_;
+
+    d->cgi_pass_auth = flag ? AP_CGI_PASS_AUTH_ON : AP_CGI_PASS_AUTH_OFF;
+
+    return NULL;
+}
+
 static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
 {
     core_dir_config *d = d_;
@@ -4324,6 +4337,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_lim
 AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
               "maximum recursion depth of internal redirects and subrequests"),
 
+AP_INIT_FLAG("CGIPassAuth", set_cgi_pass_auth, NULL, OR_AUTHCFG,
+             "Controls which HTTP authorization headers, normally hidden, will "
+             "be passed to scripts"),
 AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower,
        (void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO,
      "a mime type that overrides other configured type"),
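Review bot: The help string `"Controls which HTTP authorization headers, normally hidden, will be passed to scripts"` reads as if the directive selects headers, but it is an On|Off flag that either passes or hides both Authorization and Proxy-Authorization; suggest `"Whether the Authorization and Proxy-Authorization request headers, normally hidden, are passed to scripts as CGI variables"`. Because the directive is registered with OR_AUTHCFG, a .htaccess file in a directory covered by AllowOverride AuthConfig can switch it on, so the decision to expose credentials to scripts is delegated to whoever controls those directories; that consequence is worth stating in the core.xml usage text next to the existing warning about user ids and passwords.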

Modified: httpd/httpd/trunk/server/util_script.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_script.c?rev=1642847&r1=1642846&r2=1642847&view=diff
==============================================================================
--- httpd/httpd/trunk/server/util_script.c (original)
+++ httpd/httpd/trunk/server/util_script.c Tue Dec  2 12:20:21 2014
@@ -140,6 +140,8 @@ AP_DECLARE(void) ap_add_common_vars(requ
     apr_table_t *e;
     server_rec *s = r->server;
     conn_rec *c = r->connection;
+    core_dir_config *conf =
+        (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
     const char *env_temp;
     const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in);
     const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts;
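Review bot: `conf` is declared unconditionally here, but its only use, in the next hunk, sits inside `#ifndef SECURITY_HOLE_PASS_AUTHORIZATION`, so a build that defines that macro gets an unused-variable warning and an unnecessary per-request config lookup. Either wrap the declaration in the same guard, `#ifndef SECURITY_HOLE_PASS_AUTHORIZATION` before the two declaration lines and `#endif` after them, or retire the macro and let the directive be the single control. ap_add_common_vars() starts before this hunk and continues past it.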
@@ -188,7 +190,9 @@ AP_DECLARE(void) ap_add_common_vars(requ
 #ifndef SECURITY_HOLE_PASS_AUTHORIZATION
         else if (!strcasecmp(hdrs[i].key, "Authorization")
                  || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
-            continue;
+            if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON) {
+                add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+            }
         }
 #endif
         else
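Review bot: When SECURITY_HOLE_PASS_AUTHORIZATION is defined, this whole `else if` is compiled out and both headers are passed regardless of `CGIPassAuth Off`, so the directive silently has no effect in such builds; the core.xml text in this commit says the directive "can be used instead of" the compile-time setting but does not say that the compile-time setting overrides it. Either document that, or restructure so the runtime check is always evaluated and the macro only changes what an unset value means. The comparison against AP_CGI_PASS_AUTH_ON means UNSET is treated as Off, which is the safe default for a setting that exposes credentials; a comment such as `/* only an explicit CGIPassAuth On exposes these headers; UNSET stays hidden */` above the `if` would make that intentional. Note also that Authorization and Proxy-Authorization are granted together by the single flag, which matches the documentation but is worth a sentence there.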


