httpd-cvs mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: svn commit: r1642847 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/core.xml include/ap_mmn.h include/http_core.h server/core.c server/util_script.c
Date Sat, 06 Dec 2014 12:54:40 GMT
On Tue, Dec 2, 2014 at 7:20 AM, <trawick@apache.org> wrote:

> Author: trawick
> Date: Tue Dec  2 12:20:21 2014
> New Revision: 1642847
>
> URL: http://svn.apache.org/r1642847
> Log:
> core: Add CGIPassAuth directive to control whether HTTP authorization
> headers are passed to scripts as CGI variables.
>
> PR: 56855
>

Before I propose this as a backport, are there any suggestions for:

a) a better name
b) other places in the manual which should describe it or refer to it
c) anything else?


>
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/docs/manual/mod/core.xml
>     httpd/httpd/trunk/include/ap_mmn.h
>     httpd/httpd/trunk/include/http_core.h
>     httpd/httpd/trunk/server/core.c
>     httpd/httpd/trunk/server/util_script.c
>
> Modified: httpd/httpd/trunk/CHANGES
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1642847&r1=1642846&r2=1642847&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Tue Dec  2 12:20:21 2014
> @@ -6,6 +6,10 @@ Changes with Apache 2.5.0
>       used in multiple Require directives with different arguments.
>       PR57204 [Edward Lu <Chaosed0 gmail.com>]
>
> +  *) core: Add CGIPassAuth directive to control whether HTTP authorization
> +     headers are passed to scripts as CGI variables.  PR 56855.  [Jeff
> +     Trawick]
> +
>    *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
>       context for directories found by mod_userdir and mod_alias.  These no
>       loner require RewriteBase to be specified. [Eric Covener]
>
> Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=1642847&r1=1642846&r2=1642847&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/core.xml Tue Dec  2 12:20:21 2014
> @@ -565,6 +565,43 @@ scripts</description>
>  </directivesynopsis>
>
>  <directivesynopsis>
> +<name>CGIPassAuth</name>
> +<description>Enables passing HTTP authorization headers to scripts as CGI
> +variables</description>
> +<syntax>CGIPassAuth On|Off</syntax>
> +<default>CGIPassAuth Off</default>
> +<contextlist><context>directory</context><context>.htaccess</context>
> +</contextlist>
> +<override>AuthConfig</override>
> +<compatibility>Available in Apache HTTP Server 2.5.0 and
> later</compatibility>
> +
> +<usage>
> +    <p><directive>CGIPassAuth</directive> allows scripts access to
HTTP
> +    authorization headers such as <code>Authorization</code>, which is
> +    required for scripts that implement HTTP Basic authentication.
> +    Normally these HTTP headers are hidden from scripts, as it allows
> +    scripts to see user ids and passwords used to access the server when
> +    HTTP Basic authentication is enabled in the web server.  This
> directive
> +    should be used when scripts are allowed to implement HTTP Basic
> +    authentication.</p>
> +
> +    <p>This directive can be used instead of the compile-time setting
> +    <code>SECURITY_HOLE_PASS_AUTHORIZATION</code> which has been available
> +    in previous versions of Apache HTTP Server.</p>
> +
> +    <p>The setting is respected by any modules which use
> +    <code>ap_add_common_vars()</code>, such as <module>mod_cgi</module>,
> +    <module>mod_cgid</module>, <module>mod_proxy_fcgi</module>,
> +    <module>mod_proxy_scgi</module>, and so on.  Notably, it affects
> +    modules which don't handle the request in the usual sense but
> +    still use this API; examples of this are <module>mod_include</module>
> +    and <module>mod_ext_filter</module>.  Third-party modules that don't
> +    use <code>ap_add_common_vars()</code> may choose to respect the
> setting
> +    as well.</p>
> +</usage>
> +</directivesynopsis>
> +
> +<directivesynopsis>
>  <name>ContentDigest</name>
>  <description>Enables the generation of <code>Content-MD5</code> HTTP
> Response
>  headers</description>
>
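Review bot: The usage text names only the Authorization header, while the util_script.c change covers both Authorization and Proxy-Authorization; listing both here would keep the manual accurate. Because the directive is allowed in .htaccess under the AuthConfig override, a sentence noting that anyone who can write .htaccess in a directory can thereby expose to scripts the credentials of users authenticated to that directory would help administrators decide whether to grant that override. On question (b): the mod_cgi, mod_cgid, mod_proxy_fcgi and mod_proxy_scgi pages named in this paragraph, and wherever SECURITY_HOLE_PASS_AUTHORIZATION is documented, could link to this directive; the <compatibility> line will also need adjusting if the backport to 2.4 goes ahead.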
> Modified: httpd/httpd/trunk/include/ap_mmn.h
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/include/ap_mmn.h?rev=1642847&r1=1642846&r2=1642847&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/include/ap_mmn.h (original)
> +++ httpd/httpd/trunk/include/ap_mmn.h Tue Dec  2 12:20:21 2014
> @@ -473,6 +473,8 @@
>   * 20140627.8 (2.5.0-dev)  Add ap_set_listencbratio(),
> ap_close_listeners_ex(),
>   *                         ap_duplicate_listeners(),
> ap_num_listen_buckets and
>   *                         ap_have_so_reuseport to ap_listen.h.
> + * 20140627.9 (2.5.0-dev)  Add cgi_pass_auth and AP_CGI_PASS_AUTH_* to
> + *                         core_dir_config
>   */
>
>  #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
> @@ -480,7 +482,7 @@
>  #ifndef MODULE_MAGIC_NUMBER_MAJOR
>  #define MODULE_MAGIC_NUMBER_MAJOR 20140627
>  #endif
> -#define MODULE_MAGIC_NUMBER_MINOR 8                 /* 0...n */
> +#define MODULE_MAGIC_NUMBER_MINOR 9                 /* 0...n */
>
>  /**
>   * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
>
> Modified: httpd/httpd/trunk/include/http_core.h
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?rev=1642847&r1=1642846&r2=1642847&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/include/http_core.h (original)
> +++ httpd/httpd/trunk/include/http_core.h Tue Dec  2 12:20:21 2014
> @@ -624,6 +624,15 @@ typedef struct {
>      /** Named back references */
>      apr_array_header_t *refs;
>
> +#define AP_CGI_PASS_AUTH_OFF     (0)
> +#define AP_CGI_PASS_AUTH_ON      (1)
> +#define AP_CGI_PASS_AUTH_UNSET   (2)
> +    /** CGIPassAuth: Whether HTTP authorization headers will be passed to
> +     * scripts as CGI variables; affects all modules calling
> +     * ap_add_common_vars(), as well as any others using this field as
> +     * advice
> +     */
> +    unsigned int cgi_pass_auth : 2;
>  } core_dir_config;
>
>  /* macro to implement off by default behaviour */
>
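Review bot: Style point: the three AP_CGI_PASS_AUTH_* #defines are placed inside the body of the typedef struct; being preprocessor-level they would read better above the typedef, leaving the struct to carry only the field and its comment. The 2-bit bitfield is enough for the three values 0, 1 and 2, so no issue there.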
> Modified: httpd/httpd/trunk/server/core.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?rev=1642847&r1=1642846&r2=1642847&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/server/core.c (original)
> +++ httpd/httpd/trunk/server/core.c Tue Dec  2 12:20:21 2014
> @@ -196,6 +196,8 @@ static void *create_core_dir_config(apr_
>      conf->max_overlaps = AP_MAXRANGES_UNSET;
>      conf->max_reversals = AP_MAXRANGES_UNSET;
>
> +    conf->cgi_pass_auth = AP_CGI_PASS_AUTH_UNSET;
> +
>      return (void *)conf;
>  }
>
> @@ -421,6 +423,8 @@ static void *merge_core_dir_configs(apr_
>      conf->max_overlaps = new->max_overlaps != AP_MAXRANGES_UNSET ?
> new->max_overlaps : base->max_overlaps;
>      conf->max_reversals = new->max_reversals != AP_MAXRANGES_UNSET ?
> new->max_reversals : base->max_reversals;
>
> +    conf->cgi_pass_auth = new->cgi_pass_auth != AP_CGI_PASS_AUTH_UNSET ?
> new->cgi_pass_auth : base->cgi_pass_auth;
> +
>      return (void*)conf;
>  }
>
> @@ -1719,6 +1723,15 @@ static const char *set_override(cmd_parm
>      return NULL;
>  }
>
> +static const char *set_cgi_pass_auth(cmd_parms *cmd, void *d_, int flag)
> +{
> +    core_dir_config *d = d_;
> +
> +    d->cgi_pass_auth = flag ? AP_CGI_PASS_AUTH_ON : AP_CGI_PASS_AUTH_OFF;
> +
> +    return NULL;
> +}
> +
>  static const char *set_override_list(cmd_parms *cmd, void *d_, int argc,
> char *const argv[])
>  {
>      core_dir_config *d = d_;
> @@ -4324,6 +4337,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_lim
>  AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL,
> RSRC_CONF,
>                "maximum recursion depth of internal redirects and
> subrequests"),
>
> +AP_INIT_FLAG("CGIPassAuth", set_cgi_pass_auth, NULL, OR_AUTHCFG,
> +             "Controls which HTTP authorization headers, normally hidden,
> will "
> +             "be passed to scripts"),
>  AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower,
>         (void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO,
>       "a mime type that overrides other configured type"),
>
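Review bot: The help string on the new AP_INIT_FLAG entry, "Controls which HTTP authorization headers, normally hidden, will be passed to scripts", reads as if a list of headers is selected, but the directive is a plain On|Off flag; suggest "Whether HTTP authorization headers, normally hidden, are passed to scripts as CGI variables" so it matches the <description> in core.xml.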
> Modified: httpd/httpd/trunk/server/util_script.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_script.c?rev=1642847&r1=1642846&r2=1642847&view=diff
>
> ==============================================================================
> --- httpd/httpd/trunk/server/util_script.c (original)
> +++ httpd/httpd/trunk/server/util_script.c Tue Dec  2 12:20:21 2014
> @@ -140,6 +140,8 @@ AP_DECLARE(void) ap_add_common_vars(requ
>      apr_table_t *e;
>      server_rec *s = r->server;
>      conn_rec *c = r->connection;
> +    core_dir_config *conf =
> +        (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
>      const char *env_temp;
>      const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in);
>      const apr_table_entry_t *hdrs = (const apr_table_entry_t *)
> hdrs_arr->elts;
> @@ -188,7 +190,9 @@ AP_DECLARE(void) ap_add_common_vars(requ
>  #ifndef SECURITY_HOLE_PASS_AUTHORIZATION
>          else if (!strcasecmp(hdrs[i].key, "Authorization")
>                   || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
> -            continue;
> +            if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON) {
> +                add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
> +            }
>          }
>  #endif
>          else
>
>
>
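Review bot: Two points on the replaced `continue`. First, when cgi_pass_auth is Off or Unset the branch now falls through with no action, which is only equivalent to the old `continue` if nothing follows the if/else chain in the loop body; worth a check of the rest of the loop, or keep an explicit `else { continue; }` so the intent stays visible. Second, the new check sits inside `#ifndef SECURITY_HOLE_PASS_AUTHORIZATION`, so a build with that macro defined passes the headers regardless of `CGIPassAuth Off`; since core.xml presents the directive as the replacement for the compile-time switch, consider dropping the #ifndef (or having the macro only change the default) so the runtime setting is authoritative, and say so in the manual either way.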


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
