httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <hart...@hyperreal.com>
Subject Re: bug in mod_auth_msql.c (fwd)
Date Mon, 02 Oct 1995 16:30:47 GMT
Forwarded message:
> From khera@kci.kciLink.com  Mon Oct  2 08:25:18 1995
> Message-Id: <199510021525.LAA01696@kci.kciLink.com>
> To: Apache Bugs <apache-bugs@mail.apache.org>
> CC: Nathan J Kurz <nate@tripod.tripod.com>
> Subject: Re: bug in mod_auth_msql.c 
> In-reply-to: Your message of "Sun, 01 Oct 1995 06:34:43 EDT."
>              <199510011034.GAA01851@tripod.tripod.com> 
> Date: Mon, 02 Oct 1995 11:25:11 -0400
> From: Vivek Khera <khera@kci.kciLink.com>
> 
> Here's an updated version of my mod_auth_msql.c file for the Apache contrib
> archive.  It fixes a bug (segmentation violation) where the password field
> is allowed to be NULL, even though the documentation warns against it.
> Please also update the note in the "how to install extensions" to list the
> last modified date for this to be 2-OCT-95.
> 
> Thanks.
> 
> 
> 								v.
> 

#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.1).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.
#
# Made on 1995-10-02 11:21 EDT by <khera@kci.kciLink.com>.
# Source directory was `/usr/local/src/kciLink/apache_0.8.14/src'.
#
# Existing files will *not* be overwritten unless `-c' is specified.
#
# This shar contains:
# length mode       name
# ------ ---------- ------------------------------------------
#   7755 -r--r--r-- mod_auth_msql.c
#
touch -am 1231235999 $$.touch >/dev/null 2>&1
if test ! -f 1231235999 && test -f $$.touch; then
  shar_touch=touch
else
  shar_touch=:
  echo
  echo 'WARNING: not restoring timestamps.  Consider getting and'
  echo "installing GNU \`touch', distributed in GNU File Utilities..."
  echo
fi
rm -f 1231235999 $$.touch
#
# ============= mod_auth_msql.c ==============
if test -f 'mod_auth_msql.c' && test X"$1" != X"-c"; then
  echo 'x - skipping mod_auth_msql.c (file already exists)'
else
  echo 'x - extracting mod_auth_msql.c (text)'
  sed 's/^X//' << 'SHAR_EOF' > 'mod_auth_msql.c' &&
X
/*-
X * Copyright (c) 1995 The Apache Group. All rights reserved.
X * 
X *
X * Apache httpd license
X * ====================
X * 
X *
X * This is the license for the Apache Server. It covers all the
X * files which come in this distribution, and should never be removed.
X * 
X * The "Apache Group" has based this server, called "Apache", on
X * public domain code distributed under the name "NCSA httpd 1.3".
X * 
X * NCSA httpd 1.3 was placed in the public domain by the National Center 
X * for Supercomputing Applications at the University of Illinois 
X * at Urbana-Champaign.
X * 
X * As requested by NCSA we acknowledge,
X * 
X *  "Portions developed at the National Center for Supercomputing
X *   Applications at the University of Illinois at Urbana-Champaign."
X *
X * Copyright on the sections of code added by the "Apache Group" belong
X * to the "Apache Group" and/or the original authors. The "Apache Group" and
X * authors hereby grant permission for their code, along with the
X * public domain NCSA code, to be distributed under the "Apache" name.
X * 
X * Reuse of "Apache Group" code outside of the Apache distribution should
X * be acknowledged with the following quoted text, to be included with any new
X * work;
X * 
X * "Portions developed by the "Apache Group", taken with permission 
X *  from the Apache Server   http://www.apache.org/apache/   "
X *
X *
X * Permission is hereby granted to anyone to redistribute Apache under
X * the "Apache" name. We do not grant permission for the resale of Apache, but
X * we do grant permission for vendors to bundle Apache free with other software,
X * or to charge a reasonable price for redistribution, provided it is made
X * clear that Apache is free. Permission is also granted for vendors to 
X * sell support for for Apache. We explicitly forbid the redistribution of 
X * Apache under any other name.
X * 
X * THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS ``AS IS'' AND
X * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X * ARE DISCLAIMED.  IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE
X * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X * SUCH DAMAGE.
X * 
X */
X
X
X
/*
X * http_auth_msql: authentication
X * 
X * Rob McCool & Brian Behlendorf.
X * 
X * Adapted to Shambhala by rst.
X */
X
/*
X * converted to use mSQL by Vivek Khera <khera@kciLink.com>
X * only has user/passwords in mSQL database.  A suitable table would be:
X *
X * CREATE TABLE user_info (
X *   user char(30) primary key,
X *   password char(20) not null,
X *     [ any other fields if needed ]
X * )
X *
X * User must be a unique, non-empty field.  Length is however long you
X * want it to be.  Password length of 20 follows new-style crypt() usage.
X * The older crypt uses shorter encrypted passwords.  Any other fields in
X * the named table will be ignored.
X *
X * Usage in per-directory access conf file:
X *
X *  AuthName mSQL Testing
X *  AuthType Basic
X *  AuthGroupFile /dev/null
X *  AuthMSQLHost localhost
X *  AuthMSQLDB www_data
X *  AuthMSQLUserTable user_info
X * 
X *  <Limit GET POST>
X *  require valid-user
X *  </Limit>
X *
X * the Host of "localhost" means use the mSQL socket instead of a TCP
X * connection to the database.  The DB is the database name on the server,
X * and UserTable is the actual table name within that database.
X *
X * Groups are not implemented in mSQL.  Use the original flat file or
X * the Apache DBM version.
X */
X
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include <msql.h>
X
/*
X * msqlhost is host name. localhost means use Unix Domain socket for mSQL.
X * msqlDB is the database name on that host.
X * msqlpwtable is the table name for passwords.  uses fields "user","password".
X * The "user" field must be "not null" and unique.  "password" is encrypted.
X * the user field must not have a ' (single quote) character in it.
X */
typedef struct  {
X    char *auth_msqlhost;
X    char *auth_msqlDB;
X    char *auth_msqlpwtable;
} msql_auth_config_rec;
X
void *create_msql_auth_dir_config (pool *p, char *d)
{
X    return pcalloc (p, sizeof(msql_auth_config_rec));
}
X
command_rec msql_auth_cmds[] = {
{ "AuthMSQLHost", set_string_slot,
X    (void*)XtOffsetOf(msql_auth_config_rec, auth_msqlhost),
X    OR_AUTHCFG, TAKE1, "mSQL server hostname" },
{ "AuthMSQLDB", set_string_slot,
X    (void*)XtOffsetOf(msql_auth_config_rec, auth_msqlDB),
X    OR_AUTHCFG, TAKE1, "mSQL database name" },
{ "AuthMSQLUserTable", set_string_slot,
X    (void*)XtOffsetOf(msql_auth_config_rec, auth_msqlpwtable),
X    OR_AUTHCFG, TAKE1, "mSQL table name" },
{ NULL }
};
X
module msql_auth_module;
X
/*
X * get password from database
X */
char *get_msql_pw(request_rec *r, char *user, msql_auth_config_rec *m) {
X    int msqlSock;
X    m_result *result;
X    m_row data;
X    char *pw = NULL;
X    char *host;
X    char query[MAX_STRING_LEN];
X
X    if (!m->auth_msqlhost || strcmp(m->auth_msqlhost,"localhost") == 0) {
X      host = NULL;
X    } else {
X      host = m->auth_msqlhost;
X    }
X    
X    if((msqlSock=msqlConnect(host)) < 0) {
X        log_reason (msqlErrMsg, r->uri, r);
X	return NULL;
X    }
X
X    if (msqlSelectDB(msqlSock,m->auth_msqlDB) < 0) {
X        log_reason (msqlErrMsg, r->uri, r);
X	return NULL;
X    }
X
X    sprintf(query,"SELECT password FROM %s WHERE user = '%s'",
X	    m->auth_msqlpwtable, user);
X    if (msqlQuery(msqlSock, query) < 0) {
X        log_reason (msqlErrMsg, r->uri, r);
X	return NULL;
X    }
X
X    result = msqlStoreResult();
X    if (msqlNumRows(result) == 1) {
X        data = msqlFetchRow(result);
X	if (data[0]) {
X	  pw = palloc (r->pool, strlen(data[0]) + 1);
X	  strcpy(pw,data[0]);
X	} else {		/* no password in mSQL table -- returns NULL */
X	  log_reason ("mSQL user has no valid password", r->uri, r);
X	  return NULL;
X	}
X    }
X
X    msqlFreeResult(result);
X    msqlClose(msqlSock);
X
X    return pw; 
}
X
int msql_authenticate_basic_user (request_rec *r)
{
X    msql_auth_config_rec *sec =
X      (msql_auth_config_rec *)get_module_config (r->per_dir_config,
X						&msql_auth_module);
X    conn_rec *c = r->connection;
X    char *sent_pw, *real_pw;
X    char errstr[MAX_STRING_LEN];
X    int res;
X    
X    if ((res = get_basic_auth_pw (r, &sent_pw)))
X        return res;
X    
X    if(!sec->auth_msqlpwtable)
X        return DECLINED;
X	
X    if(!(real_pw = get_msql_pw(r, c->user, sec))) {
X        sprintf(errstr,"mSQL user %s not found", c->user);
X	log_reason (errstr, r->uri, r);
X	note_basic_auth_failure (r);
X	return AUTH_REQUIRED;
X    }    
X    /* anyone know where the prototype for crypt is? */
X    if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
X        sprintf(errstr,"user %s: password mismatch",c->user);
X	log_reason (errstr, r->uri, r);
X	note_basic_auth_failure (r);
X	return AUTH_REQUIRED;
X    }
X    return OK;
}
X    
X
module msql_auth_module = {
X   STANDARD_MODULE_STUFF,
X   NULL,			/* initializer */
X   create_msql_auth_dir_config,	/* dir config creater */
X   NULL,			/* dir merger --- default is to override */
X   NULL,			/* server config */
X   NULL,			/* merge server config */
X   msql_auth_cmds,		/* command table */
X   NULL,			/* handlers */
X   NULL,			/* filename translation */
X   msql_authenticate_basic_user,	/* check_user_id */
X   NULL,			/* check auth */
X   NULL,			/* check access */
X   NULL,			/* type_checker */
X   NULL,			/* fixups */
X   NULL				/* logger */
};
SHAR_EOF
  $shar_touch -am 1002112095 'mod_auth_msql.c' &&
  chmod 0444 'mod_auth_msql.c' ||
  echo 'restore of mod_auth_msql.c failed'
  shar_count="`wc -c < 'mod_auth_msql.c'`"
  test 7755 -eq "$shar_count" ||
    echo "mod_auth_msql.c: original size 7755, current size $shar_count"
fi
exit 0



Mime
View raw message