httpd-dev mailing list archives

From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: WWW Form Bug Report: "check auth routines and requires directives" on Solaris 2.x (fwd)
Date Thu, 30 May 1996 08:55:48 GMT
This is one of those authoritative problems :-) Which auth module assumes
full authority.

> Should we ask this guy to join the group?  Patch number 4 from him :)
> 
> --
> Cliff Skolnick                                      cliff@organic.com
> 
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759
> 
> ---------- Forwarded message ----------
> Date: Wed May 29 12:30:31 1996
> From: jk@tools.de
> To: cliff@organic.com
> Subject: WWW Form Bug Report: "check auth routines and requires directives" on Solaris 2.x
> 
> Submitter: jk@tools.de
> Operating system: Solaris 2.x, version: 
> Version of Apache Used: 1.1b3-dev
> Extra Modules used: 
> URL exhibiting problem: 
> 
> Symptoms:
> --
> mod_auth.c already accepts any user id, if there are
> no "requires" directives found for a directory or
> location.
> 
> Since "requires" directives can occur inside a
> <Limit> directive it should also accept any 
> user id if there are "requires" directives, but
> none matches the actual request method.
> 
> The same problem exists in mod_digest.c
> 
> *** mod_auth.c~ Wed May 29 21:21:31 1996
> --- mod_auth.c  Wed May 29 21:22:27 1996
> ***************
> *** 205,210 ****
> --- 205,211 ----
>         (auth_config_rec *)get_module_config (r->per_dir_config, &auth_module);
>       char *user = r->connection->user;
>       int m = r->method_number;
> +     int method_restricted = 0;
>       register int x;
>       char *t, *w;
>       table *grpstatus;
> ***************
> *** 232,237 ****
> --- 233,240 ----
>         
>         if (! (reqs[x].method_mask & (1 << m))) continue;
>          
> +       method_restricted = 1;
> + 
>           t = reqs[x].requirement;
>           w = getword(r->pool, &t, ' ');
>           if(!strcmp(w,"valid-user"))
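
Review bot: `method_restricted = 1;` is set right after the `method_mask` test and before `getword()` parses the requirement, which is the right place but is not explained. With this ordering a require line that applies to the method but is not satisfied still leaves the flag set, so the request cannot reach the new `return OK`. A short comment on the assignment saying it records "some require line applies to this method", whether or not that line is satisfied, would keep a later edit from moving it below the `strcmp` chain.
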
> ***************
> *** 257,262 ****
> --- 260,268 ----
>           }
>       }
>   
> +     if (!method_restricted)
> +       return OK;
> + 
>       note_basic_auth_failure (r);
>       return AUTH_REQUIRED;
>   }
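
Review bot: the added `if (!method_restricted) return OK;` ahead of `note_basic_auth_failure (r)` turns the fall-through path from deny to allow for every method that no require line covers, and nothing in the code says so. That is what the report asks for, but it means a require placed inside a <Limit> leaves all unlisted methods open to any user id; please put a comment above the check stating this, and consider logging when the branch is taken so an administrator can see that a request passed with no applicable require line.
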
> leo 53% diff -c mod_digest.c{~,}
> *** mod_digest.c~       Wed May 29 21:21:46 1996
> --- mod_digest.c        Wed May 29 21:22:32 1996
> ***************
> *** 290,295 ****
> --- 290,296 ----
>   int digest_check_auth (request_rec *r) {
>       char *user = r->connection->user;
>       int m = r->method_number;
> +     int method_restricted = 0;    
>       register int x;
>       char *t, *w;
>       array_header *reqs_arr;
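
Review bot: the added declaration `int method_restricted = 0;` in `digest_check_auth` carries trailing spaces after the semicolon; strip them so the line matches the one added to mod_auth.c.
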
> ***************
> *** 310,315 ****
> --- 311,318 ----
>         
>         if (! (reqs[x].method_mask & (1 << m))) continue;
>          
> +       method_restricted = 1;
> + 
>           t = reqs[x].requirement;
>           w = getword(r->pool, &t, ' ');
>           if(!strcmp(w,"valid-user"))
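
Review bot: this hunk repeats the mod_auth.c change line for line (`method_mask` test, then `method_restricted = 1;`, then `getword()`), so the access decision now lives in two copies that must be kept in step. Consider moving the "does any require line cover this method" test into one shared helper that both modules call, so a future fix cannot land in only one of them.
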
> ***************
> *** 325,330 ****
> --- 328,336 ----
>           return DECLINED;
>       }
>       
> +     if (!method_restricted)
> +       return OK;
> + 
>       note_digest_auth_failure(r);
>       return AUTH_REQUIRED;
>   }
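
Review bot: the context just above the added check shows this function returning `DECLINED` on another path, while the new `if (!method_restricted)` branch returns `OK`. When no require line applies to the request method the digest module has evaluated nothing, so please state in a comment why `OK` rather than `DECLINED` is the right answer here; as written the module vouches for a request it never checked.
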
> 
> --
> 
> Backtrace:
> --
> 
> --
> 
> 
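
The decision the report describes, modelled as a small C program (an added example, not part of the original message and not Apache source). The `require_line` struct, `check_auth_model`, the `patched` switch and the sample <Limit POST> entry are assumptions made for illustration; the model handles only `valid-user` and a single-name `user` requirement.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model for illustration; not Apache source code. */
enum { M_GET, M_PUT, M_POST, M_DELETE };
enum { OK = 0, AUTH_REQUIRED = 401 };

typedef struct {
    int method_mask;         /* bit (1 << m) set for each method in the <Limit> */
    const char *requirement; /* "valid-user" or "user <name>" (one name only) */
} require_line;

/* Constructed sample: a single "require user alice" inside <Limit POST>. */
static const require_line sample[] = { { 1 << M_POST, "user alice" } };

/* Decision for an already-authenticated user. patched=0 models the behaviour
 * the report describes, patched=1 the behaviour after the submitted change. */
int check_auth_model(const require_line *reqs, int n, int m,
                     const char *user, int patched)
{
    int method_restricted = 0;
    int x;

    if (n == 0) return OK;               /* no require lines: any user id */
    for (x = 0; x < n; x++) {
        if (!(reqs[x].method_mask & (1 << m))) continue;
        method_restricted = 1;           /* a require line covers this method */
        if (!strcmp(reqs[x].requirement, "valid-user")) return OK;
        if (!strncmp(reqs[x].requirement, "user ", 5) &&
            !strcmp(reqs[x].requirement + 5, user)) return OK;
    }
    if (patched && !method_restricted) return OK;
    return AUTH_REQUIRED;
}

int main(void)
{
    static const char *names[] = { "GET", "PUT", "POST", "DELETE" };
    int m;
    for (m = M_GET; m <= M_DELETE; m++)
        printf("%-6s user=bob  before=%d after=%d\n", names[m],
               check_auth_model(sample, 1, m, "bob", 0),
               check_auth_model(sample, 1, m, "bob", 1));
    return 0;
}
```

For the sample entry, every method outside the <Limit POST> changes from 401 to 0 for bob once `patched` is set, while POST stays restricted to alice.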

