httpd-dev mailing list archives

From Cliff Skolnick <cl...@organic.com>
Subject WWW Form Bug Report: "mod_digest.c performs too many auth checks" on Solaris 2.x (fwd)
Date Wed, 29 May 1996 18:49:20 GMT

no ack sent

--
Cliff Skolnick                                      cliff@organic.com

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759

---------- Forwarded message ----------
Date: Wed May 29 11:02:36 1996
From: jk@tools.de
To: cliff@organic.com
Subject: WWW Form Bug Report: "mod_digest.c performs too many auth checks" on Solaris 2.x

Submitter: jk@tools.de
Operating system: Solaris 2.x, version: 
Version of Apache Used: 1.1b3-dev
Extra Modules used: 
URL exhibiting problem: 

Symptoms:
--
(Sorry for duplicate bug-report, the previous one
was submitted unintentionally)

digest_check_auth performs auth checks for 
requests that do not use "Digest" authorization:

I'm using the following access.conf file:

<Location /semi-protected-dir/>
 
AuthName        Auth-Realm
AuthType        Basic
AuthUserFile    /usr/local/etc/httpd/etc/passwd
 
<Limit PUT DELETE>
require user username
</Limit>
 
</Location>

A GET request for something under /semi-protected-dir/
using "Authorization: Basic ..." results in:

- authenticate_digest_user returns DECLINED
- authenticate_basic_user returns OK and sets the
  request's user and auth_type (="Basic")
- digest_check_auth runs, sees that the
  requires array is not empty, doesn't find a
  require line with a matching request method 
  and returns AUTH_REQUIRED, with a request for
  "Digest" Authorization.

I think digest_check_auth should first make sure
that the request really uses "Digest" Authorization
before checking anything.

This should also eliminate the dubious "BUG FIX:
tadc, ..." which doesn't seem right.

*** apache_19960527130015-orig/src/mod_digest.c Sat Apr 20 15:00:09 1996
--- apache_19960527130015/src/mod_digest.c      Wed May 29 19:38:39 1996
***************
*** 293,306 ****
      
      register int x;
      char *t, *w;
!     array_header *reqs_arr = requires (r);
      require_line *reqs;
  
!     /* BUG FIX: tadc, 11-Nov-1995.  If there is no "requires" directive, 
       * then any user will do.
       */
      if (!reqs_arr)
!         return DECLINED;
      reqs = (require_line *)reqs_arr->elts;
  
      for(x=0; x < reqs_arr->nelts; x++) {
--- 293,310 ----
      
      register int x;
      char *t, *w;
!     array_header *reqs_arr;
      require_line *reqs;
  
!     if (!(t = auth_type(r)) || strcasecmp(t, "Digest"))
!       return DECLINED;
! 
!     reqs_arr = requires (r);
!     /* If there is no "requires" directive, 
       * then any user will do.
       */
      if (!reqs_arr)
!         return OK;
      reqs = (require_line *)reqs_arr->elts;
  
      for(x=0; x < reqs_arr->nelts; x++) {
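
Review bot: The last changed line on the new side turns the no-"requires" return from DECLINED into OK, which goes beyond the auth-type guard the report asks for and is not explained in it. With the guard in place this path is only reached for AuthType Digest, so the module would now settle the check itself instead of declining; either keep "return DECLINED;" there or say in the report why OK is intended. Separately, the guard compares the value of auth_type(r), while the report speaks of the request "really using" Digest authorization, so a one-line comment above the strcasecmp stating which value is being tested would help the next reader.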

--

Backtrace:
--

--
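
The handler sequence described in the report, as an added C model that is not part of the original message or of Apache's source. The structs, `walk_requires`, the `M_*` bits and `sample_get` are hypothetical names; only the return-code names and the `auth_type`/`strcasecmp` guard come from the report and patch.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed model: codes and method bits are named after the report,
 * they are not taken from Apache's headers. */
enum { DECLINED = -1, OK = 0, AUTH_REQUIRED = 401 };
enum { M_GET = 1, M_PUT = 2, M_DELETE = 4 };

struct require_line { int method_mask; const char *user; };
struct request {
    int method;                       /* one M_* bit */
    const char *auth_type;            /* configured AuthType */
    const char *user;                 /* set by the authenticate step */
    const struct require_line *reqs;  /* "require" lines in effect */
    size_t nreqs;
};

/* Walk the require lines as the report describes digest_check_auth doing:
 * lines limited to other methods are skipped, and falling off the end
 * of the array yields AUTH_REQUIRED. */
static int walk_requires(const struct request *r) {
    for (size_t i = 0; i < r->nreqs; i++) {
        if (!(r->reqs[i].method_mask & r->method)) continue;
        if (r->user && strcmp(r->reqs[i].user, r->user) == 0) return OK;
    }
    return AUTH_REQUIRED;
}

/* Pre-patch behaviour: runs the check whatever the AuthType is. */
int digest_check_unguarded(const struct request *r) {
    if (r->nreqs == 0) return DECLINED;
    return walk_requires(r);
}

/* Patched behaviour: decline unless AuthType is Digest. */
int digest_check_guarded(const struct request *r) {
    if (!r->auth_type || strcasecmp(r->auth_type, "Digest") != 0) return DECLINED;
    if (r->nreqs == 0) return OK;     /* the patch also changes this return */
    return walk_requires(r);
}

/* Constructed request matching the report: GET, AuthType Basic,
 * "require user username" limited to PUT and DELETE. */
static const struct require_line sample_reqs[] = { { M_PUT | M_DELETE, "username" } };
struct request sample_get(void) {
    struct request r = { M_GET, "Basic", "username", sample_reqs, 1 };
    return r;
}
```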

