Received: by taz.hyperreal.com (8.6.12/8.6.5) id BAA07779; Thu, 30 May 1996 01:57:08 -0700
Received: from dicsmss1.jrc.it by taz.hyperreal.com (8.6.12/8.6.5) with SMTP id BAA07761; Thu, 30 May 1996 01:56:53 -0700
Received: from jrc.it (elect6.jrc.it) by dicsmss1.jrc.it (4.1/EB-950131-C) id AA10864; Thu, 30 May 96 11:00:22 +0200
Received: by jrc.it (5.x/EB-950213-L) id AA07427; Thu, 30 May 1996 10:55:48 +0200
Date: Thu, 30 May 1996 10:55:48 +0200
From: "Dirk.vanGulik"
Message-Id: <9605300855.AA07427@ jrc.it>
To: new-httpd@hyperreal.com
Subject: Re: WWW Form Bug Report: "check auth routines and requires directives" on Solaris 2.x (fwd)
X-Sun-Charset: US-ASCII
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

This is one of those authoritative problems :-) Which auth module
assumes full authority.

> Should we ask this guy to join the group? Patch number 4 from him :)
>
> --
> Cliff Skolnick cliff@organic.com
>
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759
>
> ---------- Forwarded message ----------
> Date: Wed May 29 12:30:31 1996
> From: jk@tools.de
> To: cliff@organic.com
> Subject: WWW Form Bug Report: "check auth routines and requires directives" on Solaris 2.x
>
> Submitter: jk@tools.de
> Operating system: Solaris 2.x, version:
> Version of Apache Used: 1.1b3-dev
> Extra Modules used:
> URL exhibiting problem:
>
> Symptoms:
> --
> mod_auth.c already accepts any user id, if there are
> no "requires" directives found for a directory or
> location.
>
> Since "requires" directives can occur inside a
> directive it should also accept any
> user id if there are "requires" directives, but
> none matches the actual request method.
> > The same problem exists in mod_digest.c > > *** mod_auth.c~ Wed May 29 21:21:31 1996 > --- mod_auth.c Wed May 29 21:22:27 1996 > *************** > *** 205,210 **** > --- 205,211 ---- > (auth_config_rec *)get_module_config (r->per_dir_config, &auth_module); > char *user = r->connection->user; > int m = r->method_number; > + int method_restricted = 0; > register int x; > char *t, *w; > table *grpstatus; > *************** > *** 232,237 **** > --- 233,240 ---- > > if (! (reqs[x].method_mask & (1 << m))) continue; > > + method_restricted = 1; > + > t = reqs[x].requirement; > w = getword(r->pool, &t, ' '); > if(!strcmp(w,"valid-user")) > *************** > *** 257,262 **** > --- 260,268 ---- > } > } > > + if (!method_restricted) > + return OK; > + > note_basic_auth_failure (r); > return AUTH_REQUIRED; > } > leo 53% diff -c mod_digest.c{~,} > *** mod_digest.c~ Wed May 29 21:21:46 1996 > --- mod_digest.c Wed May 29 21:22:32 1996 > *************** > *** 290,295 **** > --- 290,296 ---- > int digest_check_auth (request_rec *r) { > char *user = r->connection->user; > int m = r->method_number; > + int method_restricted = 0; > register int x; > char *t, *w; > array_header *reqs_arr; > *************** > *** 310,315 **** > --- 311,318 ---- > > if (! (reqs[x].method_mask & (1 << m))) continue; > > + method_restricted = 1; > + > t = reqs[x].requirement; > w = getword(r->pool, &t, ' '); > if(!strcmp(w,"valid-user")) > *************** > *** 325,330 **** > --- 328,336 ---- > return DECLINED; > } > > + if (!method_restricted) > + return OK; > + > note_digest_auth_failure(r); > return AUTH_REQUIRED; > } > > -- > > Backtrace: > -- > > -- > >
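
Review bot: In the second mod_auth.c hunk (new lines 233-240), `method_restricted = 1;` is set as soon as the `method_mask` test passes and before `getword` has parsed the requirement, so the flag records "some requirement covers this request method", not "some requirement was understood and evaluated". A one-line comment at the declaration `int method_restricted = 0;` stating exactly that would make the later `if (!method_restricted)` test easier to audit.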
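
Review bot: The last mod_auth.c hunk (new lines 260-268) makes the fall-through case fail open: `if (!method_restricted) return OK;` accepts any user id whenever no requirement's `method_mask` covers `r->method_number`. That is consistent with the behaviour the report describes for a directory with no "requires" directives at all, but it is an access-control decision and deserves a comment at the return plus a note in the directive documentation, so that an administrator who restricts only some methods knows the remaining methods are open to every user id.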
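
Review bot: In the last mod_digest.c hunk (new lines 328-336) the added `return OK;` sits directly below a path that returns `DECLINED`, and the two results differ in how much authority the module claims over the request; a comment should say why the case where no requirement applies to the method is answered with OK rather than DECLINED. The three added statements are also identical to the mod_auth.c change, so a shared helper for the method check would keep the two modules from drifting apart.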