httpd-dev mailing list archives

From Andrew Wilson <and...@aaaaaaaa.demon.co.uk>
Subject Re: Just what you all want... another patch.
Date Sun, 16 Jun 1996 14:49:41 GMT
What is the likelihood of people *expecting* the un-patched behaviour
for the correct operation of their applications?  Just wondering
if we're in for a hidden cost with this otherwise priceless benefit
which might require careful documentation to avoid br0kenness...

Ay.

> I was playing with my authoring stuff... in particular, I wanted to
> set up an area which was auth protected for PUTs only... no problem,
> right?  You just do...
> 
>    AuthType Basic
>    ...
> 
>    <Limit PUT>
>    require ...
>    </Limit>
> 
> Well, *wrong*.  PUTs require Auth properly, but the behavior of
> GETs becomes strange and useless.
> 
> The problem is that the core checks whether AuthType is set in order
> to see whether to do authentication in this space, whether there is a
> "require" line applicable to the actual request method at all or not.
> This probably accounts for numerous frequent bug reports and
> complaints about strange behavior (as well as the oft-reported NCSA
> incompatibility that we do auth even if there are no applicable
> "require" lines).
> 
> Herewith, a patch:
> 
> *** ../src.dist.ref/http_request.c	Sat Jun 15 10:05:48 1996
> --- http_request.c	Sun Jun 16 09:57:03 1996
> ***************
> *** 659,664 ****
> --- 659,683 ----
>       else die (status, r);
>   }
>   
> + static int some_auth_required (request_rec *r)
> + {
> +     /* Is there a require line configured for the type of *this* req? */
> +     
> +     array_header *reqs_arr = requires (r);
> +     require_line *reqs;
> +     int i;
> +     
> +     if (!reqs_arr) return 0;
> +     
> +     reqs = (require_line *)reqs_arr->elts;
> + 
> +     for (i = 0; i < reqs_arr->nelts; ++i)
> + 	if (reqs[i].method_mask & (1 << r->method_number))
> + 	    return 1;
> + 
> +     return 0;
> + }
> + 
>   void process_request_internal (request_rec *r)
>   {
>       int access_status;
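
Review bot: In some_auth_required, the only comment sits inside the body and does not say what a 0 return means: both the `if (!reqs_arr) return 0;` path and the fall-through after the loop report that no authentication is needed for this request, whatever else is configured for the directory. Since that is the behaviour change existing configurations will see, I would move the comment above the function and state the meaning of each return value there. The test `reqs[i].method_mask & (1 << r->method_number)` also relies on method_number always being a small non-negative index; a one-line comment saying so would help the next reader.
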
> ***************
> *** 721,727 ****
>   	return;
>       }
>       
> !     if (auth_type (r)) {
>           if ((access_status = check_user_id (r)) != 0) {
>   	    decl_die (access_status, "check user.  No user file?", r);
>   	    return;
> --- 740,746 ----
>   	return;
>       }
>       
> !     if (some_auth_required (r)) {
>           if ((access_status = check_user_id (r)) != 0) {
>   	    decl_die (access_status, "check user.  No user file?", r);
>   	    return;
> 
> 
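
Review bot: The new condition `if (some_auth_required (r))` no longer consults auth_type (r) at all, so a section with an applicable require line but no AuthType now reaches check_user_id, where before it was skipped. Please confirm that check_user_id rejects such a request cleanly, and consider widening the decl_die text "check user.  No user file?" so it also names a missing AuthType as a possible cause. In the other direction, AuthType set with no require line matching the request method now skips the user check; that is the compatibility question raised at the top of this reply and it should be written up in the documentation alongside the change.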

