httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <r...@imdb.com>
Subject access control vialation with Glimpse (fwd)
Date Tue, 04 Mar 1997 15:38:06 GMT

Is it me, or is this bug report so boring it'll send you to sleep ?

not acked.. I'd like to stay awake a bit longer.


---------- Forwarded message ----------
Date: Tue, 04 Mar 1997 19:37:23 +1100
From: Leni Au <l.au@its.unimelb.edu.au>
To: apache-bugs@apache.org
Subject: access control vialation with Glimpse

apache developer


This is regarding to my concerns over the restricted data leaks via the
glimpse search engine on our apache httpd.  That is, glimpse by-pass
restriction in the access.conf (in ny case, ip address) and give users
access to the restricted document from the index.

We have previously patched the ncsa httpd 1.4 source code and implement
the AUTH method to ensure the remote-ip is retained throughout the
glimpse session.

This is the patch done by one of our ex-staff on ncsa httpd.1.4.

He modified httpd_request.c 

      if(!strcmp(method,"AUTH")) {
              header_only=1;
              remote_ip=pretend_ip;
              process_get(in,out,method,url2,args2);
          }

We then add this,

add AUTH perl library in dir
/usr/local/web/lib/perl/libwww-perl-0.40/AUTH 

/cgi-bin/aglimpse calls the AUTH when requested 

The above changes to the source code have been working quite well.


We are now planning to upgrade the server to apache but I need to
implement similar authorisation process as some documents are access
restricted by IP and we need to ensure this works.

I attempted similiar approach to apache and now unable to identify wher
eI might have went wrong.

I added the following to src http_protocol.c 

 if .....(....., "GET") 
 ......
 .....

 else if(!strcmp(r->method, "AUTH")) {     /* lya - add AUTH method */
        r->header_only=1;
        strncpy( conn->remote_ip, table_get(r->headers_in,
"Pretend-IP"), 16);
        conn->remote_ip[16]='\0';
        r->method_number = M_GET;
    }

I went through debugging mode and can be sure that the remote_ip from
the connection is correct but I'm getting a 502 BAD_GATEWAY error and
not the 402 FORBIDDEN message.
I have no idea of what 502 really mean.  Can you help?

My questions are :

Should I persuit this in this manner or should I implment a module?
If yes, what is the best way to do this?
Will apache dudes be looking into solving this security leak problem?


thanks in advance.

lennie Au
The University of Melbourne



Mime
View raw message