httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: [STATUS] 1.3b1 Tue Sep 9 04:39:22 EDT 1997
Date Tue, 16 Sep 1997 04:25:07 GMT
Just cleaning out my mailbox ... dealing with bug fixes and portability
fixes. 

> >>From henson@intranet.intranet.csupomona.edu  Tue Aug 26 17:49:37 1997
> Received: from intranet.intranet.csupomona.edu (intranet.intranet.csupomona.edu [134.71.184.20])
> 	by hyperreal.org (8.8.5/8.8.5) with ESMTP id RAA17667
> 	for <new-httpd@apache.org>; Tue, 26 Aug 1997 17:49:37 -0700 (PDT)
> Received: (from henson@localhost) by intranet.intranet.csupomona.edu (8.8.5/8.8.3) id RAA26585; Tue, 26 Aug 1997 17:49:32 -0700 (PDT)
> Date: Tue, 26 Aug 1997 17:49:32 -0700 (PDT)
> Message-Id: <199708270049.RAA26585@intranet.intranet.csupomona.edu>
> From: "Paul B. Henson" <henson@intranet.csupomona.edu>
> To: new-httpd@apache.org
> Subject: patches
> Reply-to: pbhenson@csupomona.edu
> 
> 
> I'd like to request the inclusion of any/all of these patches into the
> Apache source tree. I've included part of a README from my mod_auth_dce
> package, and a patch file.
> 
> Except for the patch to http_request.c, none of these are really specific
> to my module, and I don't think there would be any side effects.
> 
> I don't really mind applying a few patches myself, but a number of people
> who use my module have requested that I try and get these patches
> incorporated into Apache rather than including the patch file with my
> distribution.
> 
> Thanks for your consideration... If anyone would like to take a look at
> mod_auth_dce, it's available at:
> 
> http://www.intranet.csupomona.edu/~henson/www/projects/mod_auth_dce/
> 
> 
> ---------------------------------------------------------------------------
> Technical Details
> -----------------
> 
> The following is a list of files modified by the patches and the reasons
> the modifications needed to be made.
> 
>   mod_cgi.c
> 
>        The call to can_exec(), which checks execute permissions by
>        comparing the server's UID and GID to owner/group permissions
>        on the file, does not work correctly when a CGI might not be
>        executable by the server user/group. This call is replaced with
>        a call to the access() system routine instead, which will take
>        ACLs into account when deciding whether execute permission
>        exists.

I just +1d a patch from Randy that probably makes this change unnecessary. 
In any event we can't use access() like he's using it with DCE ... 'cause
the server doesn't change uids. 

>   mod_userdir.c
> 
>        This module was using the r->finfo structure as storage for a 
>        local stat. This contaminated the structure, and had unexpected
>        side effects on mod_auth_dce. A local stat structure was added.

This bug fix was incomplete (it didn't set r->finfo properly when the stat
was successful).  I fixed that, and committed it.

>       
> 
>   http_request.c
> 
>        In the get_path_info() function in this file, the server tries to
>        separate the request into a system path and the extra PATH_INFO
>        environment variable. This is accomplished by repeated calls to
>        stat(), and the removal of the rightmost component of the
>        request on each stat() failure. This function is called before
>        any credentials are obtained, and the stat() might fail with a
>        permission error if the any_other entry does not have access.
>        This makes the PATH_INFO incorrect. The function is modified to
>        check for a permission error (EACCES) when stat() fails, and if
>        it finds one, to immediately return OK with no further processing.
>        mod_auth_dce will call this function again after credentials
>        have been obtained, if needed, to correctly separate the PATH_INFO.

This seems innocuous ... ;)  I give it a +1, but fully expect a veto. 

>   md5.h, md5c.c, mod_proxy.c, util_md5.h, util_md5.c 
> 
>        Apache includes MD5 hashing routines. These routines collide
>        with identically named functions in the DCE library. All the
>        Apache routines are modified to include an apache_ prefix to
>        remove this collision.

Already dealt with.

> ---------------------------------------------------------------------------
> 
> diff -c -r apache_1.2.0-orig/src/http_request.c apache_1.2.0/src/http_request.c
> *** apache_1.2.0-orig/src/http_request.c	Wed May 14 12:22:52 1997
> --- apache_1.2.0/src/http_request.c	Tue Jun 17 18:37:26 1997
> ***************
> *** 177,182 ****
> --- 177,191 ----
>   	    *cp = '\0';
>   	    return OK;
>   	}
> + 	/* Modification for mod_auth_dce -- This check is made before
> + 	 * authentication modules are called. If the error is access
> + 	 * denied, it is possible that once DCE credentials are obtained
> + 	 * that the entry would be accessible. Therefore, return OK now,
> + 	 * and mod_auth_dce will call this function again after credentials
> + 	 * are obtained.
> + 	 */
> + 	else if (errno == EACCES)
> + 	  return OK;
>   #if defined(ENOENT) && defined(ENOTDIR)
>   	else if (errno == ENOENT || errno == ENOTDIR) {
>   #else
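Review bot: the new "else if (errno == EACCES) return OK;" branch is unconditional, so it is taken in every server build, while the comment above it says the re-run that makes this safe is done by mod_auth_dce. When that module is not loaded, nothing visible in this hunk re-checks the path, and the caller gets OK with the filename/PATH_INFO split never performed. Suggest guarding the branch (a compile-time or configuration switch) or returning a distinct status that a later phase must resolve, and saying in the comment what state the request is left in when this branch is taken.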
> diff -c -r apache_1.2.0-orig/src/md5.h apache_1.2.0/src/md5.h
> *** apache_1.2.0-orig/src/md5.h	Wed Jan  1 10:10:23 1997
> --- apache_1.2.0/src/md5.h	Tue Jun 17 18:22:45 1997
> ***************
> *** 91,99 ****
>     UINT4 state[4];                                   /* state (ABCD) */
>     UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
>     unsigned char buffer[64];                         /* input buffer */
> ! } MD5_CTX;
>   
> ! extern void MD5Init(MD5_CTX *context);
> ! extern void MD5Update(MD5_CTX *context, const unsigned char *input,
>   		      unsigned int inputLen);
> ! extern void MD5Final(unsigned char digest[16], MD5_CTX *context);
> --- 91,99 ----
>     UINT4 state[4];                                   /* state (ABCD) */
>     UINT4 count[2];        /* number of bits, modulo 2^64 (lsb first) */
>     unsigned char buffer[64];                         /* input buffer */
> ! } APACHE_MD5_CTX;
>   
> ! extern void apache_MD5Init(APACHE_MD5_CTX *context);
> ! extern void apache_MD5Update(APACHE_MD5_CTX *context, const unsigned char *input,
>   		      unsigned int inputLen);
> ! extern void apache_MD5Final(unsigned char digest[16], APACHE_MD5_CTX *context);
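Review bot: renaming MD5_CTX, MD5Init, MD5Update and MD5Final in this shared header breaks every caller that is not updated in the same patch, and the description lists mod_proxy.c among the modified files while no mod_proxy.c hunk appears in this patch. Please add the missing hunk (or confirm none is needed) and record the rename where authors of other modules will see it. The continuation line "unsigned int inputLen);" also no longer lines up under the first parameter of apache_MD5Update.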
> diff -c -r apache_1.2.0-orig/src/md5c.c apache_1.2.0/src/md5c.c
> *** apache_1.2.0-orig/src/md5c.c	Wed Jan  1 10:10:24 1997
> --- apache_1.2.0/src/md5c.c	Tue Jun 17 18:22:47 1997
> ***************
> *** 158,164 ****
>   /* MD5 initialization. Begins an MD5 operation, writing a new context.
>    */
>   void
> ! MD5Init(MD5_CTX *context)
>   {
>       context->count[0] = context->count[1] = 0;
>     /* Load magic initialization constants. */
> --- 158,164 ----
>   /* MD5 initialization. Begins an MD5 operation, writing a new context.
>    */
>   void
> ! apache_MD5Init(APACHE_MD5_CTX *context)
>   {
>       context->count[0] = context->count[1] = 0;
>     /* Load magic initialization constants. */
> ***************
> *** 173,179 ****
>     context.
>    */
>   void
> ! MD5Update(MD5_CTX *context, const unsigned char *input, unsigned int inputLen)
>   {
>       unsigned int i, index, partLen;
>   
> --- 173,179 ----
>     context.
>    */
>   void
> ! apache_MD5Update(APACHE_MD5_CTX *context, const unsigned char *input, unsigned int
inputLen)
>   {
>       unsigned int i, index, partLen;
>   
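Review bot: the new apache_MD5Update definition line runs past 80 columns and has been wrapped in transit, leaving an unprefixed "inputLen)" line that will stop this hunk from applying. Break the parameter list across two lines in the source, as the md5.h declaration already does, and resend the patch in a form that is not re-wrapped.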
> ***************
> *** 209,215 ****
>     the message digest and zeroizing the context.
>    */
>   void
> ! MD5Final(unsigned char digest[16], MD5_CTX *context)
>   {
>       unsigned char bits[8];
>       unsigned int index, padLen;
> --- 209,215 ----
>     the message digest and zeroizing the context.
>    */
>   void
> ! apache_MD5Final(unsigned char digest[16], APACHE_MD5_CTX *context)
>   {
>       unsigned char bits[8];
>       unsigned int index, padLen;
> ***************
> *** 220,229 ****
>     /* Pad out to 56 mod 64. */
>       index = (unsigned int)((context->count[0] >> 3) & 0x3f);
>       padLen = (index < 56) ? (56 - index) : (120 - index);
> !     MD5Update(context, PADDING, padLen);
>   
>     /* Append length (before padding) */
> !     MD5Update(context, bits, 8);
>   
>     /* Store state in digest */
>       Encode(digest, context->state, 16);
> --- 220,229 ----
>     /* Pad out to 56 mod 64. */
>       index = (unsigned int)((context->count[0] >> 3) & 0x3f);
>       padLen = (index < 56) ? (56 - index) : (120 - index);
> !     apache_MD5Update(context, PADDING, padLen);
>   
>     /* Append length (before padding) */
> !     apache_MD5Update(context, bits, 8);
>   
>     /* Store state in digest */
>       Encode(digest, context->state, 16);
> diff -c -r apache_1.2.0-orig/src/mod_cgi.c apache_1.2.0/src/mod_cgi.c
> *** apache_1.2.0-orig/src/mod_cgi.c	Mon Apr 21 13:29:09 1997
> --- apache_1.2.0/src/mod_cgi.c	Tue Jun 17 18:37:24 1997
> ***************
> *** 393,401 ****
>   			       "script not found or unable to stat");
>   #endif
>       if (!suexec_enabled) {
> !         if (!can_exec(&r->finfo))
> !             return log_scripterror(r, conf, FORBIDDEN,
> !                                    "file permissions deny server execution");
>       }
>   
>       if ((retval = setup_client_block(r, REQUEST_CHUNKED_ERROR)))
> --- 393,412 ----
>   			       "script not found or unable to stat");
>   #endif
>       if (!suexec_enabled) {
> !       /* Modification for mod_auth_dce -- This used to be a call to can_exec
> !        * in util.c; however, that function does a naive bit check to decide
> !        * if a script is executable. That fails in an environment with ACLs,
> !        * where the server may have permission based on the ACL, but not on
> !        * the Unix mode bits. The access() system call takes ACLs into account.
> !        */
> !       if(access(r->filename, X_OK)) {
> ! 	if (errno == EACCES)
> ! 	  return log_scripterror(r, conf, FORBIDDEN,
> ! 				 "file permissions deny server execution");
> ! 	else
> ! 	  return log_scripterror(r, conf, SERVER_ERROR,
> ! 				 "system error checking execute access");
> !       }
>       }
>   
>       if ((retval = setup_client_block(r, REQUEST_CHUNKED_ERROR)))
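Review bot: access(r->filename, X_OK) is evaluated against the real uid and gid of the server process, and its answer can be out of date by the time the script is run, so it is only an early check and the failure path of the later exec still has to be handled. In the else branch every errno other than EACCES is reported as SERVER_ERROR, which includes ENOENT and ENOTDIR if the file goes away after the stat above; consider giving those the same treatment as "script not found". The added lines also step by two spaces and tabs where the surrounding code indents by four spaces.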
> diff -c -r apache_1.2.0-orig/src/mod_userdir.c apache_1.2.0/src/mod_userdir.c
> *** apache_1.2.0-orig/src/mod_userdir.c	Fri Mar  7 06:15:44 1997
> --- apache_1.2.0/src/mod_userdir.c	Tue Jun 17 18:37:21 1997
> ***************
> *** 114,120 ****
>       char *name = r->uri;
>       const char *w, *dname, *redirect;
>       char *x = NULL;
> ! 
>       if (userdirs == NULL || !strcasecmp(userdirs, "disabled") ||
>           (name[0] != '/') || (name[1] != '~')) {
>         return DECLINED;
> --- 114,126 ----
>       char *name = r->uri;
>       const char *w, *dname, *redirect;
>       char *x = NULL;
> !     /* Modification for mod_auth_dce -- This module previously used the
> !      * r->finfo structure for temporary storage of a local stat. This
> !      * contaminated that structure and had unexpected side effects. Adding
> !      * a local stat structure will fix the problem.
> !      */
> !     struct stat statbuf;
> !     
>       if (userdirs == NULL || !strcasecmp(userdirs, "disabled") ||
>           (name[0] != '/') || (name[1] != '~')) {
>         return DECLINED;
> ***************
> *** 182,188 ****
>          in the hope that some handler might handle it. This can be used, for
>          example, to run a CGI script for the user. 
>          */
> !       if (filename && (!*userdirs || stat(filename, &r->finfo) != -1))
{
>   	r->filename = pstrcat(r->pool, filename, dname, NULL);
>   	return OK;
>         }
> --- 188,194 ----
>          in the hope that some handler might handle it. This can be used, for
>          example, to run a CGI script for the user. 
>          */
> !       if (filename && (!*userdirs || stat(filename, &statbuf) != -1)) {
>   	r->filename = pstrcat(r->pool, filename, dname, NULL);
>   	return OK;
>         }
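Review bot: with "stat(filename, &statbuf)" the result of a successful stat stays in the local buffer, and the OK path below sets r->filename without setting r->finfo, so later phases see whatever r->finfo held before this function ran. Set r->finfo on the path that returns OK; the reply above notes the same gap.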
> diff -c -r apache_1.2.0-orig/src/util_md5.c apache_1.2.0/src/util_md5.c
> *** apache_1.2.0-orig/src/util_md5.c	Wed Jan  1 10:10:46 1997
> --- apache_1.2.0/src/util_md5.c	Tue Jun 17 18:22:51 1997
> ***************
> *** 84,90 ****
>   
>   char *md5 (pool *p, unsigned char *string)
>   {
> !     MD5_CTX my_md5;
>       unsigned char hash[16];
>       char *r, result[33];
>       int i;
> --- 84,90 ----
>   
>   char *md5 (pool *p, unsigned char *string)
>   {
> !     APACHE_MD5_CTX my_md5;
>       unsigned char hash[16];
>       char *r, result[33];
>       int i;
> ***************
> *** 93,101 ****
>        * Take the MD5 hash of the string argument.
>        */
>   
> !     MD5Init(&my_md5);
> !     MD5Update(&my_md5, string, strlen((const char *)string));
> !     MD5Final(hash, &my_md5);
>   
>       for (i=0, r=result; i<16; i++, r+=2)
>           sprintf(r, "%02x", hash[i]);
> --- 93,101 ----
>        * Take the MD5 hash of the string argument.
>        */
>   
> !     apache_MD5Init(&my_md5);
> !     apache_MD5Update(&my_md5, string, strlen((const char *)string));
> !     apache_MD5Final(hash, &my_md5);
>   
>       for (i=0, r=result; i<16; i++, r+=2)
>           sprintf(r, "%02x", hash[i]);
> ***************
> *** 149,155 ****
>   static char basis_64[] =
>      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
>   
> ! char *md5contextTo64(pool *a, MD5_CTX *context)
>   {
>       unsigned char digest[18];
>       char *encodedDigest;
> --- 149,155 ----
>   static char basis_64[] =
>      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
>   
> ! char *md5contextTo64(pool *a, APACHE_MD5_CTX *context)
>   {
>       unsigned char digest[18];
>       char *encodedDigest;
> ***************
> *** 158,164 ****
>   
>       encodedDigest = (char *)pcalloc(a, 25 * sizeof(char));
>   
> !     MD5Final(digest, context);
>       digest[sizeof(digest)-1] = digest[sizeof(digest)-2] = 0;
>   
>       p = encodedDigest;
> --- 158,164 ----
>   
>       encodedDigest = (char *)pcalloc(a, 25 * sizeof(char));
>   
> !     apache_MD5Final(digest, context);
>       digest[sizeof(digest)-1] = digest[sizeof(digest)-2] = 0;
>   
>       p = encodedDigest;
> ***************
> *** 176,190 ****
>   
>   char *md5digest(pool *p, FILE *infile)
>   {
> !     MD5_CTX context;
>       unsigned char buf[1000];
>       long length = 0;
>       int nbytes;
>   
> !     MD5Init(&context);
>       while ((nbytes = fread(buf, 1, sizeof(buf), infile))) {
>           length += nbytes;
> !         MD5Update(&context, buf, nbytes);
>       }
>       rewind(infile);
>       return md5contextTo64(p, &context);
> --- 176,190 ----
>   
>   char *md5digest(pool *p, FILE *infile)
>   {
> !     APACHE_MD5_CTX context;
>       unsigned char buf[1000];
>       long length = 0;
>       int nbytes;
>   
> !     apache_MD5Init(&context);
>       while ((nbytes = fread(buf, 1, sizeof(buf), infile))) {
>           length += nbytes;
> !         apache_MD5Update(&context, buf, nbytes);
>       }
>       rewind(infile);
>       return md5contextTo64(p, &context);
> diff -c -r apache_1.2.0-orig/src/util_md5.h apache_1.2.0/src/util_md5.h
> *** apache_1.2.0-orig/src/util_md5.h	Wed Jan  1 10:10:46 1997
> --- apache_1.2.0/src/util_md5.h	Tue Jun 17 18:22:46 1997
> ***************
> *** 53,58 ****
>   #include "md5.h"
>   
>   char *md5(pool *a, unsigned char *string);
> ! char *md5contextTo64(pool *p, MD5_CTX *context);
>   char *md5digest(pool *p, FILE *infile);
>   
> --- 53,58 ----
>   #include "md5.h"
>   
>   char *md5(pool *a, unsigned char *string);
> ! char *md5contextTo64(pool *p, APACHE_MD5_CTX *context);
>   char *md5digest(pool *p, FILE *infile);
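Review bot: md5(), md5contextTo64() and md5digest() keep their unprefixed global names here while only the context type in the md5contextTo64 prototype changes, so the utility layer is left in the shared namespace that the description says caused the collision for MD5Init and friends. If the aim is to clear that namespace, give these the same prefix, or say in the description why they are not at risk.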
> 
> 
> -- 
> Paul Henson  |  System Administrator  |  Cal Poly Pomona  |  (909) 869-3781
> pbhenson@csupomona.edu | finger -l henson@www.csupomona.edu for PGP key
> 
> 
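
Added example, not part of the original message or of the Apache source: a simplified C model of the stat()-and-strip walk described in the http_request.c notes above, showing that stopping on EACCES leaves PATH_INFO undecided until the walk is rerun with credentials. The names split_path_info, fake_stat and have_creds and the /dfs/private path are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum split { SPLIT_OK, SPLIT_DEFERRED, SPLIT_NOT_FOUND, SPLIT_ERROR };
typedef int (*stat_fn)(const char *, struct stat *);

/* Constructed stand-in for stat() on a tree that denies anonymous access. */
static int have_creds = 0;
static int fake_stat(const char *p, struct stat *st)
{
    static const char file[] = "/dfs/private/report.cgi";
    size_t n = sizeof file - 1;
    int under = strncmp(p, file, n) == 0;
    memset(st, 0, sizeof *st);
    if (!have_creds) { errno = EACCES; return -1; }
    if (under && p[n] == '\0') return 0;
    errno = (under && p[n] == '/') ? ENOTDIR : ENOENT;
    return -1;
}

/* Strip rightmost components until stat() works; EACCES stops undecided. */
static enum split split_path_info(const char *path, stat_fn do_stat, size_t *off)
{
    char buf[1024], *slash;
    struct stat st;
    size_t end = strlen(path);
    if (end >= sizeof buf) return SPLIT_ERROR;
    memcpy(buf, path, end + 1);
    for (;;) {
        if (do_stat(buf, &st) == 0) { *off = end; return SPLIT_OK; }
        if (errno == EACCES) return SPLIT_DEFERRED; /* rerun with credentials */
        if (errno != ENOENT && errno != ENOTDIR) return SPLIT_ERROR;
        slash = strrchr(buf, '/');
        if (slash == NULL || slash == buf) return SPLIT_NOT_FOUND;
        *slash = '\0';
        end = (size_t)(slash - buf);
    }
}

int main(void)
{
    const char *req = "/dfs/private/report.cgi/extra/info";
    size_t off = 0;
    printf("anonymous: %d\n", split_path_info(req, fake_stat, &off));
    have_creds = 1;
    if (split_path_info(req, fake_stat, &off) == SPLIT_OK)
        printf("PATH_INFO=%s\n", req + off);
}
```

A caller that receives SPLIT_DEFERRED must treat the filename and PATH_INFO as unresolved until a later call returns SPLIT_OK.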

