httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ryan Bloom <...@covalent.net>
Subject Re: [PATCH] apache core dumps if you call ap_note_basic_auth_failure when auth type is null
Date Wed, 21 Nov 2001 04:33:43 GMT
On Tuesday 20 November 2001 09:31 pm, sterling wrote:
> On Tue, 20 Nov 2001, Doug MacEachern wrote:
> > On Tue, 20 Nov 2001, sterling wrote:
> > > Hi -
> > >
> > > Set up an auth directory without AuthType but with require valid-user
> > > and AuthName and load an auth module that uses
> > > ap_note_basic_auth_failure... el kabong!! this patch stops the coro
> > > dumpo.
> >
> > this has bitten others in 1.x too.  ended up adding protection in the
> > modperl wrapper functions.  i applied a slightly different version to
> > prevent the same problem in ap_note_auth_failure().  and also changed
> > if (type && strcasecmp(ap_auth_type(r), "Basic"))
> >  to
> > if (!type || ...)
> > cause i don't think it should set the *-Authenticate header if there is
> > no AuthType configured, right?  or maybe ap_auth_type() should default to
> > Basic?
>
> Yeah -
>
> I pondered that for a bit... We should probably log an error (like bloom
> suggested) so the user is aware of the misconfiguration, and then send
> none of the headers (like your patch does).
>
> I don't think we should default to Basic.

I was actually thinking of not starting.  The configuration is invalid, so we 
should exit with an error IMO.

Ryan
______________________________________________________________
Ryan Bloom				rbb@apache.org
Covalent Technologies			rbb@covalent.net
--------------------------------------------------------------

Mime
View raw message