httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: mod_auth.c bug?
Date Wed, 08 Oct 2003 06:01:05 GMT

> Without checking that user is not NULL. Under normal use this probably
> never happens, but if another module handles the check_user_id, returns OK
> but neglects to set r->user, AND there exists a "require user ..."

Which is not uncommon in some commercial models which will fill out the
data later in the chain.. (or because they do not have the concept of a
single uid style 'user' yet use the auth handler).

> directive, the above will segfault. This is a situation possible to run
..
>     if (!user) {
>         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
>                       "access to %s failed, reason: r->user is not set!",
>                       r->uri);
>         return HTTP_INTERNAL_SERVER_ERROR;
>     }

Actualy I'd be happier if the strcmp() would becomce

	if (user && !strcmp(r->user,user)

as that does not break existing modules -and- keeps the semantics of
"require user" to be functional. On the other hand - this is in the 2.x
branch - so you could argue that r->user MUST be filled out by auth
modules (even if they do not really have the concept of a user!) if they
return OK. _IF_ you document that - then by all means - the above
HTTP_INTERNAL_SERVER_ERROR is the right thing to do.

Dw.

Mime
View raw message