From Rici Lake <>
Subject Re: svn commit: r125465 httpd/httpd/trunk/modules/ldap/util_ldap.c
Date Tue, 22 Mar 2005 23:02:27 GMT

On 22-Mar-05, at 5:17 PM, Graham Leggett wrote:

> This is also broken - the LDAPTrustedClientCert is supposed to have 
> scope on a per directory basis.
> To fix this, we would need to add a directory config creator, and a 
> directory config merger, is that correct?

Sure, but then there is still a problem with .htaccess files. The 
client_certs array will have been allocated in the request pool during 
the merge operation for the .htaccess file, but it then may be copied 
into the global connection cache; currently, the code only copies the 
array header (at line 525). So you'd end up with dangling pointers 
after the request finished. If, on the other hand, the strings were 
copied into the server or config pools, then they would slowly consume 
memory. The most plausible solution might be to manually manage 
connection cache memory with malloc instead of using pool-allocated 

Although now that I look at the file again, I see that it never would 
have worked anyway because at line 1546, the function 
util_ldap_set_trusted_client_cert stores the certificate in 
st->global_certs instead of st->client_certs.

I also wonder about the two apr_array_append calls at line 1671 in 
util_ldap_merge_config. The second one would mean that the client certs 
specified in LDAPTrustedClientCerts would be appended to the list of 
client certs inherited from some containing section. This might be 
counter-intuitive if the certs are supposed to be directory scoped. I'm 
not sure what the use case for this directive would be, so it's hard to 
know for sure.
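The request-pool versus connection-cache lifetime problem discussed in this thread, shown as an added illustration that is not code from httpd or from either poster: a constructed toy pool stands in for apr_pool_t, str_array_t mirrors the shape of apr_array_header_t, header_only_copy reproduces the header-only copy into the cache and deep_copy the fix that copies the element storage and each string into the cache's pool. Pool sizes, names and cert paths used with it are made up for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for an APR pool: a bump allocator released as a whole
 * when the request (or server) that owns it is torn down. Not apr_pool_t. */
typedef struct { char *base; size_t used, cap; } pool_t;
/* Same shape as apr_array_header_t: the header points at element storage
 * that lives in the pool the array was created in. */
typedef struct { pool_t *pool; int nelts; const char **elts; } str_array_t;
pool_t *pool_create(size_t cap) {
    pool_t *p = malloc(sizeof *p); p->base = malloc(cap); p->used = 0; p->cap = cap; return p;
}
void *palloc(pool_t *p, size_t n) {
    n = (n + 7) & ~(size_t)7;              /* keep allocations aligned */
    if (p->used + n > p->cap) abort();     /* toy pool: never grows */
    void *m = p->base + p->used; p->used += n; return m;
}
const char *pstrdup(pool_t *p, const char *s) {
    size_t len = strlen(s) + 1;
    return memcpy(palloc(p, len), s, len);
}
void pool_destroy(pool_t *p) { free(p->base); free(p); }
/* True if ptr was allocated from p: the check to apply to anything a
 * longer-lived cache keeps after the request pool is gone. */
int points_into(const pool_t *p, const void *ptr) {
    uintptr_t c = (uintptr_t)ptr, b = (uintptr_t)p->base;
    return c >= b && c < b + p->used;
}
/* .htaccess merge: the cert list and its strings are built in the request pool. */
str_array_t *make_strings(pool_t *p, const char **src, int n) {
    str_array_t *a = palloc(p, sizeof *a);
    a->pool = p; a->nelts = n; a->elts = palloc(p, n * sizeof *a->elts);
    for (int i = 0; i < n; i++) a->elts[i] = pstrdup(p, src[i]);
    return a;
}
/* The defect described in the mail: only the header reaches the cache, so
 * elts and every string still point into the request pool and dangle later. */
str_array_t *header_only_copy(pool_t *cache, const str_array_t *src) {
    str_array_t *a = palloc(cache, sizeof *a);
    *a = *src;
    return a;
}
/* Fix: copy the element storage and each string into the cache's own pool. */
str_array_t *deep_copy(pool_t *cache, const str_array_t *src) {
    str_array_t *a = palloc(cache, sizeof *a);
    a->pool = cache; a->nelts = src->nelts; a->elts = palloc(cache, src->nelts * sizeof *a->elts);
    for (int i = 0; i < src->nelts; i++) a->elts[i] = pstrdup(cache, src->elts[i]);
    return a;
}
```

points_into is the review check: anything reachable from the cache must test true against the cache's pool, never against the request pool.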

