httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r654958 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_auth_form.c
Date Sat, 10 May 2008 06:13:31 GMT


On 05/10/2008 12:15 AM, minfrin@apache.org wrote:
> Author: minfrin
> Date: Fri May  9 15:15:37 2008
> New Revision: 654958
> 
> URL: http://svn.apache.org/viewvc?rev=654958&view=rev
> Log:
> mod_auth_form: Make sure the input filter stack is properly set
> up before reading the login form. Make sure the kept body filter
> is correctly inserted to ensure the body can be read a second
> time safely should the authn be successful. [Graham Leggett,
> Ruediger Pluem]
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/aaa/mod_auth_form.c
> 

> Modified: httpd/httpd/trunk/modules/aaa/mod_auth_form.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_form.c?rev=654958&r1=654957&r2=654958&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/aaa/mod_auth_form.c (original)
> +++ httpd/httpd/trunk/modules/aaa/mod_auth_form.c Fri May  9 15:15:37 2008
> @@ -912,19 +905,73 @@
>       * type and with the given body.
>       *
>       * Otherwise access is denied.
> +     * 
> +     * Reading the body requires some song and dance, because the input filters
> +     * are not yet configured. To work around this problem, we create a
> +     * subrequest and use that to create a sane filter stack we can read the
> +     * form from.
> +     * 
> +     * The main request is then capped with a kept_body input filter, which has
> +     * the effect of guaranteeing the input stack can be safely read a second time.
> +     * 
>       */
> -    if (r->method_number == M_POST) {
> -        rv2 = get_form_auth(r, conf->username, conf->password, conf->location,
> -                            conf->method, conf->mimetype, conf->body,
> -                            &sent_user, &sent_pw, &sent_loc, &sent_method,
> -                            &sent_mimetype, conf);
> -        if (OK == rv2) {
> -            rv = check_auth(r, sent_user, sent_pw);
> +    if (HTTP_UNAUTHORIZED == rv && r->method_number == M_POST &&
ap_is_initial_req(r)) {
> +        request_rec *rr;
> +        apr_bucket_brigade *sent_body = NULL;
> +
> +        /* create a subrequest of our current uri */
> +        rr = ap_sub_req_lookup_uri(r->uri, r, r->input_filters);
> +        rr->headers_in = r->headers_in;
> +
> +        /* run the insert_filters hook on the subrequest to ensure a body read can
> +         * be done properly.
> +         */
> +        ap_run_insert_filter(rr);
> +
> +        /* parse the form by reading the subrequest */
> +        rv = get_form_auth(rr, conf->username, conf->password, conf->location,
> +                           conf->method, conf->mimetype, conf->body,
> +                           &sent_user, &sent_pw, &sent_loc, &sent_method,
> +                           &sent_mimetype, &sent_body, conf);
> +
> +        /* insert the kept_body filter on the main request to guarantee the
> +         * input filter stack cannot be read a second time, optionally inject
> +         * a saved body if one was specified in the login form.
> +         */
> +        if (sent_body && sent_mimetype) {
> +            apr_table_set(r->headers_in, "Content-Type", sent_mimetype);
> +            r->kept_body = sent_body;
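
Review bot: The comment directly above `if (sent_body && sent_mimetype) {` says the kept_body filter guarantees the input filter stack "cannot be read a second time", which contradicts the block comment added at the top of this hunk ("can be safely read a second time") and the commit log; it should read "can be safely read a second time". Separately, `rr->headers_in = r->headers_in;` makes the subrequest and the main request share one table instead of giving the subrequest a copy, so the later `apr_table_set(r->headers_in, "Content-Type", sent_mimetype);` is also visible through rr. If the sharing is intended, say so in the comment above the assignment; otherwise give the subrequest its own copy (for example with apr_table_copy).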

Any reason why we do not need to adjust the Content-Length header any longer?

Regards

Rüdiger

