httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Mansfield <>
Subject Re: help with fixing a mod_auth_form bug regarding kept_body
Date Thu, 16 May 2013 14:45:23 GMT

On 05/16/2013 09:32 AM, Graham Leggett wrote:
> On 16 May 2013, at 3:26 PM, Eric Covener <> wrote:
>>> Wow for a "dev" list there is nobody who can even comment in any way
>>> whatsoever.  Where do the devs for httpd live for real?  IRC? Anyone?
>>> Bueller?
>> This is the right place, despite the fact that nobody has shown
>> interest in your issue in this thread.
> As applies to everyone who posts to a public mailing list asking for help, we need a
proper description of the problem, including an example config that would allow someone else
to reproduce the problem you are seeing.
> The bugreport contains a single paragraph with a vague description of the problem, and
this tells us nothing. Was the server set up correctly? No way to tell.

Thanks for your help.

First of all, the bug report was not put in by me, just found by me.  I 
have done extensive debugging in the source code to determine some basic 
facts, primarily that, when using an ErrorDocument it is impossible to 
"keep" the POST body using the kept_body_filter.  The r->kept_body is 
simply not assigned to the sub request in "internal_internal_redirect" 
(and even after "fixing" this and recompiling, it doesn't work because 
the filter "ctx" variable is not preserved).

I was asking the question "has anyone ever seen this working", because 
it seems that there is no possible way it could ever work AFACT.

However, if it means someone may help, here is a simple test case:

To start with, the goal is a user should be able to POST data from 
within (say) an expired session or unprotected part of the website when 
not-yet-logged-in, get the login page, enter credentials, and the 
originally POSTed data should be POSTed to the original target.

In order to accomplish this, a basic fact is that the originally POSTed 
data must be accessible in some way while handling the login page and 
not be discarded. If it's discarded it cannot be preserved, right?

In this example I will show that by the time the ErrorDocument for 401 
is invoked (which is the way "inline authentication with body 
preservation" works), that the POST body has been discarded and the 
request has been converted from POST to GET (these are probably related).

So in this example there is a page /start.html which is NOT within the 
"private" area of the site.  It has a simple form which gets POSTed to 
/private/target.html (which doesn't need to exist because we fail before 
it's relevant).

The authentication hook intercepts the POST, and the mod_auth_form 
throws a 401, which is handled with the ErrorDocument 401 
/cgi-bin/login.cgi (or /login.shtml)

When login.cgi runs there is no POST data on STDIN and REQUEST_METHOD is 
always GET.

BTW, I have also tried using ErrorDocument 401 /login.shtml (via 
mod_include) but the result is the same.

Files attached:

formauth.conf => place in /etc/httpd/conf.d or equiv
start.html => place in /var/www/form_auth_test as per conf
login.shtml => ditto (to activate this change the ErrorDocument in conf)
login.cgi => place in /var/www/form_auth_test_cgi as per conf

This is tested on Fedora 18 with fedora build of httpd 2.4.4-2 as well 
as on centos 6 with httpd 2.4.4 compiled from .tar.gz using the 
instructions here:

David Mansfield

View raw message