httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch>
Subject Re: svn commit: r1492395 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_auth_digest.c
Date Fri, 14 Jun 2013 21:16:44 GMT
On Thursday 13 June 2013, Roy T. Fielding wrote:
> On Jun 12, 2013, at 12:34 PM, wrote:
> > Author: sf
> > Date: Wed Jun 12 19:34:19 2013
> > New Revision: 1492395
> > 
> > URL:
> > Log:
> > Actually use the secret when generating nonces.
> > 
> > This change may cause problems if used with round robin load
> > balancers. Before it is backported, we should add a directive to
> > use a user specified secret.
> > 
> > PR: 54637
> FWIW, I don't think this code can be released as is.

I agree. That's what I wanted to express in the commit message, sorry 
if that did not come out correctly.

> Using a global pointer to an allocated pool variable is
> not even remotely safe when that pool gets deallocated.
> And a routine that gets called within .htaccess files is not an
> appropriate place to set a server-wide value.

It's the process pool, and that won't get cleaned up before server 
shutdown. And the secret will be initialized in post_config hook at 
the latest, so there is no chance that it will be called from 
.htaccess. But moving the whole thing to pre_config would be clearer 
and better. I will do that when I have some cycles.

> because that is where the real fix should be.  The current secret
> should be replaced here by a configurable string that is set in
> the virtual host config.

Ack. Though in absence of a configured value, the random secret is 


View raw message