httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jesper Krogh" <jesper.kr...@gmail.com>
Subject Re: [users@httpd] Case insensitive username in htaccess.
Date Wed, 01 Mar 2006 08:11:36 GMT
On 3/1/06, Jesper Krogh <jesper.krogh@gmail.com> wrote:
> On 3/1/06, Nick Kew <nick@webthing.com> wrote:
> > On Tuesday 28 February 2006 21:40, Jesper Krogh wrote:
> > > Is it possible to make apache match the username "case-insensitive"
> > > against lists in AuthUserFile /AuthGroupFile?
> >
> > That would potentially be a security hole.
>
> Yes if it could be done without people knowing it. If it were
> configurable, it would be a feature :-)
>
> If I didn't explain the problem well enough, then an example would work:
> I just would like apache to assume that Jesper, JESPER, jesper, and so
> on, was the same user
> when matching up agaings the lists.
>
> > > We're using mod_ntlm and it generally works fine, but the different
> > > platforms tend to send usernames in mixed cases.
> >
> > Hmmm.  Don't you get that behaviour if you use a case-insensitive filesystem?
>
> No. That would give me flexibillity in the names of the files
> containing the user-list, not the
> usernames.
>
> I have got the mod_ntlm C-code, so if anyone could give me directions
> on how to modify
> the REMOTE_USER stuff from a C-apache module, then I could probably do
> it that way.

Sometimes "fresh eyes" in the morning helps a lot. This patch against
mod_ntlm2 makes
the usernames in lowercase:

diff -Nur mod_ntlm2-0.1/mod_ntlm.c mod_ntlm2-0.1-mod/mod_ntlm.c
--- mod_ntlm2-0.1/mod_ntlm.c    2003-02-23 16:58:02.000000000 +0100
+++ mod_ntlm2-0.1-mod/mod_ntlm.c        2006-03-01 09:06:13.000000000 +0100
@@ -522,6 +522,12 @@
             /* silently accept login with same credentials */
             r->user = apr_pstrdup(r->connection->pool,
                                   ntlm_connection->user);
+
+           char *user= r->user;
+           while(*user){
+               *user = tolower(*user);
+               user++;
+           }
             r->ap_auth_type = apr_pstrdup(r->connection->pool,
                                           NTLM_AUTH_NAME);
             return OK;
@@ -557,6 +563,11 @@
      * NULL; */
     r->user = apr_pstrdup(r->connection->pool,
                           ntlm_connection->user);
+    char *user= r->user;
+    while(*user){
+       *user = tolower(*user);
+       user++;
+    }
     r->ap_auth_type = apr_pstrdup(r->connection->pool,
                                   NTLM_AUTH_NAME);

@@ -664,6 +675,11 @@
      * connection.  The other allocations are temporary and can be
      * tossed away any time. */
     r->user = apr_pstrcat(r->connection->pool, sent_user, NULL);
+    char *user= r->user;
+    while(*user){
+       *user = tolower(*user);
+       user++;
+    }
     r->ap_auth_type = "Basic";

Jesper

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message