www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Wolter <j...@wwnet.net>
Subject general/4023: Location Redirects can confuse authentication
Date Mon, 08 Mar 1999 23:07:15 GMT

>Number:         4023
>Category:       general
>Synopsis:       Location Redirects can confuse authentication
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Mar  8 15:10:01 PST 1999
>Originator:     janc@wwnet.net
>Release:        1.3.4
Linux kokopelli 2.0.35 #2 Fri Nov 13 16:14:02 EST 1998 i586 unknown.
gcc version 2.8.0.
Same problem occurs with Netscape and Lynx clients.
Same problem occured with Apache 1.2.x
I have a setup where I have two subdirectories of my cgi-bin directory each
with .htaccess files.  The two .htaccess files have the same AuthUserFile, and
AuthType, but different AuthNames.  (The idea is to let a person log in as
two different users simultaneously.)

I found that under some circumstances, a user who has authenticated for one
subdirectory does not get asked to reauthenticate when he accesses programs
in the other subdirectory.  My guess is that this has to do with a Location
redirect from the parent directory during the first authentication maybe
causing Apache to associate the AuthName with the parent directory instead
of the subdirectory.
I spent some time generating simple programs that reproduce the same bug I
first hit in my complex program.  I'm not on a publically accessible server,
but it's easy enough to set up.  Here's how it goes:

- Create two subdirectories under cgi-bin.  Mine are called "pw" and "adm".
- Stick a copy of the "printenv" cgi program distributed with Apache in each
- Create a .htaccess file in each directory.  Mine look like:

   AuthUserFile <path-name>
   AuthGroupFile /dev/null
   AuthName PWDIR
   AuthType Basic

   <Limit GET POST PUT>
   require valid-user

 - Edit the .htaccess file in the "adm" subdirectory to have a different
   AuthName, say "ADMDIR", but leave it with the same AuthUserFile.
 - Create the AuthUserFile with at least one user in it.

At this point, you should be able to hit "cgi-bin/pw/printenv", authenticate
for that, and then hit "cgi-bin/adm/printenv" and be asked to reauthenticate.
Everything cool so far.

 - Install the following script in the parent cgi-bin directory, calling it

    echo "Content-type: text/html"
    echo "Location: /cgi-bin/pw/printenv"
    echo ""

Now we are all set up.  Here's the sequence of events that causes problems:
 - Exit your browser and start a fresh one.
 - Hit the "/cgi-bin/redirect" page.  You will be asked for a login and
   password.  Give them.  This runs cgi-bin/pw/printenv and works fine.
 - Now hit "/cgi-bin/adm/printenv".  This should ask for authentication, but
   it doesn't.  It happily runs the script without reauthenticating.

If the location redirect in the "redirect" script is done as
   Location: pw/printenv
instead of
   Location: /cgi-bin/pw/printenv
this seems to work OK.

Luckily it seems only the AuthName that it gets confused about.  If the
second .htaccess file has a different AuthUserFile, it still looks in the
right AuthUserFile on the second hit.

If you have any trouble reproducing this, let me know.  I can probably put it
somewhere public.
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]

View raw message