source: branches/fc20-dev/server/common/patches/httpd-allow-null-user.patch @ 2582

Last change on this file since 2582 was 2582, checked in by glasgall, 8 years ago
Add httpd-allow-null-user.patch, which fixes mod_auth_optional on Apache 2.4.
File size: 3.1 KB
RevLine 
[2582]1From a60a2c6a87331510847de401323bcdf3b9895838 Mon Sep 17 00:00:00 2001
2From: Adam Glasgall <glasgall@mit.edu>
3Date: Tue, 26 Aug 2014 17:47:45 -0400
4Subject: [PATCH] Remove r->user != NULL check from ap_process_request_internal
5
6After the check_user_id hook runs, Apache checks to make sure it's
7identified a user and aborts if this is not the case, to protect the
8auth_checker hook from accidental null pointer
9dereferences. Unfortunately, Scripts's mod_auth_optional relies on
10being able to have r->user still be NULL after check_user_id has run.
11
12This patch removes the null check. I believe this is safe because
13mod_auth_optional installs its auth_checker hook forcibly at the head
14of the hook chain, and said hook ends authz processing immediately if
15the directory in question has AuthOptional and no default user.
16
17Signed-off-by: Adam Glasgall <glasgall@mit.edu>
18---
19 server/request.c | 20 --------------------
20 1 file changed, 20 deletions(-)
21
22diff --git a/server/request.c b/server/request.c
23index af0a697..9d7e29d 100644
24--- a/server/request.c
25+++ b/server/request.c
26@@ -244,16 +244,6 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
27                 if ((access_status = ap_run_check_user_id(r)) != OK) {
28                     return decl_die(access_status, "check user", r);
29                 }
30-                if (r->user == NULL) {
31-                    /* don't let buggy authn module crash us in authz */
32-                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00027)
33-                                  "No authentication done but request not "
34-                                  "allowed without authentication for %s. "
35-                                  "Authentication not configured?",
36-                                  r->uri);
37-                    access_status = HTTP_INTERNAL_SERVER_ERROR;
38-                    return decl_die(access_status, "check user", r);
39-                }
40                 if ((access_status = ap_run_auth_checker(r)) != OK) {
41                     return decl_die(access_status, "check authorization", r);
42                 }
43@@ -281,16 +271,6 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
44                 if ((access_status = ap_run_check_user_id(r)) != OK) {
45                     return decl_die(access_status, "check user", r);
46                 }
47-                if (r->user == NULL) {
48-                    /* don't let buggy authn module crash us in authz */
49-                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00028)
50-                                  "No authentication done but request not "
51-                                  "allowed without authentication for %s. "
52-                                  "Authentication not configured?",
53-                                  r->uri);
54-                    access_status = HTTP_INTERNAL_SERVER_ERROR;
55-                    return decl_die(access_status, "check user", r);
56-                }
57                 if ((access_status = ap_run_auth_checker(r)) != OK) {
58                     return decl_die(access_status, "check authorization", r);
59                 }
60--
611.9.1
62
Note: See TracBrowser for help on using the repository browser.