source:
trunk/server/common/patches/httpd-allow-null-user.patch
@
2625
Last change on this file since 2625 was 2591, checked in by achernya, 10 years ago | |
---|---|
File size: 3.1 KB |
-
server/request.c
From a60a2c6a87331510847de401323bcdf3b9895838 Mon Sep 17 00:00:00 2001 From: Adam Glasgall <glasgall@mit.edu> Date: Tue, 26 Aug 2014 17:47:45 -0400 Subject: [PATCH] Remove r->user != NULL check from ap_process_request_internal After the check_user_id hook runs, Apache checks to make sure it's identified a user and aborts if this is not the case, to protect the auth_checker hook from accidental null pointer dereferences. Unfortunately, Scripts's mod_auth_optional relies on being able to have r->user still be NULL after check_user_id has run. This patch removes the null check. I believe this is safe because mod_auth_optional installs its auth_checker hook forcibly at the head of the hook chain, and said hook ends authz processing immediately if the directory in question has AuthOptional and no default user. Signed-off-by: Adam Glasgall <glasgall@mit.edu> --- server/request.c | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/server/request.c b/server/request.c index af0a697..9d7e29d 100644
a b AP_DECLARE(int) ap_process_request_internal(request_rec *r) 244 244 if ((access_status = ap_run_check_user_id(r)) != OK) { 245 245 return decl_die(access_status, "check user", r); 246 246 } 247 if (r->user == NULL) {248 /* don't let buggy authn module crash us in authz */249 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00027)250 "No authentication done but request not "251 "allowed without authentication for %s. "252 "Authentication not configured?",253 r->uri);254 access_status = HTTP_INTERNAL_SERVER_ERROR;255 return decl_die(access_status, "check user", r);256 }257 247 if ((access_status = ap_run_auth_checker(r)) != OK) { 258 248 return decl_die(access_status, "check authorization", r); 259 249 } … … AP_DECLARE(int) ap_process_request_internal(request_rec *r) 281 271 if ((access_status = ap_run_check_user_id(r)) != OK) { 282 272 return decl_die(access_status, "check user", r); 283 273 } 284 if (r->user == NULL) {285 /* don't let buggy authn module crash us in authz */286 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00028)287 "No authentication done but request not "288 "allowed without authentication for %s. "289 "Authentication not configured?",290 r->uri);291 access_status = HTTP_INTERNAL_SERVER_ERROR;292 return decl_die(access_status, "check user", r);293 }294 274 if ((access_status = ap_run_auth_checker(r)) != OK) { 295 275 return decl_die(access_status, "check authorization", r); 296 276 }
Note: See TracBrowser
for help on using the repository browser.