source: trunk/server/common/patches/httpd-allow-null-user.patch @ 2717

Last change on this file since 2717 was 2591, checked in by achernya, 10 years ago
Reintegrate fc20-dev into trunk
File size: 3.1 KB
  • server/request.c

    From a60a2c6a87331510847de401323bcdf3b9895838 Mon Sep 17 00:00:00 2001
    From: Adam Glasgall <glasgall@mit.edu>
    Date: Tue, 26 Aug 2014 17:47:45 -0400
    Subject: [PATCH] Remove r->user != NULL check from ap_process_request_internal
    
    After the check_user_id hook runs, Apache checks to make sure it's
    identified a user and aborts if this is not the case, to protect the
    auth_checker hook from accidental null pointer
    dereferences. Unfortunately, Scripts's mod_auth_optional relies on
    being able to have r->user still be NULL after check_user_id has run.
    
    This patch removes the null check. I believe this is safe because
    mod_auth_optional installs its auth_checker hook forcibly at the head
    of the hook chain, and said hook ends authz processing immediately if
    the directory in question has AuthOptional and no default user.
    
    Signed-off-by: Adam Glasgall <glasgall@mit.edu>
    ---
     server/request.c | 20 --------------------
     1 file changed, 20 deletions(-)
    
    diff --git a/server/request.c b/server/request.c
    index af0a697..9d7e29d 100644
    a b AP_DECLARE(int) ap_process_request_internal(request_rec *r) 
    244244                if ((access_status = ap_run_check_user_id(r)) != OK) {
    245245                    return decl_die(access_status, "check user", r);
    246246                }
    247                 if (r->user == NULL) {
    248                     /* don't let buggy authn module crash us in authz */
    249                     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00027)
    250                                   "No authentication done but request not "
    251                                   "allowed without authentication for %s. "
    252                                   "Authentication not configured?",
    253                                   r->uri);
    254                     access_status = HTTP_INTERNAL_SERVER_ERROR;
    255                     return decl_die(access_status, "check user", r);
    256                 }
    257247                if ((access_status = ap_run_auth_checker(r)) != OK) {
    258248                    return decl_die(access_status, "check authorization", r);
    259249                }
    AP_DECLARE(int) ap_process_request_internal(request_rec *r) 
    281271                if ((access_status = ap_run_check_user_id(r)) != OK) {
    282272                    return decl_die(access_status, "check user", r);
    283273                }
    284                 if (r->user == NULL) {
    285                     /* don't let buggy authn module crash us in authz */
    286                     ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00028)
    287                                   "No authentication done but request not "
    288                                   "allowed without authentication for %s. "
    289                                   "Authentication not configured?",
    290                                   r->uri);
    291                     access_status = HTTP_INTERNAL_SERVER_ERROR;
    292                     return decl_die(access_status, "check user", r);
    293                 }
    294274                if ((access_status = ap_run_auth_checker(r)) != OK) {
    295275                    return decl_die(access_status, "check authorization", r);
    296276                }
Note: See TracBrowser for help on using the repository browser.