Lines 72-77
|
72 |
int body_set; |
72 |
int body_set; |
73 |
int disable_no_store; |
73 |
int disable_no_store; |
74 |
int disable_no_store_set; |
74 |
int disable_no_store_set; |
|
|
75 |
int disable_pw_store; |
76 |
int disable_pw_store_set; |
75 |
ap_expr_info_t *loginsuccess; |
77 |
ap_expr_info_t *loginsuccess; |
76 |
int loginsuccess_set; |
78 |
int loginsuccess_set; |
77 |
ap_expr_info_t *loginrequired; |
79 |
ap_expr_info_t *loginrequired; |
Lines 131-136
|
131 |
new->body_set = add->body_set || base->body_set; |
133 |
new->body_set = add->body_set || base->body_set; |
132 |
new->disable_no_store = (add->disable_no_store_set == 0) ? base->disable_no_store : add->disable_no_store; |
134 |
new->disable_no_store = (add->disable_no_store_set == 0) ? base->disable_no_store : add->disable_no_store; |
133 |
new->disable_no_store_set = add->disable_no_store_set || base->disable_no_store_set; |
135 |
new->disable_no_store_set = add->disable_no_store_set || base->disable_no_store_set; |
|
|
136 |
new->disable_pw_store = (add->disable_pw_store_set == 0) ? base->disable_pw_store : add->disable_pw_store; |
137 |
new->disable_pw_store_set = add->disable_pw_store_set || base->disable_pw_store_set; |
134 |
new->loginsuccess = (add->loginsuccess_set == 0) ? base->loginsuccess : add->loginsuccess; |
138 |
new->loginsuccess = (add->loginsuccess_set == 0) ? base->loginsuccess : add->loginsuccess; |
135 |
new->loginsuccess_set = add->loginsuccess_set || base->loginsuccess_set; |
139 |
new->loginsuccess_set = add->loginsuccess_set || base->loginsuccess_set; |
136 |
new->loginrequired = (add->loginrequired_set == 0) ? base->loginrequired : add->loginrequired; |
140 |
new->loginrequired = (add->loginrequired_set == 0) ? base->loginrequired : add->loginrequired; |
Lines 349-354
|
349 |
return NULL; |
353 |
return NULL; |
350 |
} |
354 |
} |
351 |
|
355 |
|
|
|
356 |
static const char *set_disable_pw_store(cmd_parms * cmd, void *config, int flag) |
357 |
{ |
358 |
auth_form_config_rec *conf = (auth_form_config_rec *) config; |
359 |
conf->disable_pw_store = flag; |
360 |
conf->disable_pw_store_set = 1; |
361 |
return NULL; |
362 |
} |
363 |
|
352 |
static const command_rec auth_form_cmds[] = |
364 |
static const command_rec auth_form_cmds[] = |
353 |
{ |
365 |
{ |
354 |
AP_INIT_ITERATE("AuthFormProvider", add_authn_provider, NULL, OR_AUTHCFG, |
366 |
AP_INIT_ITERATE("AuthFormProvider", add_authn_provider, NULL, OR_AUTHCFG, |
Lines 401-406
|
401 |
"the login screen. This allows the browser to cache the credentials, but " |
413 |
"the login screen. This allows the browser to cache the credentials, but " |
402 |
"at the risk of it being possible for the login form to be resubmitted " |
414 |
"at the risk of it being possible for the login form to be resubmitted " |
403 |
"and revealed to the backend server through XSS. Use at own risk."), |
415 |
"and revealed to the backend server through XSS. Use at own risk."), |
|
|
416 |
AP_INIT_FLAG("AuthFormDisablePwStore", set_disable_pw_store, |
417 |
NULL, OR_AUTHCFG, |
418 |
"Set to 'on' to not store the password in the session when " |
419 |
"AuthFormSitePassphrase ist set."), |
404 |
{NULL} |
420 |
{NULL} |
405 |
}; |
421 |
}; |
406 |
|
422 |
|
Lines 520-528
|
520 |
static apr_status_t set_session_auth(request_rec * r, |
536 |
static apr_status_t set_session_auth(request_rec * r, |
521 |
const char *user, const char *pw, const char *site) |
537 |
const char *user, const char *pw, const char *site) |
522 |
{ |
538 |
{ |
|
|
539 |
auth_form_config_rec *conf; |
523 |
const char *hash = NULL; |
540 |
const char *hash = NULL; |
524 |
const char *authname = ap_auth_name(r); |
541 |
const char *authname = ap_auth_name(r); |
525 |
session_rec *z = NULL; |
542 |
session_rec *z = NULL; |
|
|
543 |
conf = ap_get_module_config(r->per_dir_config, &auth_form_module); |
526 |
|
544 |
|
527 |
if (site) { |
545 |
if (site) { |
528 |
hash = ap_md5(r->pool, |
546 |
hash = ap_md5(r->pool, |
Lines 531-539
|
531 |
|
549 |
|
532 |
ap_session_load_fn(r, &z); |
550 |
ap_session_load_fn(r, &z); |
533 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_USER, NULL), user); |
551 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_USER, NULL), user); |
534 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_PW, NULL), pw); |
|
|
535 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_AUTH_FORM_HASH, NULL), hash); |
552 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_AUTH_FORM_HASH, NULL), hash); |
536 |
|
553 |
|
|
|
554 |
if (!site || !conf->disable_pw_store) { |
555 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_PW, NULL), pw); |
556 |
} |
557 |
|
537 |
return APR_SUCCESS; |
558 |
return APR_SUCCESS; |
538 |
|
559 |
|
539 |
} |
560 |
} |
Lines 930-936
|
930 |
} |
951 |
} |
931 |
|
952 |
|
932 |
/* first test whether the site passphrase matches */ |
953 |
/* first test whether the site passphrase matches */ |
933 |
if (APR_SUCCESS == res && sent_user && sent_hash && sent_pw) { |
954 |
if (APR_SUCCESS == res && sent_user && sent_hash) { |
934 |
rv = check_site(r, conf->site, sent_user, sent_hash); |
955 |
rv = check_site(r, conf->site, sent_user, sent_hash); |
935 |
if (OK == rv) { |
956 |
if (OK == rv) { |
936 |
fake_basic_authentication(r, conf, sent_user, sent_pw); |
957 |
fake_basic_authentication(r, conf, sent_user, sent_pw); |
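Review bot: At new line 954 the `&& sent_pw` test is dropped so a session carrying only the user and site hash is accepted, yet new line 957 still passes `sent_pw` straight to `fake_basic_authentication(r, conf, sent_user, sent_pw)`; with AuthFormDisablePwStore on, set_session_auth (new lines 554-556) deliberately no longer stores the password, so `sent_pw` will be NULL on exactly this path. Whether fake_basic_authentication tolerates a NULL password is not visible in the hunk, so either guard the call, `if (sent_pw) { fake_basic_authentication(r, conf, sent_user, sent_pw); }`, or add a comment at the call stating that the fake Basic header is emitted without a password in that case. The enclosing function starts and ends outside the hunk. Separately, the directive help string at new line 419 has a typo, `"AuthFormSitePassphrase ist set."` should read `"AuthFormSitePassphrase is set."`, and it would help operators if it also said that with the store disabled the password is not available for forwarding on later requests.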