|
Lines 72-77
Link Here
|
| 72 |
int body_set; |
72 |
int body_set; |
| 73 |
int disable_no_store; |
73 |
int disable_no_store; |
| 74 |
int disable_no_store_set; |
74 |
int disable_no_store_set; |
|
|
75 |
int disable_pw_store; |
| 76 |
int disable_pw_store_set; |
| 75 |
ap_expr_info_t *loginsuccess; |
77 |
ap_expr_info_t *loginsuccess; |
| 76 |
int loginsuccess_set; |
78 |
int loginsuccess_set; |
| 77 |
ap_expr_info_t *loginrequired; |
79 |
ap_expr_info_t *loginrequired; |
|
Lines 131-136
Link Here
|
| 131 |
new->body_set = add->body_set || base->body_set; |
133 |
new->body_set = add->body_set || base->body_set; |
| 132 |
new->disable_no_store = (add->disable_no_store_set == 0) ? base->disable_no_store : add->disable_no_store; |
134 |
new->disable_no_store = (add->disable_no_store_set == 0) ? base->disable_no_store : add->disable_no_store; |
| 133 |
new->disable_no_store_set = add->disable_no_store_set || base->disable_no_store_set; |
135 |
new->disable_no_store_set = add->disable_no_store_set || base->disable_no_store_set; |
|
|
136 |
new->disable_pw_store = (add->disable_pw_store_set == 0) ? base->disable_pw_store : add->disable_pw_store; |
| 137 |
new->disable_pw_store_set = add->disable_pw_store_set || base->disable_pw_store_set; |
| 134 |
new->loginsuccess = (add->loginsuccess_set == 0) ? base->loginsuccess : add->loginsuccess; |
138 |
new->loginsuccess = (add->loginsuccess_set == 0) ? base->loginsuccess : add->loginsuccess; |
| 135 |
new->loginsuccess_set = add->loginsuccess_set || base->loginsuccess_set; |
139 |
new->loginsuccess_set = add->loginsuccess_set || base->loginsuccess_set; |
| 136 |
new->loginrequired = (add->loginrequired_set == 0) ? base->loginrequired : add->loginrequired; |
140 |
new->loginrequired = (add->loginrequired_set == 0) ? base->loginrequired : add->loginrequired; |
|
Lines 349-354
Link Here
|
| 349 |
return NULL; |
353 |
return NULL; |
| 350 |
} |
354 |
} |
| 351 |
|
355 |
|
|
|
356 |
static const char *set_disable_pw_store(cmd_parms * cmd, void *config, int flag) |
| 357 |
{ |
| 358 |
auth_form_config_rec *conf = (auth_form_config_rec *) config; |
| 359 |
conf->disable_pw_store = flag; |
| 360 |
conf->disable_pw_store_set = 1; |
| 361 |
return NULL; |
| 362 |
} |
| 363 |
|
| 352 |
static const command_rec auth_form_cmds[] = |
364 |
static const command_rec auth_form_cmds[] = |
| 353 |
{ |
365 |
{ |
| 354 |
AP_INIT_ITERATE("AuthFormProvider", add_authn_provider, NULL, OR_AUTHCFG, |
366 |
AP_INIT_ITERATE("AuthFormProvider", add_authn_provider, NULL, OR_AUTHCFG, |
|
Lines 401-406
Link Here
|
| 401 |
"the login screen. This allows the browser to cache the credentials, but " |
413 |
"the login screen. This allows the browser to cache the credentials, but " |
| 402 |
"at the risk of it being possible for the login form to be resubmitted " |
414 |
"at the risk of it being possible for the login form to be resubmitted " |
| 403 |
"and revealed to the backend server through XSS. Use at own risk."), |
415 |
"and revealed to the backend server through XSS. Use at own risk."), |
|
|
416 |
AP_INIT_FLAG("AuthFormDisablePwStore", set_disable_pw_store, |
| 417 |
NULL, OR_AUTHCFG, |
| 418 |
"Set to 'on' to not store the password in the session when " |
| 419 |
"AuthFormSitePassphrase ist set."), |
| 404 |
{NULL} |
420 |
{NULL} |
| 405 |
}; |
421 |
}; |
| 406 |
|
422 |
|
|
Lines 520-528
Link Here
|
| 520 |
static apr_status_t set_session_auth(request_rec * r, |
536 |
static apr_status_t set_session_auth(request_rec * r, |
| 521 |
const char *user, const char *pw, const char *site) |
537 |
const char *user, const char *pw, const char *site) |
| 522 |
{ |
538 |
{ |
|
|
539 |
auth_form_config_rec *conf; |
| 523 |
const char *hash = NULL; |
540 |
const char *hash = NULL; |
| 524 |
const char *authname = ap_auth_name(r); |
541 |
const char *authname = ap_auth_name(r); |
| 525 |
session_rec *z = NULL; |
542 |
session_rec *z = NULL; |
|
|
543 |
conf = ap_get_module_config(r->per_dir_config, &auth_form_module); |
| 526 |
|
544 |
|
| 527 |
if (site) { |
545 |
if (site) { |
| 528 |
hash = ap_md5(r->pool, |
546 |
hash = ap_md5(r->pool, |
|
Lines 531-539
Link Here
|
| 531 |
|
549 |
|
| 532 |
ap_session_load_fn(r, &z); |
550 |
ap_session_load_fn(r, &z); |
| 533 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_USER, NULL), user); |
551 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_USER, NULL), user); |
| 534 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_PW, NULL), pw); |
|
|
| 535 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_AUTH_FORM_HASH, NULL), hash); |
552 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_AUTH_FORM_HASH, NULL), hash); |
| 536 |
|
553 |
|
|
|
554 |
if (!site || !conf->disable_pw_store) { |
| 555 |
ap_session_set_fn(r, z, apr_pstrcat(r->pool, authname, "-" MOD_SESSION_PW, NULL), pw); |
| 556 |
} |
| 557 |
|
| 537 |
return APR_SUCCESS; |
558 |
return APR_SUCCESS; |
| 538 |
|
559 |
|
| 539 |
} |
560 |
} |
|
Lines 930-936
Link Here
|
| 930 |
} |
951 |
} |
| 931 |
|
952 |
|
| 932 |
/* first test whether the site passphrase matches */ |
953 |
/* first test whether the site passphrase matches */ |
| 933 |
if (APR_SUCCESS == res && sent_user && sent_hash && sent_pw) { |
954 |
if (APR_SUCCESS == res && sent_user && sent_hash) { |
| 934 |
rv = check_site(r, conf->site, sent_user, sent_hash); |
955 |
rv = check_site(r, conf->site, sent_user, sent_hash); |
| 935 |
if (OK == rv) { |
956 |
if (OK == rv) { |
| 936 |
fake_basic_authentication(r, conf, sent_user, sent_pw); |
957 |
fake_basic_authentication(r, conf, sent_user, sent_pw); |