| Summary: | realm is not set for each configured directory when digest authentication is used | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Grzegorz Sala <grzegorz.sala> |
| Component: | mod_auth_digest | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | RESOLVED LATER | | |
| Severity: | normal | CC: | stanger |
| Priority: | P2 | Keywords: | MassUpdate |
| Version: | 2.2.3 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| Attachments: | Patch to fix segfaults and incorrect realm values in mod_auth_digest | | |

Description
Grzegorz Sala
2007-06-18 07:33:39 UTC
Ran into the same stack trace in a deployment I am currently working on. This setup involves mod_auth_digest, mod_authn_dbd and mod_vhost_alias. The abbreviated relevant portions of my config are:

    VirtualDocumentRoot /vhosts/%0

    <Directory /vhosts>
        AllowOverride AuthConfig
    </Directory>

    <LocationMatch "^(/private/).*">
        AuthType Digest
        AuthDigestProvider dbd

        # core authorization configuration
        Require valid-user

        AuthDBDUserRealmQuery \
            "SELECT password FROM apache_users WHERE username = %s AND realm = %s"
    </LocationMatch>

In the Document Root for each virtual host is an .htaccess file that defines the AuthName for that virtual host:

    AuthName "some_realm"

I have a patch that fixes two issues this segfault exposes.

1) (Obviously) Apache shouldn't segfault when either the expected or provided auth realm is null. The if() statement that calls strcmp on those two values should also ensure neither is null. Additionally, this check should probably be done on all calls to strcmp in the module.

2) For some reason mod_auth_digest and mod_authn_core are reporting different realms for the same request. This is due to different merge rules on dir_config struct members ap_auth_name/realm in the mod_authn_core and mod_auth_digest modules.

The patch I've included performs NULL checks before calling strcmp and it adds a dir_config merge function that matches the merge rules in mod_authn_core.

Created attachment 28531
Patch to fix segfaults and incorrect realm values in mod_auth_digest
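
The two fixes described in the comment above, sketched as an added example; this is not the attached patch and not httpd's own code. The names `dir_conf`, `merge_dir_conf` and `realm_matches` are hypothetical, and the merge rule (a realm set in the more specific section wins, otherwise the enclosing one is inherited) is an assumption about what "matching mod_authn_core" means.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a module's per-directory config; not httpd's struct. */
typedef struct {
    const char *realm;   /* NULL means "AuthName not set at this level" */
} dir_conf;

/* Assumed merge rule: a realm set in the more specific section wins,
 * otherwise the enclosing section's realm is inherited. */
static dir_conf merge_dir_conf(const dir_conf *base, const dir_conf *add)
{
    dir_conf merged;
    merged.realm = (add && add->realm) ? add->realm
                 : (base ? base->realm : NULL);
    return merged;
}

/* NULL-safe comparison that fails closed: a missing realm on either side
 * is a mismatch, never a crash and never an accidental match. */
static int realm_matches(const char *configured, const char *presented)
{
    if (configured == NULL || presented == NULL)
        return 0;
    return strcmp(configured, presented) == 0;
}

int main(void)
{
    /* Constructed sample mirroring the report: the .htaccess sets the
     * realm, the <LocationMatch> section does not. */
    dir_conf htaccess = { "some_realm" };
    dir_conf location = { NULL };
    dir_conf eff = merge_dir_conf(&htaccess, &location);

    printf("effective realm:   %s\n", eff.realm ? eff.realm : "(unset)");
    printf("client some_realm: %d\n", realm_matches(eff.realm, "some_realm"));
    printf("client no realm:   %d\n", realm_matches(eff.realm, NULL));
    /* Without the merge, the unset realm is rejected rather than dereferenced. */
    printf("unmerged config:   %d\n", realm_matches(location.realm, "some_realm"));
    return 0;
}
```
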
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.