Bug 42690

Summary: realm is not set for each configured directory when digest authentication is used
Product: Apache httpd-2
Reporter: Grzegorz Sala <grzegorz.sala>
Component: mod_auth_digest
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED LATER
Severity: normal
CC: stanger
Priority: P2
Keywords: MassUpdate
Version: 2.2.3
Target Milestone: ---
Hardware: Other
OS: Linux
Attachments: Patch to fix segfaults and incorrect realm values in mod_auth_digest

Description Grzegorz Sala 2007-06-18 07:33:39 UTC
When the following configuration is set in the httpd.conf file:

<Directory "/var/www/webapps/*/cgi-bin">
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Digest
    AuthDigestDomain /var/www/webapps/*/cgi-bin/
    AuthName My_Realm
    AuthUserFile /etc/apache/.htdigest
    AuthGroupFile /etc/apache/.htgroups
    Require group users
</Directory>

<Directory "/var/www/webapps/admin/cgi-bin">
    AuthDigestDomain /admin/cgi-bin/
    Require group admins
</Directory>

"Segmentation fault (11)" is logged in the Apache error log because the realm (AuthName)
for the /var/www/webapps/admin/cgi-bin directory is not initialized.
When the AuthDigestDomain directive is not set for this directory, Apache works
correctly. Here is the gdb output:

# gdb httpd -d /source/
GNU gdb 5.2.1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "powerpc-hardhat-linux"...
(gdb) b create_digest_dir_config
Breakpoint 1 at 0x10051998: file mod_auth_digest.c, line 405.
(gdb) b set_uri_list
Breakpoint 2 at 0x100521d0: file mod_auth_digest.c, line 581.
(gdb) b set_realm
Breakpoint 3 at 0x10051a88: file mod_auth_digest.c, line 423.
(gdb) b authenticate_digest_user
Breakpoint 4 at 0x10054be0: file mod_auth_digest.c, line 1594.
(gdb) run -X  -f /etc/apache/httpd.conf
Starting program: /usr/sbin/httpd -X  -f /etc/apache/httpd.conf

Breakpoint 1, create_digest_dir_config (p=0x10114968, dir=0x0) at
mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 1, create_digest_dir_config (p=0x10114968, dir=0x101ab0e8
"/var/www/webapps/*/cgi-bin/") at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 2, set_uri_list (cmd=0x7ffffcf0, config=0x101ab498, uri=0x101ab550
"/var/www/webapps/*/cgi-bin/") at mod_auth_digest.c:581
581         digest_config_rec *c = (digest_config_rec *) config;
(gdb) c
Continuing.

Breakpoint 3, set_realm (cmd=0x7ffffcf0, config=0x101ab498, realm=0x101ab5a8
"My_Realm") at mod_auth_digest.c:423
423         digest_config_rec *conf = (digest_config_rec *) config;
(gdb) c
Continuing.

Breakpoint 1, create_digest_dir_config (p=0x10114968, dir=0x101ab9d0
"/var/www/webapps/admin/cgi-bin/") at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 2, set_uri_list (cmd=0x7ffffcf0, config=0x101abba8, uri=0x101abc60
"/admin/cgi-bin/") at mod_auth_digest.c:581
581         digest_config_rec *c = (digest_config_rec *) config;
(gdb) c
Continuing.
Detaching after fork from child process 3115.
cDetaching after fork from child process 3117.

Breakpoint 1, create_digest_dir_config (p=0x10114968, dir=0x0) at
mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 1, create_digest_dir_config (p=0x10114968, dir=0x1018f510
"/var/www/webapps/*/cgi-bin/") at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 2, set_uri_list (cmd=0x7ffffcf0, config=0x1018f8a8, uri=0x1018f960
"/var/www/webapps/*/cgi-bin/") at mod_auth_digest.c:581
581         digest_config_rec *c = (digest_config_rec *) config;
(gdb) c
Continuing.

Breakpoint 3, set_realm (cmd=0x7ffffcf0, config=0x1018f8a8, realm=0x1018f9b8
"My_Realm") at mod_auth_digest.c:423
423         digest_config_rec *conf = (digest_config_rec *) config;
(gdb) c
Continuing.

Breakpoint 1, create_digest_dir_config (p=0x10114968, dir=0x101af8f0
"/var/www/webapps/admin/cgi-bin/") at mod_auth_digest.c:405
405         if (dir == NULL) {
(gdb) c
Continuing.

Breakpoint 2, set_uri_list (cmd=0x7ffffcf0, config=0x101afac8, uri=0x101afb80
"/admin/cgi-bin/") at mod_auth_digest.c:581
581         digest_config_rec *c = (digest_config_rec *) config;
(gdb) c
Continuing.
Detaching after fork from child process 3119.
Detaching after fork from child process 3121.

Breakpoint 4, authenticate_digest_user (r=0x10214d30) at mod_auth_digest.c:1594
1594        if (!(t = ap_auth_type(r)) || strcasecmp(t, "Digest")) {
(gdb) n
1598        if (!ap_auth_name(r)) {
(gdb) n
1607        mainreq = r;
(gdb) n
1608        while (mainreq->main != NULL) {
(gdb) n
1611        while (mainreq->prev != NULL) {
(gdb) n
1614        resp = (digest_header_rec *)
ap_get_module_config(mainreq->request_config,
(gdb) n
1616        resp->needed_auth = 1;
(gdb) n
1621        conf = (digest_config_rec *) ap_get_module_config(r->per_dir_config,
(gdb) n
1627        if (resp->auth_hdr_sts != VALID) {
(gdb) n
1644        r->user         = (char *) resp->username;
(gdb) n
1645        r->ap_auth_type = (char *) "Digest";
(gdb) n
1649        if (strcmp(resp->uri, resp->raw_request_uri)) {
(gdb) n
1737        if (resp->opaque && resp->opaque_num == 0) {
(gdb) n
1745        if (strcmp(resp->realm, conf->realm)) {
(gdb) p conf->realm
$1 = 0x0
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x0fb0aba4 in strcmp () from /lib/libc.so.6
(gdb) where
#0  0x0fb0aba4 in strcmp () from /lib/libc.so.6
#1  0x10055204 in authenticate_digest_user (r=0x10214d30) at mod_auth_digest.c:1745
#2  0x100363f0 in ap_run_check_user_id (r=0x10214d30) at request.c:71
#3  0x1003751c in ap_process_request_internal (r=0x10214d30) at request.c:194
#4  0x10087eb0 in ap_process_request (r=0x10214d30) at http_request.c:256
#5  0x10084248 in ap_process_http_connection (c=0x1020eeb0) at http_core.c:184
#6  0x10048dc4 in ap_run_process_connection (c=0x1020eeb0) at connection.c:43
#7  0x100493d0 in ap_process_connection (c=0x1020eeb0, csd=0x1020ed18) at
connection.c:178
#8  0x100c4040 in child_main (child_num_arg=0) at prefork.c:640
#9  0x100c415c in make_child (s=0x1011b028, slot=0) at prefork.c:680
#10 0x100c48b0 in ap_mpm_run (_pconf=0x10114968, plog=0x10158a78, s=0x1011b028)
at prefork.c:956
#11 0x1001e608 in main (argc=4, argv=0x7ffffe24) at main.c:717
#12 0x0faad6cc in __libc_start_main () from /lib/libc.so.6
(gdb) q
#
Comment 1 Troy Stanger 2012-04-02 17:40:56 UTC
Ran into the same stack trace in a deployment I am currently working on.  This setup involves mod_auth_digest, mod_authn_dbd and mod_vhost_alias.  The abbreviated relevant portions of my config are:

	VirtualDocumentRoot /vhosts/%0

	<Directory /vhosts>
		AllowOverride AuthConfig
	</Directory>

	<LocationMatch "^(/private/).*">
		AuthType Digest
		AuthDigestProvider dbd
		
		# core authorization configuration
		Require valid-user
		
		AuthDBDUserRealmQuery \
		"SELECT password FROM apache_users WHERE username = %s AND realm = %s"
	</LocationMatch>

In the Document Root for each virtual host is an .htaccess file that defines the AuthName for that virtual host:

	AuthName "some_realm"

I have a patch that fixes two issues this segfault exposes.

1) (Obviously) Apache shouldn't segfault when either the expected or provided auth realm is null.  The if() statement that calls strcmp on those two values should also ensure neither is null.  Additionally, this check should probably be done on all calls to strcmp in the module.

2) For some reason mod_auth_digest and mod_authn_core are reporting different realms for the same request. This is due to different merge rules on the dir_config struct members ap_auth_name/realm in the mod_authn_core and mod_auth_digest modules.

The patch I've included performs NULL checks before calling strcmp and it adds a dir_config merge function that matches the merge rules in mod_authn_core.
Comment 2 Troy Stanger 2012-04-02 17:44:49 UTC
Created attachment 28531 [details]
Patch to fix segfaults and incorrect realm values in mod_auth_digest
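The two fixes described in Comment 1, sketched as an added stand-alone example; this is not the attached patch and not httpd source. The names `dir_conf`, `merge_replace`, `merge_inherit` and `realm_matches` are hypothetical, and the inheritance rule (child value wins when set, otherwise the parent's value is kept) is an assumption about what the patch's merge function does.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for a per-directory digest config (hypothetical type). */
typedef struct {
    const char *realm;     /* set by AuthName */
    const char *uri_list;  /* set by AuthDigestDomain */
} dir_conf;

/* Models the behaviour seen in the gdb trace: the more specific section's
 * record is used as-is, so any field it did not set stays NULL. */
static dir_conf merge_replace(const dir_conf *base, const dir_conf *add)
{
    (void)base;
    return *add;
}

/* Field-wise merge (assumed rule): child value wins when set, else inherit. */
static dir_conf merge_inherit(const dir_conf *base, const dir_conf *add)
{
    dir_conf out;
    out.realm    = add->realm    ? add->realm    : base->realm;
    out.uri_list = add->uri_list ? add->uri_list : base->uri_list;
    return out;
}

/* NULL-safe realm check: a missing realm on either side is a mismatch,
 * so the request is rejected instead of reaching strcmp(NULL, ...). */
static int realm_matches(const char *sent, const char *configured)
{
    if (sent == NULL || configured == NULL)
        return 0;
    return strcmp(sent, configured) == 0;
}

/* Constructed sample mirroring the two <Directory> blocks in the report. */
static const dir_conf wildcard_dir = { "My_Realm", "/var/www/webapps/*/cgi-bin/" };
static const dir_conf admin_dir    = { NULL, "/admin/cgi-bin/" };

int main(void)
{
    dir_conf broken = merge_replace(&wildcard_dir, &admin_dir);
    dir_conf fixed  = merge_inherit(&wildcard_dir, &admin_dir);
    /* broken.realm is NULL and is rejected; fixed.realm is inherited. */
    return !(realm_matches("My_Realm", broken.realm) == 0 &&
             realm_matches("My_Realm", fixed.realm) == 1);
}
```

The comparison fails closed: an unset realm denies the request rather than crashing the child process or being treated as a match.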
Comment 3 William A. Rowe Jr. 2018-11-07 21:08:29 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.