Bug 43084

Summary: Group line in AuthGroupFile cannot contain more than 8192 characters (including EOL)
Product: Apache httpd-2
Reporter: Björn Wiberg <bjorn.wiberg>
Component: Other Modules
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: FixedInTrunk
Priority: P2
Version: 2.2.4
Target Milestone: ---
Hardware: PC
OS: Linux
Attachments: Example AuthGroupFile, Example .htaccess file

Description Björn Wiberg 2007-08-10 05:04:02 UTC
Group lines in (mod_authz_groupfile) AuthGroupfiles appear to have a maximum
fixed size of 8192 characters including the group name, colon, whitespace and
end-of-line character(s).

Usernames on such a long group line, appearing past the 8192-byte limit, will
not be let in:

---8<---
[Fri Aug 10 13:09:33 2007] [error] [client 130.238.131.137] Authorization of
user XYZ to access /Pass/index.html failed, reason: user doesn't appear in group
file (/apache/secret/abc/def/.htgroup)., referer: http://www.xyz.uu.se/
--->8---

...even though they are present on the line and hence should be considered a
member of the group.

Attaching example files to test this. The username "test" will not be considered
a member of the group "brokengroup", but will be considered a member of the
group "okgroup".

(Tested on both Linux and AIX.)

Comment 1 Björn Wiberg 2007-08-10 05:07:00 UTC
Created attachment 20636
Example AuthGroupFile

The user "test" will be considered a user of the group "okgroup", but not of
the group "brokengroup", due to line lengths.

Comment 2 Björn Wiberg 2007-08-10 05:08:55 UTC
Created attachment 20637
Example .htaccess file

Adjust the path to the user and group files.
Try adding "okgroup" to the list of allowed groups (and not).
Notice the difference (let in vs not let in).

Comment 3 Tom Donovan 2007-08-19 19:54:40 UTC
True - the line length is limited by the value in include/httpd.h near line 310:

  /** The length of a Huge string */
  #define HUGE_STRING_LEN 8192

This line-length limit applies to user files, group files, config files, log
lines, mod_ssl passphrases, and many other things in Apache.  Changing it for
all of them seems disruptive.  A site with a unique requirement could change the
value in httpd.h and re-build Apache.

Should this really be fixed?
Very large group lists may be better handled by DBM or DBD than extra long lines
in a flat file. 

Comment 4 Stefan Fritsch 2011-08-13 09:07:39 UTC
Fixed in trunk in r1157354

Comment 5 Stefan Fritsch 2012-02-26 16:46:18 UTC
fixed in 2.4.1
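
An audit for the condition reported in this bug, as an added example that is not part of the original thread or of httpd's code: it scans an AuthGroupFile for group lines longer than 8192 bytes (EOL included) and lists the members that extend past the limit. The function names, the constructed sample file and the exact cut-off byte (limit minus one, assuming one byte is reserved for a string terminator) are assumptions.

```python
import io
import re

HUGE_STRING_LEN = 8192  # value quoted from include/httpd.h in comment 3


def audit_group_file(stream, limit=HUGE_STRING_LEN):
    """Return one finding per group line longer than `limit` bytes (EOL included).

    `stream` is a binary file object, e.g. open(path, "rb"). Members listed in
    "at_risk" end past byte limit-1 of the line; that cut-off is an assumption
    about the reader's buffer, so treat members near the boundary as suspect.
    """
    findings = []
    for lineno, raw in enumerate(stream, start=1):
        if len(raw) <= limit or raw.lstrip().startswith(b"#"):
            continue
        group, sep, members = raw.rstrip(b"\r\n").partition(b":")
        if not sep:
            continue  # not a "group: user user ..." line
        base = len(group) + 1  # byte offset of the member list within the line
        at_risk = [m.group().decode("utf-8", "replace")
                   for m in re.finditer(rb"\S+", members)
                   if base + m.end() > limit - 1]
        findings.append({
            "line": lineno,
            "group": group.strip().decode("utf-8", "replace"),
            "bytes": len(raw),
            "at_risk": at_risk,
        })
    return findings


def build_sample():
    """Constructed sample mirroring the report: 'test' sits past the limit."""
    filler = " ".join(f"user{i:04d}" for i in range(1000))  # 8999 bytes
    text = ("# constructed sample, not the attachment from the bug\n"
            "okgroup: alice test\n"
            f"brokengroup: {filler} test\n")
    return io.BytesIO(text.encode())


if __name__ == "__main__":
    for f in audit_group_file(build_sample()):
        print(f"line {f['line']}: group {f['group']} is {f['bytes']} bytes; "
              f"{len(f['at_risk'])} member(s) past the limit, "
              f"last: {f['at_risk'][-1]}")
```

Run it against each group file referenced by an `AuthGroupFile` directive on servers older than the fixed release; any finding means some listed members are being denied access despite appearing in the file.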