Bug 54463

Summary: Case sensitive option in mod_auth
Product: Apache httpd-2
Reporter: Tianyin Xu <tixu>
Component: mod_auth
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
CC: tixu
Priority: P2
Keywords: FixedInTrunk, PatchAvailable
Version: 2.4.3
Target Milestone: ---
Hardware: PC
OS: Linux
Attachments: Case insensitive for mod_auth

Description Tianyin Xu 2013-01-22 06:47:14 UTC
Created attachment 29878
Case insensitive for mod_auth

The "AuthGroupFile" and "AuthUserFile" in mod_auth use a case-sensitive string comparison function, i.e., strcmp, which conflicts with the case insensitivity of Apache's configuration design. According to my understanding, httpd champions case insensitivity for both configuration directives and configuration options, e.g., all boolean options and the options in the core module.

The fix is straightforward as follows:


--- modules/aaa/mod_authn_file.c        2011-12-04 16:08:01.000000000 -0800
+++ modules/aaa/mod_authn_file.c        2013-01-21 22:29:01.536197988 -0800
@@ -48,7 +48,7 @@
 static const char *set_authn_file_slot(cmd_parms *cmd, void *offset,
                                        const char *f, const char *t) 
 {
-    if (t && strcmp(t, "standard")) {
+    if (t && strcasecmp(t, "standard")) {
         return apr_pstrcat(cmd->pool, "Invalid auth file type: ", t, NULL);
     }   
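
Review bot: In set_authn_file_slot the relaxed test `if (t && strcasecmp(t, "standard"))` still has a single accepted value, so the optional second argument `t` selects nothing and the comparison only decides whether configuration parsing fails with "Invalid auth file type: ". If the argument is meant to stay, document it, state that the type is matched case-insensitively, and have the error message name the accepted value; if it is not, removing the check is cleaner than widening what it accepts.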


--- modules/aaa/mod_authz_groupfile.c   2011-12-04 16:08:01.000000000 -0800
+++ modules/aaa/mod_authz_groupfile.c   2013-01-21 22:29:25.056198548 -0800
@@ -73,7 +73,7 @@
 static const char *set_authz_groupfile_slot(cmd_parms *cmd, void *offset, const char *f, 
                                  const char *t) 
 {
-    if (t && strcmp(t, "standard")) {
+    if (t && strcasecmp(t, "standard")) {
         return apr_pstrcat(cmd->pool, "Invalid auth file type: ", t, NULL);
     }
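
Review bot: strcasecmp is introduced in set_authz_groupfile_slot with no include added in this hunk, so confirm a declaration is already in scope in mod_authz_groupfile.c rather than relying on an implicit one. The literal "standard" and the "Invalid auth file type: " message are checked identically in two files; a shared helper or constant would keep the two handlers from diverging.
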
Comment 1 Christophe JAILLET 2013-04-04 20:58:27 UTC
Well, not sure this is the correct fix.

I really don't see the use of the 2nd optional parameter for these options. They are not documented and the code seems to be useless.

This has been this way for more than 10 years.



Should these parameters be defined with AP_INIT_TAKE1 (instead of AP_INIT_TAKE12) and/or the test against "standard" removed?

This could break conf file compatibility, but I see no reason for someone to use this 2nd parameter anyway.
Comment 2 Christophe JAILLET 2013-05-20 08:30:07 UTC
"standard" option removed in trunk in r1484398
Comment 3 Christophe JAILLET 2013-05-31 07:00:30 UTC
Backported in 2.4.x: r1485737

Will be available in 2.4.5