Bug 57204

Summary: LuaAuthzProvider mixes up parsed require arguments when used multiple times
Product: Apache httpd-2
Reporter: Eric Covener <covener>
Component: mod_lua
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: FixedInTrunk, PatchAvailable
Priority: P2
Version: 2.4.10
Target Milestone: ---
Hardware: PC
OS: Linux
Attachments: Allow multiple LuaAuthzProvider directives with the same provider name but different args

Description Eric Covener 2014-11-12 14:52:50 UTC
As reported in the comments section of the manual anonymously, it looks like the Lua-specific hash used to store the parameters gets mixed up if you define 1 provider but use it with multiple require arguments.


original:

http://httpd.apache.org/docs/trunk/mod/mod_lua.html#comment_3245
Comment 1 Gregory A Lundberg 2014-11-14 03:47:05 UTC
Reactivated ancient Apache Bugzilla account to record as originator of comment on mod_lua documentation page.
Comment 2 Edward Lu 2014-11-19 21:26:52 UTC
Created attachment 32219
Allow multiple LuaAuthzProvider directives with the same provider name but different args
Comment 3 Edward Lu 2014-11-19 21:29:10 UTC
Forgot to attach comment to patch.

Above patch should fix the issue. The operative part is that it separates the provider from the arguments that are passed to it.

As a side note, the type names lua_authz_provider_spec and lua_authz_provider_func should probably be switched. I skipped that in the interest of a smaller diff, but whoever reviews/commits should probably look at naming those better.
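
Added example, not part of the bug thread and not mod_lua source: a simplified C model of the failure mode described in the Description and Comment 3, where arguments stored on a shared provider record are overwritten by a later Require line, shown next to a layout that keeps the provider separate from its arguments. All struct and function names and the `group-a`/`group-b` arguments are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not mod_lua source; all names here are hypothetical. */
struct provider {             /* one LuaAuthzProvider registration */
    const char *name;
    const char *args;         /* buggy layout: arguments stored on the shared record */
};

struct require_entry {        /* one parsed Require line */
    struct provider *prov;
    const char *args;         /* fixed layout: arguments owned by the Require line */
};

/* Buggy parse: a later Require line replaces the arguments of earlier ones. */
static void parse_shared(struct provider *p, struct require_entry *e, const char *args) {
    p->args = args;
    e->prov = p;
    e->args = NULL;
}

/* Fixed parse: the provider is kept separate from the arguments passed to it. */
static void parse_separate(struct provider *p, struct require_entry *e, const char *args) {
    e->prov = p;
    e->args = args;
}

/* Arguments the provider would be called with for this Require line. */
static const char *effective_args(const struct require_entry *e) {
    return e->args ? e->args : e->prov->args;
}

/* Parse two constructed Require lines; return what the FIRST one ends up with. */
const char *first_require_args(int use_fix) {
    struct provider p = { "example-provider", NULL };
    struct require_entry e[2];
    void (*parse)(struct provider *, struct require_entry *, const char *) =
        use_fix ? parse_separate : parse_shared;
    parse(&p, &e[0], "group-a");   /* constructed: first Require line */
    parse(&p, &e[1], "group-b");   /* constructed: second Require line */
    return effective_args(&e[0]);
}

int main(void) {
    printf("shared: %s\nseparate: %s\n", first_require_args(0), first_require_args(1));
    return 0;
}
```

In the shared layout the first Require line is evaluated with the second line's arguments, which is why a configuration audit for this bug should look for one provider name reused with different arguments.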
Comment 4 Eric Covener 2014-11-20 00:18:31 UTC
Thanks, waiting to see if a CVE should be assigned.
Comment 5 Eric Covener 2014-12-29 20:30:17 UTC
CVE-2014-8109, waiting for next 2.4.x release
Comment 6 Yann Ylavic 2015-01-23 08:49:44 UTC
Backported to 2.4.11 in r1642861.