Bug 54463 - Case sensitive option in mod_auth
Summary: Case sensitive option in mod_auth
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth
Version: 2.4.3
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2013-01-22 06:47 UTC by Tianyin Xu
Modified: 2013-05-31 07:00 UTC

Attachments
Case insensitive for mod_auth (944 bytes, patch)
2013-01-22 06:47 UTC, Tianyin Xu

Description Tianyin Xu 2013-01-22 06:47:14 UTC
Created attachment 29878
Case insensitive for mod_auth

The "AuthGroupFile" and "AuthUserFile" in mod_auth use a case-sensitive string comparison function, i.e., strcmp, which conflicts with the case insensitivity of Apache's configuration design. According to my understanding, httpd champions case insensitivity for both configuration directives and configuration options, e.g., all boolean options and the options in the core module.

The fix is straightforward as follows:


--- modules/aaa/mod_authn_file.c        2011-12-04 16:08:01.000000000 -0800
+++ modules/aaa/mod_authn_file.c        2013-01-21 22:29:01.536197988 -0800
@@ -48,7 +48,7 @@
 static const char *set_authn_file_slot(cmd_parms *cmd, void *offset,
                                        const char *f, const char *t) 
 {
-    if (t && strcmp(t, "standard")) {
+    if (t && strcasecmp(t, "standard")) {
         return apr_pstrcat(cmd->pool, "Invalid auth file type: ", t, NULL);
     }   
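
Review bot: The changed condition in set_authn_file_slot, `strcasecmp(t, "standard")`, still relies on a nonzero return being truthy, which is easy to misread as "if equal"; writing it as `strcasecmp(t, "standard") != 0` makes the reject-on-mismatch intent explicit. The "Invalid auth file type: " message on the following line echoes the rejected value but does not say which value is accepted, so it would help to name "standard" there now that more spellings of it pass the check.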


--- modules/aaa/mod_authz_groupfile.c   2011-12-04 16:08:01.000000000 -0800
+++ modules/aaa/mod_authz_groupfile.c   2013-01-21 22:29:25.056198548 -0800
@@ -73,7 +73,7 @@
 static const char *set_authz_groupfile_slot(cmd_parms *cmd, void *offset, const char *f, 
                                  const char *t) 
 {
-    if (t && strcmp(t, "standard")) {
+    if (t && strcasecmp(t, "standard")) {
         return apr_pstrcat(cmd->pool, "Invalid auth file type: ", t, NULL);
     }
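
Review bot: The comparison in set_authz_groupfile_slot is a verbatim copy of the one in mod_authn_file.c, so the two validators have to be kept in sync by hand; a short comment in each pointing at the other, or a shared helper, would prevent them from drifting apart again. In the visible lines the optional argument `t` is only ever compared against the single literal "standard" and has no other effect, so the patch should also document what the argument is for and that it is now matched case-insensitively.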
Comment 1 Christophe JAILLET 2013-04-04 20:58:27 UTC
Well, not sure this is the correct fix.

I really don't see the use of the 2nd optional parameter for these options. They are not documented and the code seems to be useless.

This has been this way for more than 10 years.



Should these parameters be defined with AP_INIT_TAKE1 (instead of AP_INIT_TAKE12) and/or the test against "standard" removed?

This could break conf file compatibility, but I see no reason for someone to use this 2nd parameter anyway.
Comment 2 Christophe JAILLET 2013-05-20 08:30:07 UTC
"standard" option removed in trunk in r1484398
Comment 3 Christophe JAILLET 2013-05-31 07:00:30 UTC
Backported in 2.4.x: r1485737

Will be available in 2.4.5