Ruediger Pluem
Fri, 09 May 2008 23:17:13 -0700
On 05/10/2008 12:15 AM, [EMAIL PROTECTED] wrote:
Author: minfrin
Date: Fri May 9 15:15:37 2008
New Revision: 654958

URL: http://svn.apache.org/viewvc?rev=654958&view=rev
Log:
mod_auth_form: Make sure the input filter stack is properly set up before reading the login form. Make sure the kept body filter is correctly inserted to ensure the body can be read a second time safely should the authn be successful. [Graham Leggett, Ruediger Pluem]

Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/aaa/mod_auth_form.c
Modified: httpd/httpd/trunk/modules/aaa/mod_auth_form.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_form.c?rev=654958&r1=654957&r2=654958&view=diff ============================================================================== --- httpd/httpd/trunk/modules/aaa/mod_auth_form.c (original) +++ httpd/httpd/trunk/modules/aaa/mod_auth_form.c Fri May 9 15:15:37 2008 
@@ -912,19 +905,73 @@ * type and with the given body. * * Otherwise access is denied.+ * + * Reading the body requires some song and dance, because the input filters+ * are not yet configured. To work around this problem, we create a + * subrequest and use that to create a sane filter stack we can read the + * form from.+ * + * The main request is then capped with a kept_body input filter, which has+ * the effect of guaranteeing the input stack can be safely read a second time.+ * */- if (r->method_number == M_POST) { - rv2 = get_form_auth(r, conf->username, conf->password, conf->location, - conf->method, conf->mimetype, conf->body, - &sent_user, &sent_pw, &sent_loc, &sent_method, - &sent_mimetype, conf); - if (OK == rv2) { - rv = check_auth(r, sent_user, sent_pw); + if (HTTP_UNAUTHORIZED == rv && r->method_number == M_POST && ap_is_initial_req(r)) { + request_rec *rr; + apr_bucket_brigade *sent_body = NULL; + + /* create a subrequest of our current uri */ + rr = ap_sub_req_lookup_uri(r->uri, r, r->input_filters); + rr->headers_in = r->headers_in; + + /* run the insert_filters hook on the subrequest to ensure a body read can + * be done properly. + */ + ap_run_insert_filter(rr); + + /* parse the form by reading the subrequest */ + rv = get_form_auth(rr, conf->username, conf->password, conf->location, + conf->method, conf->mimetype, conf->body, + &sent_user, &sent_pw, &sent_loc, &sent_method, + &sent_mimetype, &sent_body, conf); + + /* insert the kept_body filter on the main request to guarantee the + * input filter stack cannot be read a second time, optionally inject + * a saved body if one was specified in the login form. + */ + if (sent_body && sent_mimetype) { + apr_table_set(r->headers_in, "Content-Type", sent_mimetype); + r->kept_body = sent_body;
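Review bot: in the new `if (HTTP_UNAUTHORIZED == rv && ...)` block, the subrequest returned by ap_sub_req_lookup_uri(r->uri, r, r->input_filters) is handed to ap_run_insert_filter(rr) and get_form_auth(rr, ...) with no check of rr->status in the lines shown, so a lookup that failed is used like a good request; test rr->status against HTTP_OK before reading the form from it. The assignment rr->headers_in = r->headers_in makes both requests share one table rather than a copy, which deserves a comment if it is intended. The inline comment above the `if (sent_body && sent_mimetype)` check also says the input filter stack "cannot be read a second time", while the block comment at the top of the hunk and the log message say the kept_body filter makes a second read safe; the inline comment should be reworded to match.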
Any reason why we do not need to adjust the Content-Length header any longer?

Regards

Rüdiger