On 11/20/23 1:07 PM, yla...@apache.org wrote:
> Author: ylavic
> Date: Mon Nov 20 12:07:11 2023
> New Revision: 1913977
>
> URL: http://svn.apache.org/viewvc?rev=1913977&view=rev
> Log:
> mod_authnz_ldap: Follow up to r1913962: r->user not used in
> ldapsearch_check_authorization().
>
>
> Modified:
> httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
>
> Modified: httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c?rev=1913977&r1=1913976&r2=1913977&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c (original)
> +++ httpd/httpd/trunk/modules/aaa/mod_authnz_ldap.c Mon Nov 20 12:07:11 2023
> @@ -1441,12 +1441,6 @@ static authz_status ldapsearch_check_aut
> * and populated with the userid and DN of the account in LDAP
> */
>
> - if (!*r->user) {
> - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10487)
> - "ldap authorize: Userid is blank, AuthType=%s",
> - r->ap_auth_type);
> - }
> -
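Review bot: the removed `if (!*r->user)` block is the only check on r->user in the lines shown, and after its removal no guard remains in this context. The log message says r->user is not used in ldapsearch_check_authorization() itself, so it is worth confirming that nothing called from this function still reads r->user before dropping the check entirely. If a callee does, keep a guard here, write it as `!r->user || !*r->user` (the old test dereferenced r->user without a NULL check), and make it return a denial instead of only logging a warning.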
We need r->user in get_dn_for_nonldap_authn -> authn_ldap_build_filter in case req == NULL.
authn_ldap_build_filter will segfault if r->user is NULL. Hence I guess we should apply the following on top:
Index: modules/aaa/mod_authnz_ldap.c
===================================================================
--- modules/aaa/mod_authnz_ldap.c (revision 1913977)
+++ modules/aaa/mod_authnz_ldap.c (working copy)
@@ -1443,6 +1443,12 @@
if (!req) {
authz_status rv = AUTHZ_DENIED;
+ if (!r->user || !*r->user) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10487)
+ "ldap authorize: Userid is blank, AuthType=%s",
+ r->ap_auth_type);
+ return rv;
+ }
req = build_request_config(r);
ldc = get_connection_for_authz(r, LDAP_SEARCH);
if (AUTHZ_GRANTED != (rv = get_dn_for_nonldap_authn(r, ldc))) {
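Review bot: `return rv;` in the added block returns AUTHZ_DENIED for both a NULL and an empty r->user, and the value comes from the initialiser two lines above rather than being stated at the return. Consider whether the NULL case should return AUTHZ_DENIED_NO_USER instead, since that status exists in authz_status for a request that has no authenticated user yet, and split the two conditions if so. Writing the status explicitly at the return (for example `return AUTHZ_DENIED;`) would also keep the guard correct if the initial value of rv is changed later. The guard sits only inside `if (!req)`, which matches the stated need, but a one-line comment saying that get_dn_for_nonldap_authn() requires a non-NULL r->user would document why it is here.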
Or we need to ensure that authn_ldap_build_filter is NULL safe and returns in a
sensible way if user == NULL.
Regards
Rüdiger