brian       96/06/12 20:49:22

  Modified:    src       mod_auth_msql.c
  Log:
  Submitted by: "Dirk.vanGulik" <[EMAIL PROTECTED]>
  
  Changes:
  
          - Removed obsolete palloc checks, they get trapped in the
            alloc.c
  
          - Removed static msql-err string claim (to make future threading
            easier; although the linked in libmsql still has quite a few)
  
          - Be more strict on the group/user specifications; and output
            some diagnostics to the error log file if the admin does not
            specify a require (valid-)user with a group when the module
            is authoritative.
  
  Revision  Changes    Path
  1.7       +52 -43    apache/src/mod_auth_msql.c
  
  Index: mod_auth_msql.c
  ===================================================================
  RCS file: /export/home/cvs/apache/src/mod_auth_msql.c,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -C3 -r1.6 -r1.7
  *** mod_auth_msql.c   1996/05/29 03:19:20     1.6
  --- mod_auth_msql.c   1996/06/13 03:49:20     1.7
  ***************
  *** 61,67 ****
     * Addapted for use with the mSQL database
     * (see ftp:/ftp.bond.edu.au/pub/Minerva/mSQL)
     *
  !  * Version 0.9 May 1996 - Blame: [EMAIL PROTECTED]
     *
     * A (sometimes more up to date) version of the documentation
     * can be found at the http://www.apache.org site or at 
  --- 61,67 ----
     * Addapted for use with the mSQL database
     * (see ftp:/ftp.bond.edu.au/pub/Minerva/mSQL)
     *
  !  * Version 1.0 May 1996 - Blame: [EMAIL PROTECTED]
     *
     * A (sometimes more up to date) version of the documentation
     * can be found at the http://www.apache.org site or at 
  ***************
  *** 282,287 ****
  --- 282,289 ----
     *          msqlClose() statements added upon error. Support for persistent
     *          connections with the mSQL database (riscy). Escaping of ' and \.
     *          Replaced some MAX_STRING_LENGTH claims. 
  +  *     1.0  removed some error check as they where already done elsehwere
  +  *          NumFields -> NumRows (Thanks Vitek). More stack memory.
     */
    
    
  ***************
  *** 390,395 ****
  --- 392,398 ----
    #include "http_log.h"
    #include "http_protocol.h"
    #include <msql.h>
  + #include <crypt.h>
    
    typedef struct  {
    
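Review bot: The unconditional `#include <crypt.h>` on the added line is not portable: not every libc ships that header (several declare crypt() in <unistd.h> instead), so the build breaks on those platforms. If the include is only there to get a prototype for crypt(), put it behind a platform or feature macro, or declare `extern char *crypt(const char *, const char *);` locally under such a macro. The surrounding include list continues outside the hunk.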
  ***************
  *** 412,418 ****
    void *create_msql_auth_dir_config (pool *p, char *d)
    {
        msql_auth_config_rec * sec= (msql_auth_config_rec *) pcalloc (p, 
sizeof(msql_auth_config_rec));
  -     if (!sec) return NULL; /* no memory... */
    
        sec->auth_msql_host        = NULL; /* just to enforce the default 
'localhost' behaviour */
    
  --- 415,420 ----
  ***************
  *** 440,446 ****
        return sec;
    }
    
  - static
    char *set_passwd_flag (cmd_parms *cmd, msql_auth_config_rec *sec, int arg) {
        sec->auth_msql_nopasswd=arg;
        return NULL;
  --- 442,447 ----
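Review bot: Dropping `static` from set_passwd_flag on the `-` line gives the handler external linkage, so its name now lands in the global symbol namespace shared with every other module and with libmsql. Unless a declaration elsewhere in the file needs the symbol to be non-static (the command table is outside this hunk), a file-scope helper like this should stay `static`. If the removal was needed to silence a prototype mismatch, the cleaner fix is to make the prototype `static` as well.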
  ***************
  *** 538,554 ****
    
    module msql_auth_module;
    
  - char msql_errstr[MAX_STRING_LEN];
  -              /* global errno to be able to handle config/sql
  -              * failures separately
  -              */
  - 
  - 
    /* boring little routine which escapes the ' and \ in the
     * SQL query. See the mSQL FAQ for more information :-) on
     * this very popular subject in the msql-mailing list.
     */
  ! char *msql_escape(char *out, char *in) {
    
      register int i=0,j=0;
    
  --- 539,549 ----
    
    module msql_auth_module;
    
    /* boring little routine which escapes the ' and \ in the
     * SQL query. See the mSQL FAQ for more information :-) on
     * this very popular subject in the msql-mailing list.
     */
  ! char *msql_escape(char *out, char *in, char *msql_errstr) {
    
      register int i=0,j=0;
    
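Review bot: The header comment of msql_escape (the four context lines above the `!` line) says nothing about the new msql_errstr parameter or the sizing contract, even though the function now writes a diagnostic into a caller-owned buffer. I would extend it along the lines of: `out must hold at least MAX_FIELD_LEN bytes; on overflow NULL is returned and a diagnostic is written to msql_errstr, a MAX_STRING_LEN buffer the caller clears before the call`. The body of msql_escape continues past the end of the hunk.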
  ***************
  *** 557,563 ****
        if ( (in[i] == '\'') || (in[i] == '\\')) {
    
          /* does this fit ? */
  !       if (j >= (MAX_FIELD_LEN-1)) return NULL;
    
          out[j++] = '\\'; /* insert that escaping slash for good measure */
        };
  --- 552,561 ----
        if ( (in[i] == '\'') || (in[i] == '\\')) {
    
          /* does this fit ? */
  !       if (j >= (MAX_FIELD_LEN-1)) {
  !     sprintf(msql_errstr,"Could not escape '%s', longer than 
%d",in,MAX_FIELD_LEN);
  !     return NULL;
  !     };
    
          out[j++] = '\\'; /* insert that escaping slash for good measure */
        };
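Review bot: The new `sprintf(msql_errstr,"Could not escape '%s', longer than %d",in,MAX_FIELD_LEN);` copies the whole offending input into msql_errstr, and this branch is reached precisely because `in` is too long for its output buffer; nothing in msql_escape bounds `in` against the MAX_STRING_LEN-sized msql_errstr the callers hand in, and for get_msql_pw `in` is the user name taken from the request's Basic credentials (it is called with c->user after get_basic_auth_pw). Cap the copy with a precision, e.g. `sprintf(msql_errstr,"Could not escape '%.*s...', longer than %d",MAX_FIELD_LEN,in,MAX_FIELD_LEN);`, so the message length no longer depends on the input. Whether MAX_STRING_LEN is in practice large enough to absorb any request-supplied name is not visible here, which is exactly why the bound is worth having. The same unbounded `%s` of the user name appears in the `mSQL: Could not cope/escape` messages of get_msql_pw and get_msql_grp in the later hunks.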
  ***************
  *** 574,580 ****
     * into r. Assume that user is a string and stored
     * as such in the mSQL database
     */
  ! char *do_msql_query(request_rec *r, char *query, msql_auth_config_rec *sec, 
int once ) {
    
                static int      sock=-1;
                int             hit;
  --- 572,578 ----
     * into r. Assume that user is a string and stored
     * as such in the mSQL database
     */
  ! char *do_msql_query(request_rec *r, char *query, msql_auth_config_rec *sec, 
int once , char *msql_errstr) {
    
                static int      sock=-1;
                int             hit;
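Review bot: do_msql_query now relies on the caller handing in a msql_errstr that is already empty — the `msql_errstr[0]='\0';` it used to perform is removed in the next hunk, and the callers test `msql_errstr[0]` to tell a query error from "no row" — but neither the header comment above the `!` line nor the signature records that contract. I would add to the comment: `msql_errstr: caller-owned MAX_STRING_LEN buffer, empty on entry; filled with a diagnostic when NULL is returned because of an error rather than a missing row`. The log entry also gives threading as the reason for dropping the global error string, yet `static int sock=-1;` in this same function stays per-process shared state, so a `/* NOTE: sock is shared; not thread-safe */` comment here would keep that expectation honest. The rest of do_msql_query lies outside the hunk.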
  ***************
  *** 584,591 ****
        char            *result=NULL;
        char            *host=sec->auth_msql_host;
    
  -     msql_errstr[0]='\0';
  - 
    #ifndef KEEP_MSQL_CONNECTION_OPEN
            sock=-1;
    #endif
  --- 582,587 ----
  ***************
  *** 640,646 ****
                return NULL;
                };
    
  !     hit=msqlNumFields(results);
    
        if (( once ) && ( hit >1 )) {
              /* complain if there are to many
  --- 636,642 ----
                return NULL;
                };
    
  !     hit=msqlNumRows(results);
    
        if (( once ) && ( hit >1 )) {
              /* complain if there are to many
  ***************
  *** 652,658 ****
        /* if we have a it, try to get it
        */
            if ( hit )  {
  !             if ((currow=msqlFetchRow(results))) {
                        /* copy the first matching field value */
                        if (!(result=palloc(r->pool,strlen(currow[0])+1))) {
                                sprintf (msql_errstr,"mSQL: Could not get 
memory for mSQL %s (%s) with [%s]",
  --- 648,654 ----
        /* if we have a it, try to get it
        */
            if ( hit )  {
  !             if ( (currow=msqlFetchRow(results)) != NULL) {
                        /* copy the first matching field value */
                        if (!(result=palloc(r->pool,strlen(currow[0])+1))) {
                                sprintf (msql_errstr,"mSQL: Could not get 
memory for mSQL %s (%s) with [%s]",
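Review bot: The `if (!(result=palloc(r->pool,strlen(currow[0])+1)))` check on the context line below the `!` line survives although the log entry says the palloc checks were removed because alloc.c traps allocation failure; either drop it like the one removed from create_msql_auth_dir_config or keep them all, but not a mix. Separately, `strlen(currow[0])` assumes the fetched cell is a non-NULL string; if mSQL returns NULL for a NULL column value (I cannot confirm that from here), this dereferences it, so a `currow[0] != NULL` guard before the strlen would be cheap insurance. The body of do_msql_query continues outside the hunk.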
  ***************
  *** 682,688 ****
        return result;
    }
    
  ! char *get_msql_pw(request_rec *r, char *user, msql_auth_config_rec *sec) {
        char            query[MAX_QUERY_LEN];
        char            esc_user[MAX_FIELD_LEN];
    
  --- 678,684 ----
        return result;
    }
    
  ! char *get_msql_pw(request_rec *r, char *user, msql_auth_config_rec *sec 
,char *msql_errstr) {
        char            query[MAX_QUERY_LEN];
        char            esc_user[MAX_FIELD_LEN];
    
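Review bot: The continuation line `,char *msql_errstr) {` puts the separating comma at the start of the wrapped line, while the other two signatures this commit extends write `int once , char *msql_errstr` and `sec, char *msql_errstr` — three spellings of the same addition in one file. Pick one, preferably `msql_auth_config_rec *sec, char *msql_errstr) {` with the comma after `sec` on the first line, and apply it to do_msql_query and get_msql_grp as well.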
  ***************
  *** 701,709 ****
                return NULL;
                };
    
  !             if (!(msql_escape(esc_user, user))) {
                sprintf(msql_errstr,
  !                     "mSQL: Could not cope/escape the '%s' user_id 
value",user);
                return NULL;
                };
                sprintf(query,"select %s from %s where %s='%s'",
  --- 697,705 ----
                return NULL;
                };
    
  !             if (!(msql_escape(esc_user, user, msql_errstr))) {
                sprintf(msql_errstr,
  !                     "mSQL: Could not cope/escape the '%s' user_id value; 
",user);
                return NULL;
                };
                sprintf(query,"select %s from %s where %s='%s'",
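Review bot: The `sprintf(msql_errstr, "mSQL: Could not cope/escape the '%s' user_id value; ",user);` after the failed msql_escape overwrites the diagnostic msql_escape has just written into the same buffer (the `longer than %d` message added in this commit), and the trailing `; ` suggests the intent was to append to it rather than replace it. Either drop this sprintf and let msql_escape's message stand, or write the outer message first and have msql_escape append its detail. get_msql_grp has the same overwrite twice, in the hunk with the `user_id` and `group_id` messages.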
  ***************
  *** 713,722 ****
                esc_user
                );
    
  !     return do_msql_query(r,query,sec,ONLY_ONCE);
    }
    
  ! char *get_msql_grp(request_rec *r, char *group,char *user, 
msql_auth_config_rec *sec) {
        char            query[MAX_QUERY_LEN];
    
        char            esc_user[MAX_FIELD_LEN];
  --- 709,718 ----
                esc_user
                );
    
  !     return do_msql_query(r,query,sec,ONLY_ONCE,msql_errstr);
    }
    
  ! char *get_msql_grp(request_rec *r, char *group,char *user, 
msql_auth_config_rec *sec, char *msql_errstr) {
        char            query[MAX_QUERY_LEN];
    
        char            esc_user[MAX_FIELD_LEN];
  ***************
  *** 737,749 ****
                return NULL;
                };
    
  !             if (!(msql_escape(esc_user, user))) {
                sprintf(msql_errstr,
                        "mSQL: Could not cope/escape the '%s' user_id 
value",user);
    
                return NULL;
                };
  !             if (!(msql_escape(esc_group, group))) {
                sprintf(msql_errstr,
                        "mSQL: Could not cope/escape the '%s' group_id 
value",group);
    
  --- 733,745 ----
                return NULL;
                };
    
  !             if (!(msql_escape(esc_user, user,msql_errstr))) {
                sprintf(msql_errstr,
                        "mSQL: Could not cope/escape the '%s' user_id 
value",user);
    
                return NULL;
                };
  !             if (!(msql_escape(esc_group, group,msql_errstr))) {
                sprintf(msql_errstr,
                        "mSQL: Could not cope/escape the '%s' group_id 
value",group);
    
  ***************
  *** 757,763 ****
                sec->auth_msql_grp_field,  esc_group
                );
    
  !     return do_msql_query(r,query,sec,0);
    }
    
    
  --- 753,759 ----
                sec->auth_msql_grp_field,  esc_group
                );
    
  !     return do_msql_query(r,query,sec,0,msql_errstr);
    }
    
    
  ***************
  *** 766,775 ****
        msql_auth_config_rec *sec =
          (msql_auth_config_rec *)get_module_config (r->per_dir_config,
                                                &msql_auth_module);
        conn_rec *c = r->connection;
        char *sent_pw, *real_pw;
        int res;
  ! 
    
        if ((res = get_basic_auth_pw (r, &sent_pw)))
            return res;
  --- 762,772 ----
        msql_auth_config_rec *sec =
          (msql_auth_config_rec *)get_module_config (r->per_dir_config,
                                                &msql_auth_module);
  +     char msql_errstr[MAX_STRING_LEN];
        conn_rec *c = r->connection;
        char *sent_pw, *real_pw;
        int res;
  !     msql_errstr[0]='\0';
    
        if ((res = get_basic_auth_pw (r, &sent_pw)))
            return res;
  ***************
  *** 785,792 ****
                (!sec->auth_msql_pwd_field)
         ) return DECLINED;
    
  !     msql_errstr[0]='\0';
  !     if(!(real_pw = get_msql_pw(r, c->user, sec ))) {
        if ( msql_errstr[0] ) {
                res = SERVER_ERROR;
                } else {
  --- 782,788 ----
                (!sec->auth_msql_pwd_field)
         ) return DECLINED;
    
  !     if(!(real_pw = get_msql_pw(r, c->user, sec,msql_errstr ))) {
        if ( msql_errstr[0] ) {
                res = SERVER_ERROR;
                } else {
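Review bot: On the `!` line a failed get_msql_pw with msql_errstr set turns the request into SERVER_ERROR, yet nothing in this hunk writes the diagnostic to the error log — the log_reason calls this commit adds all sit in the group checker. If the text is not logged further down in this function (the rest of the branch is outside the hunk), add `log_reason (msql_errstr, r->uri, r);` next to `res = SERVER_ERROR;` so a failed or misconfigured database query is visible to the admin instead of surfacing only as a 500.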
  ***************
  *** 854,879 ****
        msql_auth_config_rec *sec =
          (msql_auth_config_rec *)get_module_config (r->per_dir_config,
                                                &msql_auth_module);
        char *user = r->connection->user;
        int m = r->method_number;
  - 
  - 
        array_header *reqs_arr = requires (r);
        require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
    
        register int x;
        char *t, *w;
  ! 
  ! 
  !     /* if we cannot do it; leave it to some other guy,
  !      */
  ! 
  !     if ((!sec->auth_msql_grp_table)&&(!sec->auth_msql_grp_field))
  !     return DECLINED;
    
        if (!reqs_arr) {
        if (sec->auth_msql_authorative) {
                sprintf(msql_errstr,"user %s denied, no access rules specified 
(MSQL-Authorative) ",user);
                note_basic_auth_failure(r);
                return AUTH_REQUIRED;
                };
  --- 850,869 ----
        msql_auth_config_rec *sec =
          (msql_auth_config_rec *)get_module_config (r->per_dir_config,
                                                &msql_auth_module);
  +     char msql_errstr[MAX_STRING_LEN];
        char *user = r->connection->user;
        int m = r->method_number;
        array_header *reqs_arr = requires (r);
        require_line *reqs = reqs_arr ? (require_line *)reqs_arr->elts : NULL;
    
        register int x;
        char *t, *w;
  !     msql_errstr[0]='\0';
    
        if (!reqs_arr) {
        if (sec->auth_msql_authorative) {
                sprintf(msql_errstr,"user %s denied, no access rules specified 
(MSQL-Authorative) ",user);
  +             log_reason (msql_errstr, r->uri, r);
                note_basic_auth_failure(r);
                return AUTH_REQUIRED;
                };
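Review bot: Removing the early `return DECLINED` for a missing group table/field changes what a `require group` line means when no group table is configured: the group branch in the next hunk now requires both fields, so such a line is skipped and touches neither user_result nor group_result. Previously the request was handed to another auth module; what happens now depends on the initial values of user_result and group_result, which are outside this hunk, so please confirm this is the intended "more strict" behaviour and consider logging it as a misconfiguration when the module is authoritative. A comment where the guard used to be, e.g. `/* a require group line without a group table is ignored; see the group branch below */`, would make the new rule explicit. The function starts before the hunk.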
  ***************
  *** 887,913 ****
            t = reqs[x].requirement;
            w = getword(r->pool, &t, ' ');
    
  !         if(!strcmp(w,"user")) {
                while(t[0]) {
                    w = getword_conf (r->pool, &t);
  !                 if (!strcmp(user,w))
                        user_result= OK;
                }
            if ((sec->auth_msql_authorative) && ( user_result != OK)) {
                sprintf(msql_errstr,"User %s not found 
(MSQL-Auhtorative)",user);
                note_basic_auth_failure(r);
                return AUTH_REQUIRED;
                };
            }
    
  !         if (!strcmp(w,"group")) {
           /* look up the membership for each of the groups in the table
                */
  !            msql_errstr[0]='\0';
  ! 
               while ( (t[0]) && (group_result != OK) && (!msql_errstr[0]) ) {
  !                 if (get_msql_grp(r,getword(r->pool, &t, ' '),user,sec)) {
                        group_result= OK;
                        };
                        };
    
  --- 877,911 ----
            t = reqs[x].requirement;
            w = getword(r->pool, &t, ' ');
    
  !         if ((user_result != OK) && (!strcmp(w,"user"))) {
  !         user_result=AUTH_REQUIRED;
                while(t[0]) {
                    w = getword_conf (r->pool, &t);
  !                 if (!strcmp(user,w)) {
                        user_result= OK;
  +                 break;
  +             };
                }
            if ((sec->auth_msql_authorative) && ( user_result != OK)) {
                sprintf(msql_errstr,"User %s not found 
(MSQL-Auhtorative)",user);
  +             log_reason (msql_errstr, r->uri, r);
                note_basic_auth_failure(r);
                return AUTH_REQUIRED;
                };
            }
    
  !         if ( (group_result != OK) && 
  !          (!strcmp(w,"group")) &&  
  !              (sec->auth_msql_grp_table) && 
  !              (sec->auth_msql_grp_field)
  !            ) {
           /* look up the membership for each of the groups in the table
                */
  !        group_result=AUTH_REQUIRED;
               while ( (t[0]) && (group_result != OK) && (!msql_errstr[0]) ) {
  !                 if (get_msql_grp(r,getword(r->pool, &t, ' 
'),user,sec,msql_errstr)) {
                        group_result= OK;
  +                     break;
                        };
                        };
    
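Review bot: `user_result=AUTH_REQUIRED;` on the new line after the `require user` test (and `group_result=AUTH_REQUIRED;` in the group branch below it) is set regardless of sec->auth_msql_authorative, but note_basic_auth_failure is only called on the authoritative path; with the final combination in the last hunk returning these values, a non-authoritative configuration can now answer 401 without the challenge header note_basic_auth_failure is responsible for, and without giving another auth module a chance. If non-authoritative mismatches are meant to fall through, set DECLINED there instead, or keep the value and call note_basic_auth_failure before it is returned. I am inferring the non-authoritative path from the visible lines; the variables' initial values are outside the hunk.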
  ***************
  *** 918,930 ****
    
           if ( (sec->auth_msql_authorative) && (group_result != OK) ) {
                sprintf(msql_errstr,"user %s not in right groups 
(MSQL-Authorative) ",user);
                note_basic_auth_failure(r);
                return AUTH_REQUIRED;
                };
               };
    
  !         if(!strcmp(w,"valid-user"))
                user_result= OK;
            }
    
        /* we do not have to check the valid-ness of the group result as
  --- 916,930 ----
    
           if ( (sec->auth_msql_authorative) && (group_result != OK) ) {
                sprintf(msql_errstr,"user %s not in right groups 
(MSQL-Authorative) ",user);
  +             log_reason (msql_errstr, r->uri, r);
                note_basic_auth_failure(r);
                return AUTH_REQUIRED;
                };
               };
    
  !         if(!strcmp(w,"valid-user")) {
                user_result= OK;
  +         };
            }
    
        /* we do not have to check the valid-ness of the group result as
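Review bot: When get_msql_grp fails with a database error, the group loop in the previous hunk stops because msql_errstr is no longer empty, group_result stays AUTH_REQUIRED, and the `sprintf(msql_errstr,"user %s not in right groups ...")` here overwrites the SQL diagnostic before the new `log_reason` sees it — the admin is told the user is not in the group and the client gets 401 instead of a server error. Test the buffer before the sprintf, `if (msql_errstr[0]) { log_reason (msql_errstr, r->uri, r); return SERVER_ERROR; }`, mirroring how the user check treats a non-empty msql_errstr from get_msql_pw. The comment in the last hunk saying a SERVER_ERROR should not get here only holds once that path exists. The enclosing loop began before this hunk.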
  ***************
  *** 932,940 ****
  --- 932,949 ----
         */
        if ( (user_result != OK) && (sec->auth_msql_authorative) ) {
            sprintf(msql_errstr,"User %s denied, no access rules applied 
(MSQL-Authorative) ",user);
  +     log_reason (msql_errstr, r->uri, r);
            note_basic_auth_failure(r);
        return AUTH_REQUIRED;
        };
  + 
  + 
  +     /* if the user is DECLINED, it is up to the group_result to tip
  +      * the balance. But if the group result is AUTH_REQUIRED it should
  +      * always override. A SERVER_ERROR should not get here. 
  +      */
  +     if ( (user_result == DECLINED) || (group_result == AUTH_REQUIRED))
  +     return group_result;
    
        return user_result;
    }
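Review bot: The new combination `if ( (user_result == DECLINED) || (group_result == AUTH_REQUIRED)) return group_result;` is only reached after the earlier check `if ( (user_result != OK) && (sec->auth_msql_authorative) )`, which never consults group_result; unless user_result is initialised to OK (its initialisation is outside the hunk), an authoritative configuration whose only rule is `require group` is denied with "no access rules applied" even when the group lookup succeeded. If that reading is right, the earlier check should become `if ( (user_result != OK) && (group_result != OK) && (sec->auth_msql_authorative) )`, or the new combination should be moved above it. The new comment could then state the precedence in one line, e.g. `/* an explicit group denial overrides a user match; otherwise the user result decides */`.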
  
  
  
