DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21533>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21533

Summary: Apache may crash with digest authentication if sub-DocumentRoot .htaccess files override DocumentRoot .htaccess file's "Require valid-user" directive with "Require group testgroup" and the authenticated username is not listed as a member of the "testgroup" group
Product: Apache httpd-2.0
Version: HEAD
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: Normal
Priority: Other
Component: mod_auth_digest
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

When using Digest authentication along with .htaccess files, where the DocumentRoot contains an .htaccess file with "AuthDigestGroupFile" and "Require valid-user" directives, and some subdirectories contain .htaccess files with a "Require group testgroup" directive, Apache may crash when trying to access those group-restricted directories or the index of a directory directly above those IF the authenticated username does NOT appear among the usernames of that group in the AuthDigestGroupFile file.

Example:

* User to log in as "foo".
* Group "testgroup" in AuthDigestGroupFile does NOT contain the user "foo".

DocumentRoot
|  .htaccess with "AuthDigestGroupFile", "Require valid-user"
|
+-Files
   |
   +-Unrestricted
   |
   +-Restricted
      |  .htaccess with "Require group testgroup"
      |
      Restricted files go here . . .

In this example, the user may log in as "foo" using digest authentication and access the DocumentRoot. However, as soon as he/she accesses the "Files" directory (mod_autoindex is on), Apache crashes.

Under normal circumstances, mod_autoindex should list the subdirectory "Unrestricted" (only), since there is no .htaccess in that directory - and more important - there is an .htaccess in the "Restricted" directory, requiring the user to be part of the group "testgroup" (which "foo" is not).

I've spent quite some time experimenting with this, but still haven't figured out why this happens. To make things worse, it doesn't happen for all "examples" I've tried. The only consistent behavior I managed to track was that if the user "foo" DOES appear in the group file as a member of the "testgroup" group, everything works just fine. As soon as "foo" is removed from the group, no matter if there are other users left in the group or not, the problem appears. The problem also appears if the required group does not exist in the AuthDigestGroupFile file, no matter if other groups appear in the AuthDigestGroupFile file or not.

My name-based virtual host configuration contains the following for the DocumentRoot:

AllowOverride AuthConfig Indexes Limit
Options Indexes MultiViews

The DocumentRoot directory contains an .htaccess file with:

AuthType Digest
AuthName "myserver.dyndns.org"
AuthDigestDomain /
AuthDigestFile "custom/auth/.htdigest.pwd"
AuthDigestGroupFile "custom/auth/.htdigest.group"
Require valid-user
Order Allow,Deny
Allow from all
Satisfy All

The "Restricted" directory in the example contains an .htaccess file with:

# Require user to be part of group "testgroup"
Require group testgroup

The Apache error log states that it denied the client access, just before Apache crashed:

[Sat Jul 12 00:11:56 2003] [error] [client xx.xxx.xxx.xxx] Digest: access to /Files/Restricted/ failed, reason: user foo not allowed access, referer: http://myserver.dyndns.org/

On the client side, the connection of course hangs since Apache crashes.

The crash information given by Dr.
Watson on my Swedish Windows XP Professional SP-1 v5.1.2600 is (sorry for the long listing):

szAppName : Apache.exe
szAppVer : 2.0.47.0
szModName : mod_auth_digest.so
szModVer : 2.0.47.0
offset : 0000259d

[appcompat.txt]
<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="Apache.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="ab.exe" SIZE="65601" CHECKSUM="0xF5F7BB53" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="ApacheBench Utility" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="ab.exe.exe" INTERNAL_NAME="ab.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 04:57:39" UPTO_LINK_DATE="07/09/2003 04:57:39" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="Apache.exe" SIZE="20541" CHECKSUM="0xBD1E49DF" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="Apache HTTP Server" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="Apache.exe.exe" INTERNAL_NAME="Apache.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 05:02:14" UPTO_LINK_DATE="07/09/2003 05:02:14" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="ApacheMonitor.exe" SIZE="41042" CHECKSUM="0xC8BD35DD" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="Apache HTTP Server Monitor" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="ApacheMonitor.exe.exe" INTERNAL_NAME="ApacheMonitor.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 04:57:46" UPTO_LINK_DATE="07/09/2003 04:57:46" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="htdbm.exe" SIZE="77892" CHECKSUM="0x8BBD3D38" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="htdbm Utility" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="htdbm.exe.exe" INTERNAL_NAME="htdbm.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 04:57:40" UPTO_LINK_DATE="07/09/2003 04:57:40" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="htdigest.exe" SIZE="65607" CHECKSUM="0x2D18206F" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="htdigest Utility" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="htdigest.exe.exe" INTERNAL_NAME="htdigest.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 04:57:40" UPTO_LINK_DATE="07/09/2003 04:57:40" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="htpasswd.exe" SIZE="73799" CHECKSUM="0xF2B639AE" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="htpasswd Utility" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="htpasswd.exe.exe" INTERNAL_NAME="htpasswd.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 04:57:41" UPTO_LINK_DATE="07/09/2003 04:57:41" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="libapr.dll" SIZE="122952" CHECKSUM="0x9971AC84" BIN_FILE_VERSION="0.0.0.0" BIN_PRODUCT_VERSION="0.0.0.0" PRODUCT_VERSION="0.0.0.0" FILE_DESCRIPTION="Apache Portability Runtime Library" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache Portable Runtime" FILE_VERSION="0.0.0.0" ORIGINAL_FILENAME="libapr.dll" INTERNAL_NAME="libapr" LEGAL_COPYRIGHT="Copyright © 2000-2003 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="0.0.0.0" UPTO_BIN_PRODUCT_VERSION="0.0.0.0" LINK_DATE="07/09/2003 04:53:02" UPTO_LINK_DATE="07/09/2003 04:53:02" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="libapriconv.dll" SIZE="36947" CHECKSUM="0x9E006DC2" BIN_FILE_VERSION="0.0.0.0" BIN_PRODUCT_VERSION="0.0.0.0" PRODUCT_VERSION="0.0.0.0" FILE_DESCRIPTION="Apache APR I18N Conversion Library" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache Portable Runtime" FILE_VERSION="0.0.0.0" ORIGINAL_FILENAME="libapriconv.dll" INTERNAL_NAME="libapriconv" LEGAL_COPYRIGHT="Copyright © 2000-2003 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="0.0.0.0" UPTO_BIN_PRODUCT_VERSION="0.0.0.0" LINK_DATE="07/09/2003 04:53:08" UPTO_LINK_DATE="07/09/2003 04:53:08" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="libaprutil.dll" SIZE="168017" CHECKSUM="0x16072260" BIN_FILE_VERSION="0.0.0.0" BIN_PRODUCT_VERSION="0.0.0.0" PRODUCT_VERSION="0.0.0.0" FILE_DESCRIPTION="Apache APR Utility Library" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache Portable Runtime" FILE_VERSION="0.0.0.0" ORIGINAL_FILENAME="libaprutil.dll" INTERNAL_NAME="libaprutil" LEGAL_COPYRIGHT="Copyright © 2000-2003 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="0.0.0.0" UPTO_BIN_PRODUCT_VERSION="0.0.0.0" LINK_DATE="07/09/2003 04:55:48" UPTO_LINK_DATE="07/09/2003 04:55:48" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="libhttpd.dll" SIZE="249919" CHECKSUM="0x1C2F6C94" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="Apache HTTP Server Core" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="libhttpd.dll.exe" INTERNAL_NAME="libhttpd.dll" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 05:02:13" UPTO_LINK_DATE="07/09/2003 05:02:13" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="logresolve.exe" SIZE="20553" CHECKSUM="0x5B12A316" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="logresolve Utility" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="logresolve.exe.exe" INTERNAL_NAME="logresolve.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 04:57:42" UPTO_LINK_DATE="07/09/2003 04:57:42" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="rotatelogs.exe" SIZE="41033" CHECKSUM="0x943B360E" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="rotatelogs Utility" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="rotatelogs.exe.exe" INTERNAL_NAME="rotatelogs.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 04:57:42" UPTO_LINK_DATE="07/09/2003 04:57:42" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="wintty.exe" SIZE="20555" CHECKSUM="0xCB14B75A" BIN_FILE_VERSION="2.0.47.0" BIN_PRODUCT_VERSION="2.0.47.0" PRODUCT_VERSION="2.0.47" FILE_DESCRIPTION="wintty Console Utility" COMPANY_NAME="Apache Software Foundation" PRODUCT_NAME="Apache HTTP Server" FILE_VERSION="2.0.47" ORIGINAL_FILENAME="wintty.exe.exe" INTERNAL_NAME="wintty.exe" LEGAL_COPYRIGHT="Copyright © 2000-2002 The Apache Software Foundation." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x0" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="2.0.47.0" UPTO_BIN_PRODUCT_VERSION="2.0.47.0" LINK_DATE="07/09/2003 04:57:46" UPTO_LINK_DATE="07/09/2003 04:57:46" VER_LANGUAGE="Engelska (USA) [0x409]" />
</EXE>
<EXE NAME="kernel32.dll" FILTER="GRABMI_FILTER_THISFILEONLY">
<MATCHING_FILE NAME="kernel32.dll" SIZE="944128" CHECKSUM="0xE974D2BD" BIN_FILE_VERSION="5.1.2600.1106" BIN_PRODUCT_VERSION="5.1.2600.1106" PRODUCT_VERSION="5.1.2600.1106" FILE_DESCRIPTION="Klient-DLL för Windows NT BASE API" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Operativsystemet Microsoft® Windows® " FILE_VERSION="5.1.2600.1106 (xpsp1.020828-1920)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. Med ensamrätt." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xE818D" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.1106" UPTO_BIN_PRODUCT_VERSION="5.1.2600.1106" LINK_DATE="09/09/2002 21:06:43" UPTO_LINK_DATE="09/09/2002 21:06:43" VER_LANGUAGE="Svenska [0x41d]" />
</EXE>
</DATABASE>

Please let me know if I can be of any further assistance. The temporary solution for me is not to use the group feature of digest authentication... :-/

Best regards,
Björn
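The authorization decision the report exercises, written out as an added example that is not part of the original report and not Apache's mod_auth_digest code: a "Require valid-user" in the DocumentRoot, a "Require group testgroup" in a subdirectory overriding it, and an AuthDigestGroupFile in which the authenticated user is absent. The model below treats both inputs the reporter isolated as the trigger (user not in the group, and the required group not existing at all) as ordinary denies, and shows what a directory index should list for each user once every entry is checked as its own request. The group file syntax ("group: user1 user2") is the one Apache documents; the sample file contents, usernames and URL paths are constructed, and the URL-prefix lookup standing in for per-directory .htaccess merging is a simplification assumed for the example.

```python
"""Authorization logic for Apache-style digest group files (added example)."""
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample AuthDigestGroupFile; "foo" is deliberately not a member.
SAMPLE_GROUP_FILE = """\
# testgroup members (constructed sample)
testgroup: alice bob
"""

# Constructed per-directory Require directives keyed by URL prefix, standing
# in for the two .htaccess files in the report.
SAMPLE_REQUIRES = {
    "/": "valid-user",                        # DocumentRoot .htaccess
    "/Files/Restricted/": "group testgroup",  # subdirectory .htaccess
}


def parse_group_file(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Parse 'group: user user ...' lines into {group: set(users)}."""
    groups: Dict[str, Set[str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep:
            continue  # no colon: malformed line, skipped rather than fatal
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def authorize(user: Optional[str], require: str,
              groups: Dict[str, Set[str]]) -> bool:
    """Evaluate one Require directive for an already-authenticated user.

    An unknown group or a non-member yields a plain False; these are the
    two inputs the report names as the crash trigger, so the point is
    that they must reach a deny, never an error path.
    """
    parts = require.split()
    if user is None or not parts:
        return False
    kind, args = parts[0], parts[1:]
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in args
    if kind == "group":
        # groups.get(g, set()) covers "required group does not exist"
        return any(user in groups.get(g, set()) for g in args)
    return False  # unrecognised Require type: fail closed


def require_for_path(path: str, requires: Dict[str, str]) -> Optional[str]:
    """Return the Require of the deepest directory covering `path`, so a
    subdirectory's directive replaces the DocumentRoot's (assumed model)."""
    for prefix in sorted(requires, key=len, reverse=True):
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return requires[prefix]
    return None


def is_allowed(user: Optional[str], path: str, requires: Dict[str, str],
               groups: Dict[str, Set[str]]) -> bool:
    """Full decision for one request: no covering Require means deny."""
    req = require_for_path(path, requires)
    return req is not None and authorize(user, req, groups)


def visible_entries(user: Optional[str], directory: str, entries: List[str],
                    requires: Dict[str, str],
                    groups: Dict[str, Set[str]]) -> List[str]:
    """Entries of `directory` an index listing should show `user`; each one
    is evaluated as its own request, which is what the report expects of
    mod_autoindex (only "Unrestricted" for a user outside the group)."""
    base = directory.rstrip("/") + "/"
    return [e for e in entries
            if is_allowed(user, base + e + "/", requires, groups)]


if __name__ == "__main__":
    g = parse_group_file(SAMPLE_GROUP_FILE.splitlines())
    for who in ("foo", "alice"):
        print(who, "sees in /Files/:",
              visible_entries(who, "/Files/", ["Unrestricted", "Restricted"],
                              SAMPLE_REQUIRES, g))
```

Running the block lists only "Unrestricted" for "foo" and both subdirectories for "alice"; removing "testgroup" from the sample file entirely changes nothing for "foo", since a missing group and a missing member both fall through to the same deny.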
