http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21533

Apache may crash with digest authentication if sub-DocumentRoot .htaccess files override the DocumentRoot .htaccess file's "Require valid-user" directive with "Require group testgroup" and the authenticated username is not listed as a member of the "testgroup" group.

------- Additional Comments From [EMAIL PROTECTED]  2003-08-11 03:49 -------
I reviewed the 1.3.28 code some more and have a proposed patch (should I have 
opened a separate bug report for 1.3.28?). If I understand things correctly, the 
following is happening... request_req.request_config is being initialized in 
update_nonce_count. update_nonce_count appears to be called when the client 
sends authorization records. Since the call to digest_check_auth is coming 
from mod_autoindex's call to ap_sub_req_lookup_file and not from a browser 
request with authorization records, update_nonce_count is not being called and 
thus request_config is not being initialized. 

The following patch assumes that if request_config is NULL then the call to 
digest_check_auth must be coming from a non-user request. If this is not true 
then maybe another solution may be better. However, if the assumption is 
correct then we know when a call to digest_check_auth has been initiated not by 
a user, so we don't need to log and note the failure. 

--- mod_auth_digest.c.orig      Sat Feb 15 22:42:24 2003
+++ mod_auth_digest.c   Sun Aug 10 23:03:16 2003
@@ -1788,6 +1788,7 @@
     const digest_config_rec *conf =
                (digest_config_rec *) ap_get_module_config(r->per_dir_config,
                                                           &digest_auth_module);
+    digest_header_rec *resp;
     const char *user = r->connection->user;
     int m = r->method_number;
     int method_restricted = 0;
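Review bot: `resp` is declared here but only assigned far down in the function, while `conf` two lines above is fetched at its declaration with the same `ap_get_module_config` call; consider initializing `resp` here as well (`digest_header_rec *resp = (digest_header_rec *) ap_get_module_config(r->request_config, &digest_auth_module);`) so both per-request config lookups sit together and the later hunk reduces to the NULL test.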
@@ -1851,15 +1852,21 @@
     if (!method_restricted)
        return OK;
 
-    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
-       "Digest: access to %s failed, reason: user %s not allowed access",
-       r->uri, user);
+       resp = (digest_header_rec *) ap_get_module_config(r->request_config,
+                                                                 
&digest_auth_module);
 
-    note_digest_auth_failure(r, conf,
-       (digest_header_rec *) ap_get_module_config(r->request_config,
-                                                  &digest_auth_module),
-       0);
-    return AUTH_REQUIRED;
+       /* if there isn't a resp initalized then this check auth
+       didn't come from a user request (i.e. FancyIndexing) 
+       so don't log it */
+       if (resp != NULL) {
+               ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+               "Digest: access to %s failed, reason: user %s not allowed 
access",
+               r->uri, user);
+
+               note_digest_auth_failure(r, conf, resp, 0);
+       }
+
+       return AUTH_REQUIRED;
 }
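Review bot: the new guard tests `resp`, not `r->request_config`, yet the description above says the crash happens when `request_config` itself is NULL; if that is really the case, the `ap_get_module_config(r->request_config, &digest_auth_module)` call at the top of this hunk dereferences the NULL vector before `if (resp != NULL)` is ever reached, so either check `r->request_config` first or confirm that for the sub-request only the module's slot in the vector is NULL (which is the case this patch actually handles, and would be worth saying in the comment). Also, the mailer has wrapped two lines of the hunk (the `&digest_auth_module);` continuation and the `access",` tail of the log message), so the string literal is split across lines and the patch will neither apply nor compile as pasted; please attach the diff as a file. Minor: with `note_digest_auth_failure` skipped, the `AUTH_REQUIRED` returned to the sub-request carries no `WWW-Authenticate` header, which is acceptable for mod_autoindex's lookup but deserves a mention in the comment.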

Please excuse any white space style errors, I wasn't sure what the style was 
from the existing code and didn't take the time to see if there was a published 
style for apache.

-Kurt
