Hi there,

another updated old patch, although this one was previously under a
different name (RevealSecretUrl, or something similar).

In an otherwise-accessible directory, I require authentication for the
file "thing.cgi". Currently, I can't advertise that under the url
"thing". With this patch (and a config directive set) I can. So when I
replace it with "thing.html", links don't break.

More details, as well as warnings of where it might act unexpectedly, in
the docs patch at the end.

Against 2.0.44.

All the best,

        f
-- 
Francis Daly        [EMAIL PROTECTED]

--- modules/mappers/mod_negotiation.c   2002-11-25 19:03:26.000000000 +0000
+++ modules/mappers/mod_negotiation.c   2003-01-25 19:41:52.000000000 +0000
@@ -89,6 +89,7 @@
 
 typedef struct {
     int forcelangpriority;
+    int allow_unauth;
     apr_array_header_t *language_priority;
 } neg_dir_config;
 
@@ -101,6 +102,12 @@
 
 #define FLP_DEFAULT  FLP_PREFER
 
+/* allow_unauth flags
+ */
+#define AUA_UNDEF    0    /* "no explicit config" */
+#define AUA_ON       1
+#define AUA_OFF      2
+
 module AP_MODULE_DECLARE_DATA negotiation_module;
 
 static void *create_neg_dir_config(apr_pool_t *p, char *dummy)
@@ -108,6 +115,7 @@
     neg_dir_config *new = (neg_dir_config *) apr_palloc(p, sizeof(neg_dir_config));
 
     new->forcelangpriority = FLP_UNDEF;
+    new->allow_unauth = AUA_UNDEF;
     new->language_priority = NULL;
     return new;
 }
@@ -122,6 +130,9 @@
     new->forcelangpriority = (add->forcelangpriority != FLP_UNDEF)
                                ? add->forcelangpriority 
                                : base->forcelangpriority;
+    new->allow_unauth = (add->allow_unauth != AUA_UNDEF)
+                           ? add->allow_unauth
+                           : base->allow_unauth;
     new->language_priority = add->language_priority 
                                ? add->language_priority 
                                 : base->language_priority;
@@ -142,6 +153,18 @@
     return NULL;
 }
 
+static const char *allow_unauth(cmd_parms *cmd, void *n_, int arg)
+{
+    neg_dir_config *n = n_;
+    const char *err = ap_check_cmd_context(cmd, NOT_IN_FILES);
+
+    if (err != NULL) {
+        return err;
+    }
+    n->allow_unauth = arg ? AUA_ON : AUA_OFF;
+    return NULL;
+}
+
 static const char *set_force_priority(cmd_parms *cmd, void *n_, const char *w)
 {
     neg_dir_config *n = n_;
@@ -188,6 +211,8 @@
 {
     AP_INIT_FLAG("CacheNegotiatedDocs", cache_negotiated_docs, NULL, RSRC_CONF, 
                  "Either 'on' or 'off' (default)"),
+    AP_INIT_FLAG("MultiviewsAllowUnauthorized", allow_unauth, NULL, 
+RSRC_CONF|OR_AUTHCFG,
+                 "Either 'on' or 'off' (default)"),
     AP_INIT_ITERATE("LanguagePriority", set_language_priority, NULL, OR_FILEINFO, 
                     "space-delimited list of MIME language abbreviations"),
     AP_INIT_ITERATE("ForceLanguagePriority", set_force_priority, NULL, OR_FILEINFO,
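Review bot: The continuation `RSRC_CONF|OR_AUTHCFG,` in the new AP_INIT_FLAG entry starts at column 0, unlike every other argument continuation in this table; indent it under the first argument, e.g. `                 RSRC_CONF|OR_AUTHCFG,`. The name registered here, `MultiviewsAllowUnauthorized`, is spelled `MultiViewsAllowUnauthorized` in the docs hunk; directive lookup is case-insensitive so both work, but the two should agree so the manual matches what an administrator sees in the source. The command table continues outside the hunk.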
@@ -1049,6 +1074,7 @@
     struct accept_rec accept_info;
     void *new_var;
     int anymatch = 0;
+    int found_unauth = 0;
 
     clean_var_rec(&mime_info);
 
@@ -1114,6 +1140,13 @@
         if (sub_req->finfo.filetype != APR_REG)
             continue;
 
+        /* Note if it failed UNAUTHORIZED. We may want to return this
+         * status, eventually
+         */
+        if (sub_req->status == HTTP_UNAUTHORIZED) {
+            found_unauth = 1;
+        }
+
         /* If it has a handler, we'll pretend it's a CGI script,
          * since that's a good indication of the sort of thing it
          * might be doing.
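Review bot: The 401 path in the later hunk (the `if (anymatch && !neg->avail_vars->nelts)` block) builds its challenge on the main request with `ap_note_basic_auth_failure(r)`, but `r` is the directory-level request whose AuthType/AuthName may be unset or differ from the configuration that actually rejected the sub-request (the docs hunk itself warns the wrong realm may be returned), and it always advertises Basic even where the variant is protected by another scheme. Better to capture the sub-request's own `WWW-Authenticate` header at the point `found_unauth` is set here, into a local declared next to `found_unauth` (`const char *unauth_challenge = NULL;`), since rejected sub-requests may be destroyed before the loop ends (not visible in this hunk); then at the return point copy it into `r->err_headers_out` and fall back to `ap_note_auth_failure(r)` only when nothing was captured. Keep it in a local rather than setting `r->err_headers_out` inside the loop, because that table is presumably emitted even when a later variant succeeds, which would attach a challenge to a 200 response. read_types_multi begins and ends outside these hunks.
```c
        /* … unchanged: filetype check … */
        if (sub_req->status == HTTP_UNAUTHORIZED) {
            const char *challenge =
                apr_table_get(sub_req->err_headers_out, "WWW-Authenticate");

            found_unauth = 1;
            /* sub_req may be torn down before we return, so copy into r's pool */
            if (challenge && !unauth_challenge) {
                unauth_challenge = apr_pstrdup(r->pool, challenge);
            }
        }
        /* … unchanged: handler / content_type handling … */

        /* later, in the "None could be served" block: */
        if (found_unauth && neg->conf->allow_unauth == AUA_ON) {
            if (unauth_challenge) {
                apr_table_setn(r->err_headers_out, "WWW-Authenticate",
                               unauth_challenge);
            }
            else {
                ap_note_auth_failure(r);
            }
            return HTTP_UNAUTHORIZED;
        }
```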
@@ -1233,9 +1266,13 @@
 
     /* We found some file names that matched.  None could be served.
      * Rather than fall out to autoindex or some other mapper, this
-     * request must die.
+     * request must die, unless we can offer UNAUTHORIZED.
      */
     if (anymatch && !neg->avail_vars->nelts) {
+        if (found_unauth && neg->conf->allow_unauth == AUA_ON) {
+            ap_note_basic_auth_failure(r);
+            return HTTP_UNAUTHORIZED;
+        }
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "Negotiation: discovered file(s) matching request: %s"
                       " (None could be negotiated).", 
--- docs/manual/mod/mod_negotiation.xml 2002-12-17 18:31:37.000000000 +0000
+++ docs/manual/mod/mod_negotiation.xml 2003-01-25 20:39:47.000000000 +0000
@@ -258,4 +258,36 @@
 <seealso><directive module="mod_mime">AddLanguage</directive></seealso>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>MultiViewsAllowUnauthorized</name>
+<description>Allows some authentication-requiring files be
+MultiViews-matched</description>
+<syntax>MultiViewsAllowUnauthorized On|Off</syntax>
+<default>MultiViewsAllowUnauthorized Off</default>
+<contextlist><context>server config</context><context>virtual host</context>
+<context>directory</context><context>.htaccess</context></contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in version 2.0.45 and later</compatibility>
+
+<usage>
+    <p>This directive only has an effect in directories where not all
+    files require the same authentication. In that case, a MultiViews
+    request that would otherwise return 404 Not Found can, with
+    MultiViewsAllowUnauthorized On, instead return 401 Authorization
+    Required, if there is a filename which might be acceptable when
+    the correct credentials are provided. Depending on the exact
+    configuration, subsequent authenticated responses may return success,
+    or even fail 406, 404, or 401 persistently. The last few may appear
+    surprising.</p>
+
+    <p>Additionally, if there is not exactly one realm (from <directive
+    module="core">AuthName</directive>) for the entire directory, the
+    wrong realm may be returned in the response headers.</p>
+
+    <p>This directive may reveal to unauthenticated clients that the
+    url they requested may match one requiring authentication. If that
+    information leakage is unacceptable, don't turn it on.</p>
+</usage>
+</directivesynopsis>
+
 </modulesynopsis>
