On Thu, Jul 5, 2012 at 7:01 PM, <chr...@apache.org> wrote: > Author: chrisd > Date: Thu Jul 5 23:01:09 2012 > New Revision: 1357986 > > URL: http://svn.apache.org/viewvc?rev=1357986&view=rev > Log: > Avoid internal sub-requests and processing of Location headers when > in FCGI_AUTHORIZER mode, as the mod_fcgid_authenticator(), etc. hook > functions report an error if the script returned a Location header and > redirections are nonsensical in this mode. > > Previously, the handle_request_ipc() and handle_request() functions would > examine this header when in FCGI_AUTHORIZER mode and then possibly execute > an internal sub-request, which has no particular use, as its return value > is ignored and its output may conflict with that of the actual content > generation phase. >
>From the FastCGI spec (6.3): "For Authorizer response status values other than "200" (OK), the Web server denies access and sends the response status, headers, and content back to the HTTP client." I was initially confused when looking at this commit (nothing like reviewing one year later) wondering if it broke this requirement, but AFAICT 2.3.7 didn't support the feature anyway, so no regression. (Some iff statements in this code are what control it.) > Modified: > httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bridge.c > > Modified: httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bridge.c > URL: > http://svn.apache.org/viewvc/httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bridge.c?rev=1357986&r1=1357985&r2=1357986&view=diff > > ============================================================================== > --- httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bridge.c (original) > +++ httpd/mod_fcgid/trunk/modules/fcgid/fcgid_bridge.c Thu Jul 5 23:01:09 > 2012 > @@ -320,6 +320,10 @@ handle_request_ipc(request_rec *r, int r > return cond_status; > } > > + if (role == FCGI_AUTHORIZER) { > + return cond_status; > + } > + > /* Check redirect */ > location = apr_table_get(r->headers_out, "Location"); > > @@ -347,9 +351,8 @@ handle_request_ipc(request_rec *r, int r > } > > /* Now pass to output filter */ > - if (role == FCGI_RESPONDER > - && (rv = ap_pass_brigade(r->output_filters, > - brigade_stdout)) != APR_SUCCESS) { > + if ((rv = ap_pass_brigade(r->output_filters, > + brigade_stdout)) != APR_SUCCESS) { > if (!APR_STATUS_IS_ECONNABORTED(rv)) { > ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r, > "mod_fcgid: ap_pass_brigade failed in " > > > -- Born in Roswell... married an alien... http://emptyhammock.com/
