-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 04 October 2002 12:26 pm, i.t wrote:
>it would be helpful, if you could provide some more actual details
Hi sir,
I'm developing in redhat 7.3 httpd 1.3.23-14; it's a very complex
infrastructure with mod_pubcookie, mod_proxy and mod_rewrite
it's noteasy to describe it; it's easier for me show you the piece of code that
in http allowed me to change parameter in post stuff, but not in https
int change_out_post(request_rec *r, char *username) {
char argsbuffer[HUGE_STRING_LEN];
int retval;
/* checkout http_protocols.c for reading the body info */
if ((retval = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
return retval;
if (ap_should_client_block(r)) {
char *p=r->connection->client->inptr;
int len_read;
ap_hard_timeout("copy script args", r);
;
if ((p=strstr(r->connection->client->inptr, "username")) !=
NULL) {
memcpy( p+strlen("username="), foo, 10);
p=r->connection->client->inptr;
}
libpbc_debug("change_out_post[%d]: inptr: %s\n", __LINE__, p);
ap_kill_timeout(r);
}
return(1);
}
i try to explain it:
Premise.
suppose that u want authenticate a user and after authentication u want to add
the username to hidden parameter
beacause application on backend (we are in rev-proxy architecture) needs it as
post parameters.
The misfact.
before autheticating using mod_pubcookie i add some hidden parameter
initialized to null
e.g. 'username=
'
u can see sufficient blanks after username=, to accomodate for username value
it's a low tricky, don't blame to me!
after authetication i try to valorize username...how?!?
with strstr i search the parameter name in post area pointed (if we are in
http!!!) by r->connection->client->inptr
i add 9 bytes to this pointer (strlen("username="))
i write the username in place of blanks
done!
this horrible trick worked until i pass to https...
Conclusion.
i fear that it's not portable (sure it doesn't work in apache 2.0!) and after
apache
rewriting for chunked exploit all my stuff is outdated, even i've not tested it;
i write this piece of code the days before 21 June!!!
My prayer.
now, i know well that this piece of sw cannot be a solution and i seraching for
some help to do something more robust and reliable.
thnx in advance!
- --
Maurizio Marini
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9nYLY4Q/49nIJTlwRAvyGAJ477retyJiKljXEpbDK6/R1C0js7gCfY9o1
cBcLKP/t/J0NITERpWOnl6I=
=2GFV
-----END PGP SIGNATURE-----
