Re: [patch] - digest nonce including MM bump, doc and changes.

2003-12-20 Thread Ben Laurie
Dirk-Willem van Gulik wrote:

> On Thu, 18 Dec 2003, Greg Marr wrote:
>
> > Couldn't the new member be placed at the end of the request rec so
> > that it's only a minor bump?
>
> Sure - does that work across all compilers ?

Yes.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

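The question settled in the exchange above (does appending the member keep the bump minor on every compiler?) can be checked directly: C lays struct members out in declaration order at increasing addresses, the compiler may insert padding but may not reorder, and the optimisation level affects generated code, not the platform ABI's layout. The program below is an added example, not code from this thread or from Apache. It declares three stand-in structs built from the four members visible in the http_core.h hunk (the struct names, the opaque `array_header` stand-in and the `marker` sentinel are hypothetical), compares the offset of `ap_requires` when `ap_auth_nonce` is inserted before it as in the posted patch versus appended at the end, and then has an "old ABI" reader fetch `ap_requires` at the pre-patch offset from each layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Apache's array_header; only its address is used here. */
typedef struct array_header array_header;

/* The auth section of the per-directory config struct as the
 * http_core.h hunk shows it before the patch (struct name hypothetical,
 * the four members are the ones in the hunk). */
typedef struct {
    int satisfy;
    char *ap_auth_type;
    char *ap_auth_name;
    array_header *ap_requires;
} cfg_old;

/* The posted patch: the new member goes in before ap_requires. */
typedef struct {
    int satisfy;
    char *ap_auth_type;
    char *ap_auth_name;
    char *ap_auth_nonce;        /* digest auth */
    array_header *ap_requires;
} cfg_insert_mid;

/* Greg Marr's alternative: the new member goes at the end. */
typedef struct {
    int satisfy;
    char *ap_auth_type;
    char *ap_auth_name;
    array_header *ap_requires;
    char *ap_auth_nonce;        /* digest auth */
} cfg_append;

/* Offset of ap_requires under each layout.  Members sit in declaration
 * order at increasing addresses on every conforming compiler, so
 * appending cannot move ap_requires while inserting before it must. */
size_t requires_offset_old(void)    { return offsetof(cfg_old, ap_requires); }
size_t requires_offset_mid(void)    { return offsetof(cfg_insert_mid, ap_requires); }
size_t requires_offset_append(void) { return offsetof(cfg_append, ap_requires); }

/* A module binary built against cfg_old reads the config block through
 * the old offsets.  memcpy at that offset keeps the access well defined
 * whatever the block's real type is. */
static array_header *old_module_read_requires(const void *conf)
{
    array_header *p;
    memcpy(&p, (const char *)conf + offsetof(cfg_old, ap_requires), sizeof p);
    return p;
}

static int marker;  /* any distinct address serves as a sentinel value */

/* 1 if an old-ABI module still finds ap_requires after the patch. */
int old_module_ok_with_append(void)
{
    cfg_append c;
    memset(&c, 0, sizeof c);
    c.ap_requires = (array_header *)&marker;
    return old_module_read_requires(&c) == (array_header *)&marker;
}

int old_module_ok_with_insert_mid(void)
{
    cfg_insert_mid c;
    memset(&c, 0, sizeof c);
    c.ap_requires = (array_header *)&marker;
    /* The old offset now lands on ap_auth_nonce (NULL here), not on
     * ap_requires, so the old module silently reads the wrong field. */
    return old_module_read_requires(&c) == (array_header *)&marker;
}

int main(void)
{
    printf("ap_requires offset: old %zu, inserted mid-struct %zu, appended %zu\n",
           requires_offset_old(), requires_offset_mid(), requires_offset_append());
    printf("old module, member appended:   %s\n",
           old_module_ok_with_append() ? "reads the right field" : "broken");
    printf("old module, member inserted:   %s\n",
           old_module_ok_with_insert_mid() ? "reads the right field" : "broken");
    return 0;
}
```

The appended layout leaves every pre-existing offset unchanged, which is why Apache treats it as a minor magic-number bump: old modules keep reading the right fields and only code that uses the new member needs the new headers. The mid-struct insertion moves `ap_requires` and everything after it, so every module built against the old header must be recompiled, hence the major bump.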

Re: [patch] - digest nonce including MM bump, doc and changes.

2003-12-19 Thread Mark J Cox
> +  *) SECURITY - verification as to wether the nonce returned in the
> + client response is one we issued ourselves by means of a
> + AuthNonce secret exposed as an md5(). See mod_digest documentation
> + for more details. The experimental/mod_auth_digest.c does not
> + have this issue.  [Dirk-Willem van Gulik]
> +

Use CAN-2003-0987 for this issue

Mark
--
Mark J Cox ... www.awe.com/mark
Apache Software Foundation . OpenSSL Group . Apache Week editor





Re: [patch] - digest nonce including MM bump, doc and changes.

2003-12-19 Thread Dirk-Willem van Gulik


On Thu, 18 Dec 2003, Greg Marr wrote:

> Couldn't the new member be placed at the end of the request rec so
> that it's only a minor bump?

Sure - does that work across all compilers ? Or do some still do some
sort of sorting/packing depending on O level ?

Dw


Re: [patch] - digest nonce including MM bump, doc and changes.

2003-12-18 Thread Greg Marr
Couldn't the new member be placed at the end of the request rec so 
that it's only a minor bump?

+  *) SECURITY - verification as to wether the nonce returned in the
s/wether/whether/

+  "A random value or the servers IP may be a good choise.\n" },
s/choise/choice/

+/* We need to create a nonce which:
+ * a) changes all the time (see r->request_time)
+ *below and
+ * b) of which we can verify that it is our own
+ *fairly easily when it comes to veryfing
s/veryfing/verifying/

+ *the digest coming back in the response.
+ * c) and which as a whole should not
+ *be unlikely to be in use anywhere else.
"should not likely be in use" or "should be unlikely to be in use"

+If none if configured a sensible, but not particular
s/if/is/
s/particular/particularly/
--
Greg Marr
[EMAIL PROTECTED]


[patch] - digest nonce including MM bump, doc and changes.

2003-12-18 Thread Dirk-Willem van Gulik

More complete patch, thanks for the feedback. Other options
include

->  kill mod_digest.c

and/or

->  move mod_auth_digest.c from exp. into standard

as this fix requires a MM bump _or_ so much rewriting that
it may be easier to spend some cycles on mod_auth_digest.c.

Dw

Index: src/ApacheCore.def
===
RCS file: /home/cvs/apache-1.3/src/ApacheCore.def,v
retrieving revision 1.35
diff -u -r1.35 ApacheCore.def
--- src/ApacheCore.def  18 Jun 2002 04:19:46 -  1.35
+++ src/ApacheCore.def  18 Dec 2003 21:25:49 -
@@ -447,3 +447,4 @@
 ap_getline @439
 ap_get_chunk_size @440
 ap_escape_logitem @441
+   ap_auth_nonce @442
Index: src/ApacheCoreOS2.def
===
RCS file: /home/cvs/apache-1.3/src/ApacheCoreOS2.def,v
retrieving revision 1.13
diff -u -r1.13 ApacheCoreOS2.def
--- src/ApacheCoreOS2.def   22 May 2003 09:45:28 -  1.13
+++ src/ApacheCoreOS2.def   18 Dec 2003 21:25:50 -
@@ -430,3 +430,4 @@
ap_escape_logitem @441
ap_popenf_ex @442
ap_psocket_ex @443
+   ap_auth_nonce @444
Index: src/CHANGES
===
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1914
diff -u -r1.1914 CHANGES
--- src/CHANGES 14 Dec 2003 18:16:49 -  1.1914
+++ src/CHANGES 18 Dec 2003 21:25:56 -
@@ -1,5 +1,11 @@
 Changes with Apache 1.3.30

+  *) SECURITY - verification as to wether the nonce returned in the
+ client response is one we issued ourselves by means of a
+ AuthNonce secret exposed as an md5(). See mod_digest documentation
+ for more details. The experimental/mod_auth_digest.c does not
+ have this issue.  [Dirk-Willem van Gulik]
+
   *) SECURITY [CAN-2003-0020]: Escape arbitrary data before writing
  into the errorlog.  [André Malo]

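Review bot: the new CHANGES entry should carry the identifier Mark J Cox assigned, CAN-2003-0987, in the same `SECURITY [CAN-...]` form as the CAN-2003-0020 entry directly below it, and "wether" is a typo for "whether". "exposed as an md5()" also leaves the reader guessing what is hashed; say what the MD5 covers (the digest comment quoted in Greg Marr's reply mentions r->request_time and the AuthNonce secret) and that the check rejects nonces the server did not issue.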
Index: src/include/ap_mmn.h
===
RCS file: /home/cvs/apache-1.3/src/include/ap_mmn.h,v
retrieving revision 1.65
diff -u -r1.65 ap_mmn.h
--- src/include/ap_mmn.h14 Dec 2003 18:16:49 -  1.65
+++ src/include/ap_mmn.h18 Dec 2003 21:25:56 -
@@ -244,6 +244,8 @@
  *ap_popenf_ex() and ap_psocket_ex().
  * 19990320.15  - ap_is_recursion_limit_exceeded()
  * 19990320.16  - ap_escape_errorlog_item()
+ * 20031212 1.3.30-dev  - ap_auth_nonce() and auth_nonce added
+ *in the request_rec.
  */

 #define MODULE_MAGIC_COOKIE 0x41503133UL /* "AP13" */
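Review bot: the new comment says ap_auth_nonce was added "in the request_rec", but the http_core.h hunk puts `char *ap_auth_nonce;` next to ap_auth_type and ap_auth_name in the per-directory core config struct, and ap_auth_nonce() in http_core.c reads it through `ap_get_module_config(r->per_dir_config, &core_module)`; fix the comment (and the member is ap_auth_nonce, not auth_nonce). This is also the only ap_mmn.h hunk and it changes only the comment block: the magic-number #define itself is not touched in the diff as posted, so the MM bump named in the subject is not actually in the patch yet. The "20031212 1.3.30-dev" entry format differs from the "19990320.16  -" style of the lines above it.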
Index: src/include/http_core.h
===
RCS file: /home/cvs/apache-1.3/src/include/http_core.h,v
retrieving revision 1.71
diff -u -r1.71 http_core.h
--- src/include/http_core.h 7 Jul 2003 00:34:09 -   1.71
+++ src/include/http_core.h 18 Dec 2003 21:25:56 -
@@ -162,6 +162,7 @@

 API_EXPORT(const char *) ap_auth_type (request_rec *);
 API_EXPORT(const char *) ap_auth_name (request_rec *);
+API_EXPORT(const char *) ap_auth_nonce (request_rec *);
 API_EXPORT(int) ap_satisfies (request_rec *r);
 API_EXPORT(const array_header *) ap_requires (request_rec *);

@@ -244,6 +245,7 @@
 int satisfy;
 char *ap_auth_type;
 char *ap_auth_name;
+char *ap_auth_nonce;   /* digest auth */
 array_header *ap_requires;

 /* Custom response config. These can contain text or a URL to redirect to.
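Review bot: inserting `char *ap_auth_nonce;` before ap_requires shifts the offset of ap_requires and of every member after it, which is what forces the major MM bump; appending it as the last member of the struct, as Greg Marr suggests, keeps every existing offset (C keeps members in declaration order) and needs only a minor bump. The `/* digest auth */` comment should also name the AuthNonce directive the value comes from, so a reader can find where it is set.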
Index: src/main/http_core.c
===
RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
retrieving revision 1.327
diff -u -r1.327 http_core.c
--- src/main/http_core.c17 Nov 2003 17:14:53 -  1.327
+++ src/main/http_core.c18 Dec 2003 21:25:58 -
@@ -236,6 +236,9 @@
 if (new->ap_auth_name) {
 conf->ap_auth_name = new->ap_auth_name;
 }
+if (new->ap_auth_nonce) {
+conf->ap_auth_nonce= new->ap_auth_nonce;
+}
 if (new->ap_requires) {
 conf->ap_requires = new->ap_requires;
 }
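Review bot: style, `conf->ap_auth_nonce= new->ap_auth_nonce;` is missing the space before `=` that the ap_auth_name and ap_requires assignments around it use.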
@@ -577,6 +580,29 @@
 return conf->ap_auth_name;
 }

+API_EXPORT(const char *) ap_auth_nonce(request_rec *r)
+{
+core_dir_config *conf;
+conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
+  &core_module);
+if (conf->ap_auth_nonce)
+   return conf->ap_auth_nonce;
+
+/* Ideally we'd want to mix in some per-directory style
+ * information; as we are likely to want to detect replay
+ * across those boundaries and some randomness. But that
+ * is harder due to the adhoc nature of .htaccess memory
+ * structures, restarts and forks.
+ *
+ * But then again - you should use AuthNonce in your config
+ * file if you care. So the adhoc value should do.
+ */
+return ap_psprintf(r->pool,"%lu%lu%lu%lu%lu%s",
+   *(unsi
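Review bot: the fallback in ap_auth_nonce() builds the secret per request from process values via ap_psprintf (the expression is cut off after `*(unsi` in the posted copy) and the comment itself concedes it contains no randomness; a client that can reproduce those values obtains the same secret, so the verification is only as strong as AuthNonce. Either the documentation should say plainly that AuthNonce must be set for the check to mean anything, or the default should be derived once at startup from an unpredictable source rather than from values a request can influence. Smaller points: `ap_psprintf(r->pool,"%lu...` lacks a space after the comma, "adhoc" should be "ad hoc", and the `return conf->ap_auth_nonce;` line is indented differently from the surrounding code. The patch is truncated here, so the rest of this function and the mod_digest.c change cannot be reviewed from this copy.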