authorJeff Trawick <trawick@apache.org>2014-12-02 13:20:21 +0100
committerJeff Trawick <trawick@apache.org>2014-12-02 13:20:21 +0100
commitd49e6f0ad9037ba42ce8510f8e7e61a8875183b7 (patch)
tree8688e1c2dfed971351de0273c2ecc0e68c72324d
parentFix curly braces style (diff)
core: Add CGIPassAuth directive to control whether HTTP authorization
headers are passed to scripts as CGI variables. PR: 56855 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1642847 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--CHANGES4
-rw-r--r--docs/manual/mod/core.xml37
-rw-r--r--include/ap_mmn.h4
-rw-r--r--include/http_core.h9
-rw-r--r--server/core.c16
-rw-r--r--server/util_script.c6
6 files changed, 74 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index 6cd420f931..5743938860 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
used in multiple Require directives with different arguments.
PR57204 [Edward Lu <Chaosed0 gmail.com>]
+ *) core: Add CGIPassAuth directive to control whether HTTP authorization
+ headers are passed to scripts as CGI variables. PR 56855. [Jeff
+ Trawick]
+
*) mod_rewrite: Improve relative substitutions in per-directory/htaccess
context for directories found by mod_userdir and mod_alias. These no
loner require RewriteBase to be specified. [Eric Covener]
diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
index f4aff68944..a04834c82a 100644
--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@@ -565,6 +565,43 @@ scripts</description>
</directivesynopsis>
<directivesynopsis>
+<name>CGIPassAuth</name>
+<description>Enables passing HTTP authorization headers to scripts as CGI
+variables</description>
+<syntax>CGIPassAuth On|Off</syntax>
+<default>CGIPassAuth Off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in Apache HTTP Server 2.5.0 and later</compatibility>
+
+<usage>
+ <p><directive>CGIPassAuth</directive> allows scripts access to HTTP
+ authorization headers such as <code>Authorization</code>, which is
+ required for scripts that implement HTTP Basic authentication.
+ Normally these HTTP headers are hidden from scripts, as it allows
+ scripts to see user ids and passwords used to access the server when
+ HTTP Basic authentication is enabled in the web server. This directive
+ should be used when scripts are allowed to implement HTTP Basic
+ authentication.</p>
+
+ <p>This directive can be used instead of the compile-time setting
+ <code>SECURITY_HOLE_PASS_AUTHORIZATION</code> which has been available
+ in previous versions of Apache HTTP Server.</p>
+
+ <p>The setting is respected by any modules which use
+ <code>ap_add_common_vars()</code>, such as <module>mod_cgi</module>,
+ <module>mod_cgid</module>, <module>mod_proxy_fcgi</module>,
+ <module>mod_proxy_scgi</module>, and so on. Notably, it affects
+ modules which don't handle the request in the usual sense but
+ still use this API; examples of this are <module>mod_include</module>
+ and <module>mod_ext_filter</module>. Third-party modules that don't
+ use <code>ap_add_common_vars()</code> may choose to respect the setting
+ as well.</p>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
<name>ContentDigest</name>
<description>Enables the generation of <code>Content-MD5</code> HTTP Response
headers</description>
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 17f83f6555..8991ce0587 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -473,6 +473,8 @@
* 20140627.8 (2.5.0-dev) Add ap_set_listencbratio(), ap_close_listeners_ex(),
* ap_duplicate_listeners(), ap_num_listen_buckets and
* ap_have_so_reuseport to ap_listen.h.
+ * 20140627.9 (2.5.0-dev) Add cgi_pass_auth and AP_CGI_PASS_AUTH_* to
+ * core_dir_config
*/
#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
@@ -480,7 +482,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20140627
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 8 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 9 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/include/http_core.h b/include/http_core.h
index 85ca580478..2143d5a74d 100644
--- a/include/http_core.h
+++ b/include/http_core.h
@@ -624,6 +624,15 @@ typedef struct {
/** Named back references */
apr_array_header_t *refs;
+#define AP_CGI_PASS_AUTH_OFF (0)
+#define AP_CGI_PASS_AUTH_ON (1)
+#define AP_CGI_PASS_AUTH_UNSET (2)
+ /** CGIPassAuth: Whether HTTP authorization headers will be passed to
+ * scripts as CGI variables; affects all modules calling
+ * ap_add_common_vars(), as well as any others using this field as
+ * advice
+ */
+ unsigned int cgi_pass_auth : 2;
} core_dir_config;
/* macro to implement off by default behaviour */
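Review bot: The doc comment on the new `cgi_pass_auth` field names the three AP_CGI_PASS_AUTH_* values but does not say how AP_CGI_PASS_AUTH_UNSET is interpreted by consumers, which is the one value a reader of this header cannot work out from the struct alone. In this commit the only consumer, ap_add_common_vars() in server/util_script.c, tests for `== AP_CGI_PASS_AUTH_ON`, so UNSET is effectively Off; suggest adding to the field comment: ` * Defaults to AP_CGI_PASS_AUTH_UNSET (see create_core_dir_config); consumers treat anything other than AP_CGI_PASS_AUTH_ON as Off.` The 2-bit width is sufficient for the values 0..2 defined here, and the `#define` style matches the existing AP_MAXRANGES_UNSET constants used by this struct. The enclosing `typedef struct` begins before this hunk.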
diff --git a/server/core.c b/server/core.c
index ace928ad03..693283c859 100644
--- a/server/core.c
+++ b/server/core.c
@@ -196,6 +196,8 @@ static void *create_core_dir_config(apr_pool_t *a, char *dir)
conf->max_overlaps = AP_MAXRANGES_UNSET;
conf->max_reversals = AP_MAXRANGES_UNSET;
+ conf->cgi_pass_auth = AP_CGI_PASS_AUTH_UNSET;
+
return (void *)conf;
}
@@ -421,6 +423,8 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
conf->max_overlaps = new->max_overlaps != AP_MAXRANGES_UNSET ? new->max_overlaps : base->max_overlaps;
conf->max_reversals = new->max_reversals != AP_MAXRANGES_UNSET ? new->max_reversals : base->max_reversals;
+ conf->cgi_pass_auth = new->cgi_pass_auth != AP_CGI_PASS_AUTH_UNSET ? new->cgi_pass_auth : base->cgi_pass_auth;
+
return (void*)conf;
}
@@ -1719,6 +1723,15 @@ static const char *set_override(cmd_parms *cmd, void *d_, const char *l)
return NULL;
}
+static const char *set_cgi_pass_auth(cmd_parms *cmd, void *d_, int flag)
+{
+ core_dir_config *d = d_;
+
+ d->cgi_pass_auth = flag ? AP_CGI_PASS_AUTH_ON : AP_CGI_PASS_AUTH_OFF;
+
+ return NULL;
+}
+
static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
{
core_dir_config *d = d_;
@@ -4324,6 +4337,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_limit, NULL,
AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
"maximum recursion depth of internal redirects and subrequests"),
+AP_INIT_FLAG("CGIPassAuth", set_cgi_pass_auth, NULL, OR_AUTHCFG,
+ "Controls which HTTP authorization headers, normally hidden, will "
+ "be passed to scripts"),
AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower,
(void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO,
"a mime type that overrides other configured type"),
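Review bot: The help string for the new AP_INIT_FLAG("CGIPassAuth", ...) entry says the directive controls "which" HTTP authorization headers are passed, but set_cgi_pass_auth (earlier hunk in this file) only maps the flag to AP_CGI_PASS_AUTH_ON/OFF, so it is an all-or-nothing switch over the Authorization and Proxy-Authorization headers that ap_add_common_vars() hides. Suggest `"Whether HTTP authorization headers, normally hidden, are passed to scripts as CGI variables"` so the help text matches the On|Off syntax documented in core.xml. set_cgi_pass_auth itself carries no comment; a one-liner such as `/* CGIPassAuth On|Off: an explicit value here overrides the inherited one in merge_core_dir_configs() */` would tie the handler to the merge logic. The directive table continues beyond this hunk.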
diff --git a/server/util_script.c b/server/util_script.c
index 87504fac32..a8d9ebc4f0 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -140,6 +140,8 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
apr_table_t *e;
server_rec *s = r->server;
conn_rec *c = r->connection;
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
const char *env_temp;
const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in);
const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts;
@@ -188,7 +190,9 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
#ifndef SECURITY_HOLE_PASS_AUTHORIZATION
else if (!strcasecmp(hdrs[i].key, "Authorization")
|| !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
- continue;
+ if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON) {
+ add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+ }
}
#endif
else
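Review bot: Replacing `continue;` with an `if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON)` block leaves the not-On path as an empty fall-through inside the `else if`, and the suppression of Authorization/Proxy-Authorization is no longer visible at the point where it happens; suggest an explicit else path, `else { /* CGIPassAuth Off or unset: credentials deliberately not exported to the script */ }`, so a later reader does not mistake the empty branch for a missing case. Note that this branch is still guarded by `#ifndef SECURITY_HOLE_PASS_AUTHORIZATION`, so on a build that defines that macro the two headers appear to reach the generic `else` on the next line regardless of CGIPassAuth; if that is intended, a comment here (or in the core.xml paragraph that presents the directive as a replacement for the compile-time setting) would make clear that the directive cannot re-hide the headers on such builds. The function body begins and continues outside this hunk.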