author | Eric Covener <covener@apache.org> | 2017-05-26 23:29:59 +0200 |
---|---|---|
committer | Eric Covener <covener@apache.org> | 2017-05-26 23:29:59 +0200 |
commit | 92ab67cbad4e148c4ed97bba713e7b320a4412f9 (patch) | |
tree | 8ebe88999805856e23ea2f9ab0d768d69ea565a7 /server/request.c | |
parent | mod_ssl: fix ctx passed to ssl_io_filter_error() (diff) | |
download | apache2-92ab67cbad4e148c4ed97bba713e7b320a4412f9.tar.xz apache2-92ab67cbad4e148c4ed97bba713e7b320a4412f9.zip |
core: deprecate and replace ap_get_basic_auth_pw
*) core: Deprecate ap_get_basic_auth_pw() and add
ap_get_basic_auth_components().
Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
CVEID: CVE-2017-3167
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1796348 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to '')
-rw-r--r-- | server/request.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/server/request.c b/server/request.c
index 016504d1cd..55c32b276b 100644
--- a/server/request.c
+++ b/server/request.c
@@ -124,6 +124,8 @@ static int decl_die(int status, const char *phase, request_rec *r)
 AP_DECLARE(int) ap_some_authn_required(request_rec *r)
 {
     int access_status;
+    char *olduser = r->user;
+    int rv = FALSE;
     switch (ap_satisfies(r)) {
     case SATISFY_ALL:
@@ -134,7 +136,7 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
         access_status = ap_run_access_checker_ex(r);
         if (access_status == DECLINED) {
-            return TRUE;
+            rv = TRUE;
         }
         break;
@@ -145,13 +147,14 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
         access_status = ap_run_access_checker_ex(r);
         if (access_status == DECLINED) {
-            return TRUE;
+            rv = TRUE;
         }
         break;
     }
-    return FALSE;
+    r->user = olduser;
+    return rv;
 }
 /* This is the master logic for processing requests. Do NOT duplicate
@@ -263,6 +266,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
             r->ap_auth_type = r->main->ap_auth_type;
         }
         else {
+            /* A module using a confusing API (ap_get_basic_auth_pw) caused
+            ** r->user to be filled out prior to check_authn hook. We treat
+            ** it is inadvertent.
+            */
+            if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) {
+                r->user = NULL;
+            }
+
             switch (ap_satisfies(r)) {
             case SATISFY_ALL:
             case SATISFY_NOSPEC: |
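Review bot: The save/restore of `r->user` around the access-checker probe in ap_some_authn_required carries no comment, so a later reader will not know why `olduser` exists or why the early `return TRUE` in the two DECLINED branches became `rv = TRUE`. The restore only makes sense because a checker run from here can populate r->user as a side effect (the comment in the later ap_process_request_internal hunk names ap_get_basic_auth_pw as the source), and that side effect must not survive what is only a probe. A one-line comment on the declaration such as `char *olduser = r->user; /* checkers probed below may set r->user as a side effect; restored before return */` would make the intent explicit. Whether the same probe leaves other fields modified (r->ap_auth_type, for instance) is not visible here and presumably unchanged by this commit — worth confirming. The SATISFY_ANY case head between the second and third hunk lies outside the hunks.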
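Review bot: The added comment in the `else` branch of ap_process_request_internal reads `** it is inadvertent.`, which should be `** it as inadvertent.`, and it does not say what the reset protects against, which is the security-relevant part of this change. A reader needs to know that a non-NULL r->user at this point was populated before any check_authn hook ran, so it must not reach the authorization hooks as though an authn provider had verified it; the AP_GET_BASIC_AUTH_PW_NOTE lookup is what separates that case from a module that deliberately set r->user. Suggested wording: `/* ap_get_basic_auth_pw() fills in r->user before the check_authn hooks run (AP_GET_BASIC_AUTH_PW_NOTE records that it was called). Treat that as inadvertent and clear it so authorization never sees an unverified user. */` Whether r->ap_auth_type needs the same treatment depends on what ap_get_basic_auth_pw sets, which is not visible in this diff. The enclosing function body continues outside the hunk.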