- mod_auth_basic/mod_authn_file: if no provider is configured, and

AuthUserFile is not configured, decline to handle authn silently rather than failing noisily.
2006-02-06 14:58:12 +00:00 · 2006-02-06 14:58:12 +00:00 · bc53791ae4
commit bc53791ae4
parent 73a46bb6e8
2 changed files with 38 additions and 1 deletions
--- a/httpd-2.2.0-authnoprov.patch
+++ b/httpd-2.2.0-authnoprov.patch
@ -0,0 +1,30 @@
+--- httpd-2.2.0/modules/aaa/mod_authn_file.c.authnoprov
+++ httpd-2.2.0/modules/aaa/mod_authn_file.c
+@@ -70,6 +70,10 @@
+     apr_status_t status;
+     char *file_password = NULL;
+ 
+    if (!conf->pwfile) {
+        return AUTH_GENERAL_ERROR;
+    }
+
+     status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);
+ 
+     if (status != APR_SUCCESS) {
+--- httpd-2.2.0/modules/aaa/mod_auth_basic.c.authnoprov
+++ httpd-2.2.0/modules/aaa/mod_auth_basic.c
+@@ -252,6 +252,14 @@
+             return DECLINED;
+         }
+ 
+        /* If no providers were configured, and the default file
+         * provider gave a general error (which will happen only if
+         * has not been configured), presume that a non-provider-based
+         * authn module is configured, and get out of the way. */
+        if (!conf->providers && auth_result == AUTH_GENERAL_ERROR) {
+            return DECLINED;
+        }
+
+         switch (auth_result) {
+         case AUTH_DENIED:
+             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
--- a/httpd.spec
+++ b/httpd.spec
@ -7,7 +7,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.2.0
-Release: 5
+Release: 5.1
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
 Source1: index.html
@ -43,6 +43,7 @@ Patch50: httpd-2.0.45-encode.patch
 Patch51: httpd-2.2.0-headclength.patch
 Patch52: httpd-2.2.0-ajpcookie.patch
 Patch53: httpd-2.2.0-cppheader.patch
+Patch54: httpd-2.2.0-authnoprov.patch
 # Security fixes
 Patch200: httpd-2.2.0-CVE-2005-3352.patch
 Patch201: httpd-2.2.0-CVE-2005-3357.patch
@ -126,6 +127,7 @@ Security (TLS) protocols.
 %patch51 -p1 -b .headclength
 %patch52 -p1 -b .ajpcookie
 %patch53 -p1 -b .cppheader
+%patch54 -p1 -b .authnoprov

 %patch200 -p1 -b .cve3352
 %patch201 -p1 -b .cve3352
@ -489,6 +491,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/httpd/build/*.sh

 %changelog
+* Mon Feb  6 2006 Joe Orton <jorton@redhat.com> 2.2.0-5.1
+- mod_auth_basic/mod_authn_file: if no provider is configured,
+  and AuthUserFile is not configured, decline to handle authn
+  silently rather than failing noisily.
+
 * Fri Feb  3 2006 Joe Orton <jorton@redhat.com> 2.2.0-5
 - mod_ssl: add security fix for CVE-2005-3357 (#177914)
 - mod_imagemap: add security fix for CVE-2005-3352 (#177913)