Summary: | Multiple levels of htacces files can cause mod_auth_digest to Crash | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Björn Wiberg <bjorn.wiberg> |
Component: | mod_auth_digest | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | ASSIGNED --- | ||
Severity: | critical | CC: | bugtracker |
Priority: | P3 | ||
Version: | 2.0-HEAD | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | All |
Description
Björn Wiberg
2003-07-11 22:28:41 UTC
This bug also exists in 1.3.28. I've encounterd it without using groups, just requre user in the sub-DocumentRoot will cause apache to crash. It occurs if the sub-DocumentRoot is restricted using .htaccess or via httpd.conf. I've debugged this somewhat and found that it is related to FancyIndexing combined with auth digest. Here's a stack trace: note_digest_auth_failure(request_rec * 0x00860dc0, const digest_config_struct * 0x007c5e30, digest_header_struct * 0x00000000, int 0) line 1210 + 3 bytes digest_check_auth(request_rec * 0x00860dc0) line 1861 + 33 bytes run_method(request_rec * 0x00860dc0, int 7, int 0) line 370 + 7 bytes ap_check_auth(request_rec * 0x00860dc0) line 427 + 17 bytes ap_sub_req_lookup_file(const char * 0x00864f9e, const request_rec * 0x0085dad8) line 1027 + 186 bytes make_autoindex_entry(char * 0x00864f9e, int 1, autoindex_config_struct * 0x007b7478, request_rec * 0x0085dad8, char 78, char 65) line 1281 + 13 bytes index_directory(request_rec * 0x0085dad8, autoindex_config_struct * 0x007b7478) line 1762 + 32 bytes handle_autoindex(request_rec * 0x0085dad8) line 1822 + 13 bytes ap_invoke_handler(request_rec * 0x0085dad8) line 518 + 10 bytes process_request_internal(request_rec * 0x0085dad8) line 1324 + 9 bytes ap_process_request(request_rec * 0x0085dad8) line 1340 + 9 bytes child_sub_main(int 0) line 5992 child_main(int 0) line 6062 + 9 bytes _threadstartex(void * 0x007f3a48) line 212 + 13 bytes KERNEL32! 77e8b2d8() note_digest_auth_failure bombs because the third parameter (digest_header_rec *resp) is null. Here's the call to note_digest_auth_failure from digest_check_auth: note_digest_auth_failure(r, conf, (digest_header_rec *) ap_get_module_config(r->request_config, &digest_auth_module), 0); The third parameter is passed via ap_get_module_config which returns 0. This is as far as I got. I don't know enough about apache/mod_autoindex/mod_auth_digest to suggest a patch. I do have some questions though. Why is FancyIndexing checking auth for sub directories while building the index for the parrent? If this this valid, why would mod_auth_digest log an error in this case? The user hasn't even selected the sub directory, but the log file records it like they did: Digest: access to /webfolder/Kurt failed, reason: user kurt not allowed access Hope this helps somewhat. I will help testing any proposed patches. -Kurt Hello Kurt! Glad that someone else has encountered the same thing. Well, sort of. :-) The reason for mod_autoindex to look for .htaccess files in subdirectories is to exclude those subdirectories from the directory listing if the user isn't allowed access to them; a pretty nice feature. I have also noticed the "access failed" error messages in the error log, and they are somewhat annoying, although perhaps necessary to make things simple. Basic authentication (instead of digest authentication) seems to work fine, though, without any crashes and with the intended functionality. That's my temporary solution until this bug gets fixed. Best regards, Björn I reviewed the 1.3.28 code some more and have a proposed patch (should I have opened a separate bug report for 1.3.28?). If I understand things correctly the following is happening... request_req.request_config is being intialized in update_nonce_count. update_nonce_count appears to be called when the client sends authorization records. Since the call to digest_check_auth is comming from mod_autoindex's call to ap_sub_req_lookup_file and not from a browser request with authorization records, update_nonce_count is not being called and thus request_config is not being initialized. The following patch assumes that if request_config is NULL then the call to digest_check_auth must be coming from a non user request. If this is not true then maybe another solution may be better. However, if the assumption is correct then we know when a call to digest_check_auth has been initiated not by a user, so we don't need to log and note the failure. --- mod_auth_digest.c.orig Sat Feb 15 22:42:24 2003 +++ mod_auth_digest.c Sun Aug 10 23:03:16 2003 @@ -1788,6 +1788,7 @@ const digest_config_rec *conf = (digest_config_rec *) ap_get_module_config(r->per_dir_config, &digest_auth_module); + digest_header_rec *resp; const char *user = r->connection->user; int m = r->method_number; int method_restricted = 0; @@ -1851,15 +1852,21 @@ if (!method_restricted) return OK; - ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, - "Digest: access to %s failed, reason: user %s not allowed access", - r->uri, user); + resp = (digest_header_rec *) ap_get_module_config(r->request_config, + &digest_auth_module); - note_digest_auth_failure(r, conf, - (digest_header_rec *) ap_get_module_config(r->request_config, - &digest_auth_module), - 0); - return AUTH_REQUIRED; + /* if there isn't a resp initalized then this check auth + didn't come from a user request (i.e. FancyIndexing) + so don't log it */ + if (resp != NULL) { + ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r, + "Digest: access to %s failed, reason: user %s not allowed access", + r->uri, user); + + note_digest_auth_failure(r, conf, resp, 0); + } + + return AUTH_REQUIRED; } Please excuse any white space style errors, I wasn't sure what the style was from the existing code and didn't take the time to see if there was a published style for apache. -Kurt Changed severity according to classification recommendations ("crashes, loss of data, severe memory leak"). |