Bug 52644 - document how SSL FakeBasicAuth works with strange characters in DNs and with groupfiles
Status: RESOLVED LATER
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Documentation
Version: 2.2.20
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: HTTP Server Documentation List
Keywords: MassUpdate
Reported: 2012-02-12 03:39 UTC by Christoph Anton Mitterer
Modified: 2018-11-07 21:08 UTC

Description Christoph Anton Mitterer 2012-02-12 03:39:27 UTC
Hi.

Could you please shed some light on (and add to the documentation at https://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) if and how mod_ssl's FakeBasicAuth feature works with the following:

a) Special characters
A certificate's DN can contain basically _ANY_ character, including “:”, “/”, “ ”, “"” or any weird Unicode character from any script.
As far as I can see this could affect us at least in the following places:
- user file
There at least the colon seems to have the special meaning of separating the username from the password, e.g.:
/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer:$apr1$7DksooGS$Mz9EkgYft12dREFb1gk8b.
Maybe “$”, “.” or the other characters mentioned above also have special meanings?!

Given that this is really security relevant, could you please document whether all this is _always_ safe for any characters in the DN or not?!

Guess this would mean that the parsing has to work like this regexp ^(.*):(.*)$ and the matching must be "greedy" (i.e. the _last_ “:” must be matched).


b) DNs in group files
Here things seem to be even more weird.
DNs typically contain “ ” characters (spaces).
The space, however, is the separation character in the group files.

I found out that quoting the DN with “"” seems to work.
This is however not (yet) documented.
Further, is this safe? I mean, DNs could be made up tricky, containing “"” or “:” to confuse the parsing of the group files.
This could even be a security problem.


Cheers,
Chris.
Comment 1 Christoph Anton Mitterer 2012-02-18 00:18:03 UTC
From the code the following seems to be the case:
- groupname is parsed to the _FIRST_ occurrence of ":"
- the quoting styles for users seem to be described in https://httpd.apache.org/dev/apidoc/apidoc_ap_getword_conf.html
(not yet sure what is meant by whitespace, i.e. which whitespace chars).


Cheers,
Chris.
Comment 2 Christoph Anton Mitterer 2012-02-18 00:21:32 UTC
From the code the following seems to be the case with respect to group file parsing:
- groupname is parsed to the _FIRST_ occurrence of ":"
- the quoting styles for users seem to be described in https://httpd.apache.org/dev/apidoc/apidoc_ap_getword_conf.html
(not yet sure what is meant by whitespace, i.e. which whitespace chars).


Cheers,
Chris.
Comment 3 Joe Orton 2017-11-20 15:48:04 UTC
I've added a check in r1815592 for a colon, and a note in the manual about characters to use in r1815599. Though we could probably be more clear here, it might be better to push people to use AuthBasicFake with mod_auth_basic now.
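
An added example, not part of this bug report and not httpd's code: it shows why a colon in the DN is ambiguous once the DN is used as a Basic auth user-id (RFC 7617 splits the credential at the first colon) and as the name in a colon-delimited user file, and it audits a DN for the characters raised in this thread. The function names, the sample DNs and the HASH placeholder are constructed for illustration; the two split modes model the first-colon and last-colon readings discussed above, not httpd's actual parser.

```python
import base64

def basic_header(dn, password):
    """Encode DN + password as a Basic credential, as a DN-as-username setup would."""
    token = base64.b64encode(f"{dn}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic(header):
    """RFC 7617 parsing: everything before the FIRST colon is the user-id."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("no colon in credential")
    return user, password

def split_user_line(line, greedy):
    """Split a 'name:hash' line at the last colon (greedy) or at the first one."""
    name, _, rest = line.rpartition(":") if greedy else line.partition(":")
    return name, rest

def audit_dn(dn):
    """List the reasons a DN is risky as a user file or group file entry."""
    findings = []
    if ":" in dn:
        findings.append("colon")
    if '"' in dn or "'" in dn or "\\" in dn:
        findings.append("quote-or-backslash")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in dn):
        findings.append("control-char")
    if " " in dn:
        findings.append("needs-quoting-in-group-file")
    return findings

# Constructed sample DNs (not taken from the bug report).
PLAIN_DN = "/C=DE/O=Example Org/CN=Alice Example"
COLON_DN = "/C=DE/O=Example Org/CN=Alice:Example"

if __name__ == "__main__":
    for dn in (PLAIN_DN, COLON_DN):
        print(dn, "->", audit_dn(dn) or "ok")
        print("  Basic user-id seen:", parse_basic(basic_header(dn, "pw"))[0])
        line = dn + ":HASH"  # HASH is a placeholder, not a real password hash
        print("  first-colon split: ", split_user_line(line, greedy=False))
        print("  last-colon split:  ", split_user_line(line, greedy=True))
```

For the colon DN, the user-id recovered from the credential is truncated at the colon, so it no longer matches the certificate subject; rejecting such DNs before they reach the user or group file avoids depending on which colon a parser picks.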
Comment 4 William A. Rowe Jr. 2018-11-07 21:08:59 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.