Received: (qmail 19031 invoked by uid 65534); 21 Jan 2000 19:13:19 -0000 Message-Id: <20000121191319.19030.qmail@locus.apache.org> Date: 21 Jan 2000 19:13:19 -0000 From: david zuhn Reply-To: zoo@mnnr.org To: submit@bugz.apache.org Subject: apache dumps core with malconfigured authentication X-Send-Pr-Version: 3.110 >Number: 5620 >Category: mod_auth-any >Synopsis: apache dumps core with malconfigured authentication >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: duplicate >Submitter-Id: apache >Arrival-Date: Fri Jan 21 11:20:00 PST 2000 >Closed-Date: Wed May 24 13:57:54 PDT 2000 >Last-Modified: Wed May 24 13:57:54 PDT 2000 >Originator: zoo@mnnr.org >Release: 1.3.9 >Organization: >Environment: Found on Linux 2.2.12 (RedHat 6.1), GCC 2.95, but also seen on Solaris 2.6 SPARC. This is a platform independent bug. mod_perl 1.21 installed on each, but the bug isn't specific to mod_perl. >Description: I'm using mod_perl, and building a new authentication system. I managed to make a configuration that called the authz handler in mod_auth.c, but without setting the user in the current connection data structure. This caused a strcmp with a NULL value in mod_auth.c. The patch below performs an explicit check that user is set before making the comparison. Yes, my mod_perl handlers were broken, but Apache shouldn't be dumping core in a case like this either. >How-To-Repeat: >Fix: --- orig/apache_1.3.9/src/modules/standard/mod_auth.c Mon Aug 2 15:50:22 1999 +++ apache_1.3.9/src/modules/standard/mod_auth.c Wed Jan 19 17:26:46 2000 @@ -270,5 +270,5 @@ while (t[0]) { w = ap_getword_conf(r->pool, &t); - if (!strcmp(user, w)) + if (user && !strcmp(user, w)) return OK; } >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: coar State-Changed-When: Wed May 24 13:57:53 PDT 2000 State-Changed-Why: [This is a standard response.] This issue has been reported before; please search the FAQ and the bug database. Thanks for using Apache! Class-Changed-From-To: sw-bug-duplicate Class-Changed-By: coar Class-Changed-When: Wed May 24 13:57:53 PDT 2000 >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]