Received: (qmail 16567 invoked by uid 501); 14 Aug 2000 10:33:48 -0000 Message-Id: <20000814103348.16566.qmail@locus.apache.org> Date: 14 Aug 2000 10:33:48 -0000 From: Jon Ribbens Reply-To: jon+apache@unequivocal.co.uk To: submit@bugz.apache.org Subject: check_user_access() does not check to see if this module is being used X-Send-Pr-Version: 3.110 >Number: 6414 >Category: mod_auth-any >Synopsis: check_user_access() does not check to see if this module is being used >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Aug 14 03:40:01 PDT 2000 >Closed-Date: >Last-Modified: >Originator: jon+apache@unequivocal.co.uk >Release: 1.3.12 >Organization: apache >Environment: N/A >Description: check_user_access() in mod_auth.c should have a line: if (!sec->auth_pwfile) return DECLINED; at the top as per authenticate_basic_user(). Otherwise it is parsing the 'require' directive for its particular mod_auth-specific syntax, and reporting it as a fatal error if it does not understand it, even if the web author is not using mod_auth in this directory. (Since 'authoritative' defaults to 'on'.) >How-To-Repeat: Create a new module which implements a new auth type which uses a require directive other than 'valid-user', 'user' and 'group'. Observe that it cannot be used due to mod_auth reporting it as a bad require directive even though mod_auth should not be sticking its nose in. Actually I noticed this when writing a auth module based on mod_auth which implemented *less* require directives (it does not allow 'group'). It stopped 'require group' working for mod_auth directories. >Fix: Add the line as described above to mod_auth.c. Fix all other auth modules. Tell everyone who has written a 3rd-party auth module based on mod_auth to fix their code too. >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]