Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
apache2.16436
apache2-CVE-2017-3167.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File apache2-CVE-2017-3167.patch of Package apache2.16436
Index: httpd-2.4.23/server/protocol.c =================================================================== --- httpd-2.4.23.orig/server/protocol.c 2017-06-27 12:42:23.112719021 +0200 +++ httpd-2.4.23/server/protocol.c 2017-06-27 12:42:23.148719624 +0200 @@ -1605,6 +1605,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req t = ap_pbase64decode(r->pool, auth_line); r->user = ap_getword_nulls (r->pool, &t, ':'); + apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1"); r->ap_auth_type = "Basic"; *pw = t; @@ -1612,6 +1613,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(req return OK; } +AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r, + const char **username, + const char **password) +{ + const char *auth_header; + const char *credentials; + const char *decoded; + const char *user; + + auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization" + : "Authorization"; + credentials = apr_table_get(r->headers_in, auth_header); + + if (!credentials) { + /* No auth header. */ + return APR_EINVAL; + } + + if (strcasecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) { + /* These aren't Basic credentials. */ + return APR_EINVAL; + } + + while (*credentials == ' ' || *credentials == '\t') { + credentials++; + } + + /* XXX Our base64 decoding functions don't actually error out if the string + * we give it isn't base64; they'll just silently stop and hand us whatever + * they've parsed up to that point. + * + * Since this function is supposed to be a drop-in replacement for the + * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x. + */ + decoded = ap_pbase64decode(r->pool, credentials); + user = ap_getword_nulls(r->pool, &decoded, ':'); + + if (username) { + *username = user; + } + if (password) { + *password = decoded; + } + + return APR_SUCCESS; +} + struct content_length_ctx { int data_sent; /* true if the C-L filter has already sent at * least one bucket on to the next output filter Index: httpd-2.4.23/server/request.c =================================================================== --- httpd-2.4.23.orig/server/request.c 2017-06-27 12:42:23.064718217 +0200 +++ httpd-2.4.23/server/request.c 2017-06-27 12:42:23.148719624 +0200 @@ -262,6 +262,14 @@ AP_DECLARE(int) ap_process_request_inter r->ap_auth_type = r->main->ap_auth_type; } else { + /* A module using a confusing API (ap_get_basic_auth_pw) caused + ** r->user to be filled out prior to check_authn hook. We treat + ** it is inadvertent. + */ + if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) { + r->user = NULL; + } + switch (ap_satisfies(r)) { case SATISFY_ALL: case SATISFY_NOSPEC: --- 2.4.x/include/http_protocol.h 2017/05/30 12:26:05 1796854 +++ 2.4.x/include/http_protocol.h 2017/05/30 12:27:41 1796855 @@ -558,7 +558,11 @@ AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type)) /** - * Get the password from the request headers + * Get the password from the request headers. This function has multiple side + * effects due to its prior use in the old authentication framework. + * ap_get_basic_auth_components() should be preferred. + * + * @deprecated @see ap_get_basic_auth_components * @param r The current request * @param pw The password as set in the headers * @return 0 (OK) if it set the 'pw' argument (and assured @@ -571,6 +575,25 @@ */ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw); +#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE" + +/** + * Get the username and/or password from the request's Basic authentication + * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side + * effects on the passed request_rec. + * + * @param r The current request + * @param username If not NULL, set to the username sent by the client + * @param password If not NULL, set to the password sent by the client + * @return APR_SUCCESS if the credentials were successfully parsed and returned; + * APR_EINVAL if there was no authentication header sent or if the + * client was not using the Basic authentication scheme. username and + * password are unchanged on failure. + */ +AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r, + const char **username, + const char **password); + /** * parse_uri: break apart the uri * @warning Side Effects:
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor