authorRob Crittenden <rcritten@redhat.com>2011-06-14 22:13:08 -0400
committerRob Crittenden <rcritten@redhat.com>2011-06-14 22:13:08 -0400
commita6c3370491ae1d3bc552e8de9353c82f73e510e3 (patch)
tree9328f22e7d9a5401f8dc8e123307b36cbfd5c610 /nss_engine_kernel.c
parentf656ffc036af239a4236f1c1fc97e32a809d470d (diff)
Always copy in client certificate and fix FakeBasicAuth
When NSSOptions +FakeBasicAuth is set for a directory, and a certificate is not provided with which the BasicAuth can be Faked, and the client provides an Authorization header, the FakeBasicAuth code in mod_nss may not properly reject an attempt to spoof. BZ 702437
Diffstat (limited to 'nss_engine_kernel.c')
-rw-r--r--nss_engine_kernel.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index ae56cf2..1f37d45 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
nss_util_vhostid(r->pool, r->server));
}
+ if (sslconn->client_cert != NULL)
+ CERT_DestroyCertificate(sslconn->client_cert);
+ sslconn->client_cert = SSL_PeerCertificate(ssl);
+ sslconn->client_dn = NULL;
+
return DECLINED;
}
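Review bot: Resetting `sslconn->client_dn` to NULL on every request interacts with the allocation in the nss_hook_UserCheck hunk, which builds the DN from `r->connection->pool`. On a keep-alive connection each request that reaches that branch leaves another copy of the DN in the connection pool until the connection is torn down. If the peer certificate cannot change without a renegotiation, consider keeping the cached DN when the refreshed certificate is the same one. The ownership rule also deserves a comment above the block, for example `/* SSL_PeerCertificate() returns a new reference or NULL; release the previous one before replacing it */`, and the one-line `if` guarding `CERT_DestroyCertificate` should be braced. The start of nss_hook_ReadReq is outside the hunk, so whether `ssl` is guaranteed non-NULL here and where the last reference is released at connection close cannot be confirmed from this page.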
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
}
if (!sslconn->client_dn) {
- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
PORT_Free(cp);
}
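Review bot: The result of `CERT_NameToAscii` is used without a NULL check, and that function can fail. Because `apr_pstrcat` stops at the first NULL argument, a failed conversion would cache `client_dn` as the bare string "/", which the FakeBasicAuth path presumably then uses as the user identity. Fail the request before assigning, for example `if (cp == NULL) return HTTP_INTERNAL_SERVER_ERROR;`, or whichever status the module uses for this case. Separately, the first hunk can now set `sslconn->client_cert` to NULL on any request, so the `&sslconn->client_cert->subject` dereference depends on a guard earlier in nss_hook_UserCheck that is outside this hunk. Please confirm that guard still runs before this block.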