author | Isaac Boukris <iboukris@gmail.com> | 2016-12-17 23:17:00 +0200 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2017-01-11 14:43:08 -0500 |
commit | a64a32f520884039be0a2240bfa2b5f4040c9c99 (patch) | |
tree | 530cd2646932424e87e8127e0a81c5b99cac6d48 /src/mod_auth_gssapi.c | |
parent | 63706efbbc75ae6fd928813cdd45242025c0fe61 (diff) | |
rewrite: implicitly handle internal redirects
Internal redirects are a special case of subrequest - they
have no req->main but req->prev instead, so we should check
for that too in case the request is not initial.
Also, make sure to export MAG environment variables to
subrequests and internal redirects.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reported-by: scopev24
Closes #119
Diffstat (limited to 'src/mod_auth_gssapi.c')
-rw-r--r-- | src/mod_auth_gssapi.c | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/src/mod_auth_gssapi.c b/src/mod_auth_gssapi.c index 9f311c5..ed4342b 100644 --- a/src/mod_auth_gssapi.c +++ b/src/mod_auth_gssapi.c @@ -107,7 +107,10 @@ struct mag_conn *mag_new_conn_ctx(apr_pool_t *pool) struct mag_conn *mc; mc = apr_pcalloc(pool, sizeof(struct mag_conn)); + apr_pool_create(&mc->pool, pool); + mc->env = apr_table_make(mc->pool, 1); + /* register the context in the memory pool, so it can be freed * when the connection/request is terminated */ apr_pool_cleanup_register(mc->pool, (void *)mc, @@ -124,6 +127,7 @@ static void mag_conn_clear(struct mag_conn *mc) temp = mc->pool; memset(mc, 0, sizeof(struct mag_conn)); mc->pool = temp; + mc->env = apr_table_make(mc->pool, 1); } static bool mag_conn_is_https(conn_rec *c) 
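Review bot: In `mag_conn_clear` the added `mc->env = apr_table_make(mc->pool, 1);` allocates a new table from `mc->pool` on every clear, and the previous table stays allocated until that pool is destroyed. The callers are not visible in this hunk, but if the context is cleared repeatedly on a long-lived connection, memory use grows with each clear. Consider keeping the table across the `memset` and emptying it instead: save `env = mc->env;` next to `temp`, then `if (env) apr_table_clear(env);` and `mc->env = env ? env : apr_table_make(mc->pool, 1);`. The function body starts outside the hunk.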
@@ -823,20 +827,45 @@ static int mag_auth(request_rec *req) return HTTP_UNAUTHORIZED; } + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, req, + "URI: %s, %s main, %s prev", req->uri ?: "no-uri", + req->main ? "with" : "no", req->prev ? "with" : "no"); + /* implicit auth for subrequests if main auth already happened */ - if (!ap_is_initial_req(req) && req->main != NULL) { - type = ap_auth_type(req->main); + if (!ap_is_initial_req(req)) { + request_rec *main_req = req; + + /* Not initial means either a subrequest or an internal redirect */ + while (!ap_is_initial_req(main_req)) + if (main_req->main) + main_req = main_req->main; + else + main_req = main_req->prev; + + type = ap_auth_type(main_req); if ((type != NULL) && (strcasecmp(type, "GSSAPI") == 0)) { /* warn if the subrequest location and the main request * location have different configs */ - if (cfg != ap_get_module_config(req->main->per_dir_config, + if (cfg != ap_get_module_config(main_req->per_dir_config, &auth_gssapi_module)) { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, "Subrequest authentication bypass on " "location with different configuration!"); } - if (req->main->user) { - req->user = apr_pstrdup(req->pool, req->main->user); + if (main_req->user) { + apr_table_t *env; + + req->user = apr_pstrdup(req->pool, main_req->user); + req->ap_auth_type = main_req->ap_auth_type; + + env = ap_get_module_config(main_req->request_config, + &auth_gssapi_module); + if (!env) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, req, + "Failed to lookup env table in subrequest"); + } else + mag_export_req_env(req, env); + return OK; } else { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, req, |
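Review bot: The configuration-mismatch branch (`cfg != ap_get_module_config(main_req->per_dir_config, ...)`) still only logs a warning and then grants the inherited `user`. With this change it is also reached by internal redirects, where `main_req` is found by walking `prev`. Both log strings still say "Subrequest", so an operator triaging the warning cannot tell which case fired or which location was the origin. Reword them to name both cases and include the originating URI, e.g. `"Implicit auth for subrequest/internal redirect from %s on location with different configuration!", main_req->uri`. Add a comment above the branch stating that inheriting the identity across differing configurations is deliberate. Separately, the new `while` with its unbraced `if`/`else` body should be braced, with a one-line comment that `ap_is_initial_req()` being false means `main` or `prev` is set, which is why the walk cannot reach NULL. `mag_auth` starts and ends outside the hunk.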