authorjorton <jorton@fedoraproject.org>2006-02-06 14:58:12 +0000
committerjorton <jorton@fedoraproject.org>2006-02-06 14:58:12 +0000
commitbc53791ae4e0ff5beef5c3d06fff7eb886738940 (patch)
treebd60f85cc51d2f11b1cff2ba83e781e4bee1067b
parent73a46bb6e8038074cbdfe05a2c827f1794e9d1cd (diff)
- mod_auth_basic/mod_authn_file: if no provider is configured, andhttpd-2_2_0-5_1
AuthUserFile is not configured, decline to handle authn silently rather than failing noisily.
-rw-r--r--httpd-2.2.0-authnoprov.patch30
-rw-r--r--httpd.spec9
2 files changed, 38 insertions, 1 deletions
diff --git a/httpd-2.2.0-authnoprov.patch b/httpd-2.2.0-authnoprov.patch
new file mode 100644
index 0000000..c9cfe8b
--- /dev/null
+++ b/httpd-2.2.0-authnoprov.patch
@@ -0,0 +1,30 @@
+--- httpd-2.2.0/modules/aaa/mod_authn_file.c.authnoprov
++++ httpd-2.2.0/modules/aaa/mod_authn_file.c
+@@ -70,6 +70,10 @@
+ apr_status_t status;
+ char *file_password = NULL;
+
++ if (!conf->pwfile) {
++ return AUTH_GENERAL_ERROR;
++ }
++
+ status = ap_pcfg_openfile(&f, r->pool, conf->pwfile);
+
+ if (status != APR_SUCCESS) {
+--- httpd-2.2.0/modules/aaa/mod_auth_basic.c.authnoprov
++++ httpd-2.2.0/modules/aaa/mod_auth_basic.c
+@@ -252,6 +252,14 @@
+ return DECLINED;
+ }
+
++ /* If no providers were configured, and the default file
++ * provider gave a general error (which will happen only if
++ * has not been configured), presume that a non-provider-based
++ * authn module is configured, and get out of the way. */
++ if (!conf->providers && auth_result == AUTH_GENERAL_ERROR) {
++ return DECLINED;
++ }
++
+ switch (auth_result) {
+ case AUTH_DENIED:
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
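Review bot: The new `!conf->providers && auth_result == AUTH_GENERAL_ERROR` test in mod_auth_basic.c cannot tell "AuthUserFile not set" apart from any other general error of the default file provider, so the comment's "will happen only if" claim needs checking. In the mod_authn_file.c part the `if (status != APR_SUCCESS)` branch after ap_pcfg_openfile() is cut off; if it also returns AUTH_GENERAL_ERROR, a configured but unreadable password file would now end in DECLINED instead of an error response, and whether the request is still refused depends on later hooks that are not visible here. Consider logging the decline, e.g. `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "no authn provider or AuthUserFile configured, declining");` before `return DECLINED;`, and completing the comment as `(which will happen only if AuthUserFile has not been configured)`. Both enclosing functions start and end outside the lines shown.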
diff --git a/httpd.spec b/httpd.spec
index c1622cb..8cd7a71 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.2.0
-Release: 5
+Release: 5.1
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@@ -43,6 +43,7 @@ Patch50: httpd-2.0.45-encode.patch
Patch51: httpd-2.2.0-headclength.patch
Patch52: httpd-2.2.0-ajpcookie.patch
Patch53: httpd-2.2.0-cppheader.patch
+Patch54: httpd-2.2.0-authnoprov.patch
# Security fixes
Patch200: httpd-2.2.0-CVE-2005-3352.patch
Patch201: httpd-2.2.0-CVE-2005-3357.patch
@@ -126,6 +127,7 @@ Security (TLS) protocols.
%patch51 -p1 -b .headclength
%patch52 -p1 -b .ajpcookie
%patch53 -p1 -b .cppheader
+%patch54 -p1 -b .authnoprov
%patch200 -p1 -b .cve3352
%patch201 -p1 -b .cve3352
@@ -489,6 +491,11 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/httpd/build/*.sh
%changelog
+* Mon Feb 6 2006 Joe Orton <jorton@redhat.com> 2.2.0-5.1
+- mod_auth_basic/mod_authn_file: if no provider is configured,
+ and AuthUserFile is not configured, decline to handle authn
+ silently rather than failing noisily.
+
* Fri Feb 3 2006 Joe Orton <jorton@redhat.com> 2.2.0-5
- mod_ssl: add security fix for CVE-2005-3357 (#177914)
- mod_imagemap: add security fix for CVE-2005-3352 (#177913)