-*- coding: utf-8 -*-
Changes with Apache 2.5.1
+ *) mod_ssl: Fail with 403 if the username for FakeBasicAuth mode
+ includes a colon character. PR 52644. [Joe Orton]
+
*) mod_md: v1.0.3, fixed various bugs in persisting job properties, so that status is
persisted accross child process changes and staging is reset on reloads. Changed
MDCertificateAgreement url checks. As long as the CA reports that the account has
SSLConnRec *sslconn = myConnConfig(r->connection);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- char *user;
- const char *auth_line, *username, *password;
+ const char *user, *auth_line, *username, *password;
/*
* Additionally forbid access (again)
}
}
else {
- user = (char *)sslconn->client_dn;
+ user = sslconn->client_dn;
+ }
+
+ if (ap_strchr_c(user, ':') != NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10096)
+ "Cannot use FakeBasicAuth for username "
+ "containing a colon: %s", user);
+ return HTTP_FORBIDDEN;
}
/*
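Review bot: The new test `if (ap_strchr_c(user, ':') != NULL)` has no comment saying why a colon must be refused, and that reason is the security property this change protects. I would add above it `/* Basic credentials are encoded as "user:password"; a colon inside the name would move the split point when the faked header is decoded. */`. Because the test sits after the closing brace of the `else`, it applies both to the name set in the branch above and to `sslconn->client_dn`, which looks intentional and is worth stating in the same comment. The enclosing function starts and ends outside this hunk, so whether `user` is always non-NULL when it reaches `ap_strchr_c` cannot be confirmed from the lines shown.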