request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+ *) core: Add CGIPassAuth directive to control whether HTTP authorization
+ headers are passed to scripts as CGI variables. PR 56855. [Jeff
+ Trawick]
+
*) mod_ssl: New directive SSLSessionTickets (On|Off).
The directive controls the use of TLS session tickets (RFC 5077),
default value is "On" (unchanged behavior).
2.4.x patch: trunk works (modulo CHANGES)
+1: ylavic, rjung, trawick
- *) core: Add CGIPassAuth directive to control whether HTTP authorization
- headers are passed to scripts as CGI variables. PR: 56855
- trunk patch: http://svn.apache.org/r1642847, http://svn.apache.org/r1673155
- 2.4.x patch: http://people.apache.org/~trawick/r1642847-r1673155-to-2.4.x.txt
- (trunk works if you do the normal CHANGES/ap_mmn/core_dir_config
- merge conflict resolution ;) )
- +1: trawick, rjung, ylavic
-
*) mod_logio: Log time-to-first-byte via %^FB
trunk patch: http://svn.apache.org/r1671918
http://svn.apache.org/r1673113
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>CGIPassAuth</name>
+<description>Enables passing HTTP authorization headers to scripts as CGI
+variables</description>
+<syntax>CGIPassAuth On|Off</syntax>
+<default>CGIPassAuth Off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in Apache HTTP Server 2.4.13 and later</compatibility>
+
+<usage>
+ <p><directive>CGIPassAuth</directive> allows scripts access to HTTP
+ authorization headers such as <code>Authorization</code>, which is
+ required for scripts that implement HTTP Basic authentication.
+ Normally these HTTP headers are hidden from scripts, as it allows
+ scripts to see user ids and passwords used to access the server when
+ HTTP Basic authentication is enabled in the web server. This directive
+ should be used when scripts are allowed to implement HTTP Basic
+ authentication.</p>
+
+ <p>This directive can be used instead of the compile-time setting
+ <code>SECURITY_HOLE_PASS_AUTHORIZATION</code> which has been available
+ in previous versions of Apache HTTP Server.</p>
+
+ <p>The setting is respected by any modules which use
+ <code>ap_add_common_vars()</code>, such as <module>mod_cgi</module>,
+ <module>mod_cgid</module>, <module>mod_proxy_fcgi</module>,
+ <module>mod_proxy_scgi</module>, and so on. Notably, it affects
+ modules which don't handle the request in the usual sense but
+ still use this API; examples of this are <module>mod_include</module>
+ and <module>mod_ext_filter</module>. Third-party modules that don't
+ use <code>ap_add_common_vars()</code> may choose to respect the setting
+ as well.</p>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>ContentDigest</name>
<description>Enables the generation of <code>Content-MD5</code> HTTP Response
* 20120211.41 (2.4.11-dev) Add ap_proxy_de_socketfy to mod_proxy.h
* 20120211.42 (2.4.13-dev) Add response_code_exprs to http_core.h
* 20120211.43 (2.4.13-dev) Add keep_alive_timeout_set to server_rec
+ * 20120211.44 (2.4.13-dev) Add cgi_pass_auth and AP_CGI_PASS_AUTH_* to
+ * core_dir_config
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20120211
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 43 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 44 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
*/
apr_hash_t *response_code_exprs;
+#define AP_CGI_PASS_AUTH_OFF (0)
+#define AP_CGI_PASS_AUTH_ON (1)
+#define AP_CGI_PASS_AUTH_UNSET (2)
+ /** CGIPassAuth: Whether HTTP authorization headers will be passed to
+ * scripts as CGI variables; affects all modules calling
+ * ap_add_common_vars(), as well as any others using this field as
+ * advice
+ */
+ unsigned int cgi_pass_auth : 2;
} core_dir_config;
/* macro to implement off by default behaviour */
conf->max_overlaps = AP_MAXRANGES_UNSET;
conf->max_reversals = AP_MAXRANGES_UNSET;
+ conf->cgi_pass_auth = AP_CGI_PASS_AUTH_UNSET;
+
return (void *)conf;
}
conf->max_overlaps = new->max_overlaps != AP_MAXRANGES_UNSET ? new->max_overlaps : base->max_overlaps;
conf->max_reversals = new->max_reversals != AP_MAXRANGES_UNSET ? new->max_reversals : base->max_reversals;
+ conf->cgi_pass_auth = new->cgi_pass_auth != AP_CGI_PASS_AUTH_UNSET ? new->cgi_pass_auth : base->cgi_pass_auth;
+
return (void*)conf;
}
return NULL;
}
+static const char *set_cgi_pass_auth(cmd_parms *cmd, void *d_, int flag)
+{
+ core_dir_config *d = d_;
+
+ d->cgi_pass_auth = flag ? AP_CGI_PASS_AUTH_ON : AP_CGI_PASS_AUTH_OFF;
+
+ return NULL;
+}
+
static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
{
core_dir_config *d = d_;
AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
"maximum recursion depth of internal redirects and subrequests"),
+AP_INIT_FLAG("CGIPassAuth", set_cgi_pass_auth, NULL, OR_AUTHCFG,
+ "Controls whether HTTP authorization headers, normally hidden, will "
+ "be passed to scripts"),
AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower,
(void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO,
"a mime type that overrides other configured type"),
apr_table_t *e;
server_rec *s = r->server;
conn_rec *c = r->connection;
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
const char *env_temp;
const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in);
const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts;
#ifndef SECURITY_HOLE_PASS_AUTHORIZATION
else if (!strcasecmp(hdrs[i].key, "Authorization")
|| !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
- continue;
+ if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON) {
+ add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+ }
}
#endif
else
projects / apache / commitdiff