If several parameters are used in a AuthzProviderAlias directive, if these parameters...

Add a message to warn about such a spurious configuration.
PR 62469

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1834209 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index c703953f6be81becf233e94be5d8c63c3090ec53..d434dabacfd793080356623d6f66af685907ad48 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
+  *) mod_authz_core: If several parameters are used in a AuthzProviderAlias
+     directive, if these parameters are not enclosed in quotation mark, only
+     the first one is handled. The other ones are silently ignored.
+     Add a message to warn about such a spurious configuration.
+     PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
 
   *) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
      PR 62480. [Lubos Uhliarik <luhliari redhat.com>}

diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index b9f8c0b81396cdefe520ef6a265bdd49b8859937..1519b4167f6ffd82334950eadabe7ef42f0906bc 100644 (file)
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10142
+10143

diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml
index 27e71486043512eb984d6150361a80b82686e2e9..032fb954fa5192eef91542eebca35a7d8377bc92 100644 (file)
--- a/docs/manual/mod/mod_authz_core.xml
+++ b/docs/manual/mod/mod_authz_core.xml
@@ -600,6 +600,23 @@ alias</description>
     authorization directives that can be referenced by the alias name using the
     directive <directive module="mod_authz_core">Require</directive>.</p>
 
+    <p>If several parameters are needed in <var>Require-Parameters</var>,
+    they must be enclosed in quotation marks.  Otherwise, only the first one
+    is taken into account.</p>
+    
+    <highlight language="config">
+# In this example, for both addresses to be taken into account, they MUST be enclosed
+# between quotation marks
+&lt;AuthzProviderAlias ip blacklisted-ips "XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY"&gt;
+&lt;/AuthzProviderAlias&gt;
+
+&lt;Directory "/path/to/dir"&gt;
+    &lt;RequireAll&gt;
+        Require not blacklisted-ips
+        Require all granted
+    &lt;/RequireAll&gt;
+&lt;/Directory&gt;
+    </highlight>
 </usage>
 </directivesynopsis>
 

diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c
index c5e5969182aeeccb988a16e9dd031b1d5b2d288d..958511446efcf187ae0e685938c0f0d7ffcf85c4 100644 (file)
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -253,7 +253,7 @@ static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
     const char *endp = ap_strrchr_c(args, '>');
     char *provider_name;
     char *provider_alias;
-    char *provider_args;
+    char *provider_args, *extra_args;
     ap_conf_vector_t *new_authz_config;
     int old_overrides = cmd->override;
     const char *errmsg;
@@ -279,11 +279,22 @@ static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
     provider_name = ap_getword_conf(cmd->pool, &args);
     provider_alias = ap_getword_conf(cmd->pool, &args);
     provider_args = ap_getword_conf(cmd->pool, &args);
+    extra_args = ap_getword_conf(cmd->pool, &args);
 
     if (!provider_name[0] || !provider_alias[0]) {
         return apr_pstrcat(cmd->pool, cmd->cmd->name,
                            "> directive requires additional arguments", NULL);
     }
+    
+    /* We only handle one "Require-Parameters" parameter.  If several parameters
+       are needed, they must be enclosed between quotes */
+    if (extra_args && *extra_args) {
+        ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server, APLOGNO(10142)
+                     "When several arguments (%s %s...) are passed to a %s directive, "
+                     "they must be enclosed in quotation marks.  Otherwise, only the "
+                     "first one is taken into account",
+                     provider_args, extra_args, cmd->cmd->name);
+    }
 
     new_authz_config = ap_create_per_dir_config(cmd->pool);