used in multiple Require directives with different arguments.
PR57204 [Edward Lu <Chaosed0 gmail.com>]
+ *) core: Add CGIPassAuth directive to control whether HTTP authorization
+ headers are passed to scripts as CGI variables. PR 56855. [Jeff
+ Trawick]
+
*) mod_rewrite: Improve relative substitutions in per-directory/htaccess
context for directories found by mod_userdir and mod_alias. These no
loner require RewriteBase to be specified. [Eric Covener]
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>CGIPassAuth</name>
+<description>Enables passing HTTP authorization headers to scripts as CGI
+variables</description>
+<syntax>CGIPassAuth On|Off</syntax>
+<default>CGIPassAuth Off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in Apache HTTP Server 2.5.0 and later</compatibility>
+
+<usage>
+ <p><directive>CGIPassAuth</directive> allows scripts access to HTTP
+ authorization headers such as <code>Authorization</code>, which is
+ required for scripts that implement HTTP Basic authentication.
+ Normally these HTTP headers are hidden from scripts, as it allows
+ scripts to see user ids and passwords used to access the server when
+ HTTP Basic authentication is enabled in the web server. This directive
+ should be used when scripts are allowed to implement HTTP Basic
+ authentication.</p>
+
+ <p>This directive can be used instead of the compile-time setting
+ <code>SECURITY_HOLE_PASS_AUTHORIZATION</code> which has been available
+ in previous versions of Apache HTTP Server.</p>
+
+ <p>The setting is respected by any modules which use
+ <code>ap_add_common_vars()</code>, such as <module>mod_cgi</module>,
+ <module>mod_cgid</module>, <module>mod_proxy_fcgi</module>,
+ <module>mod_proxy_scgi</module>, and so on. Notably, it affects
+ modules which don't handle the request in the usual sense but
+ still use this API; examples of this are <module>mod_include</module>
+ and <module>mod_ext_filter</module>. Third-party modules that don't
+ use <code>ap_add_common_vars()</code> may choose to respect the setting
+ as well.</p>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>ContentDigest</name>
<description>Enables the generation of <code>Content-MD5</code> HTTP Response
* 20140627.8 (2.5.0-dev) Add ap_set_listencbratio(), ap_close_listeners_ex(),
* ap_duplicate_listeners(), ap_num_listen_buckets and
* ap_have_so_reuseport to ap_listen.h.
+ * 20140627.9 (2.5.0-dev) Add cgi_pass_auth and AP_CGI_PASS_AUTH_* to
+ * core_dir_config
*/
#define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20140627
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 8 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 9 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
/** Named back references */
apr_array_header_t *refs;
+#define AP_CGI_PASS_AUTH_OFF (0)
+#define AP_CGI_PASS_AUTH_ON (1)
+#define AP_CGI_PASS_AUTH_UNSET (2)
+ /** CGIPassAuth: Whether HTTP authorization headers will be passed to
+ * scripts as CGI variables; affects all modules calling
+ * ap_add_common_vars(), as well as any others using this field as
+ * advice
+ */
+ unsigned int cgi_pass_auth : 2;
} core_dir_config;
/* macro to implement off by default behaviour */
conf->max_overlaps = AP_MAXRANGES_UNSET;
conf->max_reversals = AP_MAXRANGES_UNSET;
+ conf->cgi_pass_auth = AP_CGI_PASS_AUTH_UNSET;
+
return (void *)conf;
}
conf->max_overlaps = new->max_overlaps != AP_MAXRANGES_UNSET ? new->max_overlaps : base->max_overlaps;
conf->max_reversals = new->max_reversals != AP_MAXRANGES_UNSET ? new->max_reversals : base->max_reversals;
+ conf->cgi_pass_auth = new->cgi_pass_auth != AP_CGI_PASS_AUTH_UNSET ? new->cgi_pass_auth : base->cgi_pass_auth;
+
return (void*)conf;
}
return NULL;
}
+static const char *set_cgi_pass_auth(cmd_parms *cmd, void *d_, int flag)
+{
+ core_dir_config *d = d_;
+
+ d->cgi_pass_auth = flag ? AP_CGI_PASS_AUTH_ON : AP_CGI_PASS_AUTH_OFF;
+
+ return NULL;
+}
+
static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
{
core_dir_config *d = d_;
AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
"maximum recursion depth of internal redirects and subrequests"),
+AP_INIT_FLAG("CGIPassAuth", set_cgi_pass_auth, NULL, OR_AUTHCFG,
+ "Controls which HTTP authorization headers, normally hidden, will "
+ "be passed to scripts"),
AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower,
(void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO,
"a mime type that overrides other configured type"),
apr_table_t *e;
server_rec *s = r->server;
conn_rec *c = r->connection;
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
const char *env_temp;
const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in);
const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts;
#ifndef SECURITY_HOLE_PASS_AUTHORIZATION
else if (!strcasecmp(hdrs[i].key, "Authorization")
|| !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
- continue;
+ if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON) {
+ add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+ }
}
#endif
else
projects / apache / commitdiff