If an expression in "Require expr" returns denied and

author Stefan Fritsch <sf@apache.org>

Sun, 17 Jun 2012 08:39:45 +0000 (08:39 +0000)

committer Stefan Fritsch <sf@apache.org>

Sun, 17 Jun 2012 08:39:45 +0000 (08:39 +0000)
author Stefan Fritsch <sf@apache.org>
Sun, 17 Jun 2012 08:39:45 +0000 (08:39 +0000)
committer Stefan Fritsch <sf@apache.org>
Sun, 17 Jun 2012 08:39:45 +0000 (08:39 +0000)
diff --git a/CHANGES b/CHANGES

index e43b479346b3d770702ad7f84f0761423ea5034f..1dffc0fcd2d47fb4f777064c9a0b30b809691703 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
       possible XSS for a site where untrusted users can upload files to
       a location with MultiViews enabled. [Niels Heinen <heinenn google.com>]
  
+  *) mod_authz_core: If an expression in "Require expr" returns denied and
+     references %{REMOTE_USER}, trigger authentication and retry. PR 52892.
+     [Stefan Fritsch]
+
    *) mod_lua: Add new directive LuaAuthzProvider to allow implementing an
       authorization provider in lua. [Stefan Fritsch]
  
diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml

index 07f6262d057f9a0f446a57bfa2d5aa7fe63c1ba5..1f7a48d07e1de0748af42e9774ef75c27c8c2185 100644 (file)
--- a/docs/manual/mod/mod_authz_core.xml
+++ b/docs/manual/mod/mod_authz_core.xml
@@ -224,6 +224,11 @@ SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
    <p>The syntax is described in the <a href="../expr.html">ap_expr</a>
    documentation.</p>
  
+  <p>Normally, the expression is evaluated before authentication. However, if
+  the expression returns false and references the variable
+  <code>%{REMOTE_USER}</code>, authentication will be performed and
+  the expression will be re-evaluated.</p>
+
    </section>
  
  
diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c

index cf642653062565e8ac1ee93a5b7c25700d5746ba..2aeda266813d21e9c5a28a2a2ee4d680e5e5eac1 100644 (file)
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -1037,13 +1037,54 @@ static const authz_provider authz_method_provider =
      &method_parse_config,
  };
  
+/*
+ * expr authz provider
+ */
+
+#define REQUIRE_EXPR_NOTE "Require_expr_info"
+struct require_expr_info {
+    ap_expr_info_t *expr;
+    int want_user;
+};
+
+static int expr_lookup_fn(ap_expr_lookup_parms *parms)
+{
+    if (parms->type == AP_EXPR_FUNC_VAR
+        && strcasecmp(parms->name, "REMOTE_USER") == 0) {
+        struct require_expr_info *info;
+        apr_pool_userdata_get((void**)&info, REQUIRE_EXPR_NOTE, parms->ptemp);
+        AP_DEBUG_ASSERT(info != NULL);
+        info->want_user = 1;
+    }
+    return ap_expr_lookup_default(parms);
+}
+
+static const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
+                                     const void **parsed_require_line)
+{
+    const char *expr_err = NULL;
+    struct require_expr_info *info = apr_pcalloc(cmd->pool, sizeof(*info));
+
+    apr_pool_userdata_setn(info, REQUIRE_EXPR_NOTE, apr_pool_cleanup_null,
+                          cmd->temp_pool);
+    info->expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
+                                   expr_lookup_fn);
+
+    if (expr_err)
+        return "Cannot parse expression in require line";
+
+    *parsed_require_line = info;
+
+    return NULL;
+}
+
  static authz_status expr_check_authorization(request_rec *r,
                                               const char *require_line,
                                               const void *parsed_require_line)
  {
      const char *err = NULL;
-    const ap_expr_info_t *expr = parsed_require_line;
-    int rc = ap_expr_exec(r, expr, &err);
+    const struct require_expr_info *info = parsed_require_line;
+    int rc = ap_expr_exec(r, info->expr, &err);
  
      if (rc < 0) {
          ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02320)
@@ -1052,28 +1093,16 @@ static authz_status expr_check_authorization(request_rec *r,
          return AUTHZ_GENERAL_ERROR;
      }
      else if (rc == 0) {
-        return AUTHZ_DENIED;
+        if (info->want_user)
+            return AUTHZ_DENIED_NO_USER;
+        else
+            return AUTHZ_DENIED;
      }
      else {
          return AUTHZ_GRANTED;
      }
  }
  
-static const char *expr_parse_config(cmd_parms *cmd, const char *require_line,
-                                     const void **parsed_require_line)
-{
-    const char *expr_err = NULL;
-    ap_expr_info_t *expr = ap_expr_parse_cmd(cmd, require_line, 0, &expr_err,
-                                             NULL);
-
-    if (expr_err)
-        return "Cannot parse expression in require line";
-
-    *parsed_require_line = expr;
-
-    return NULL;
-}
-
  static const authz_provider authz_expr_provider =
  {
      &expr_check_authorization,
author	Stefan Fritsch <sf@apache.org>
	Sun, 17 Jun 2012 08:39:45 +0000 (08:39 +0000)
committer	Stefan Fritsch <sf@apache.org>
	Sun, 17 Jun 2012 08:39:45 +0000 (08:39 +0000)
CHANGES		patch \| blob \| history
docs/manual/mod/mod_authz_core.xml		patch \| blob \| history
modules/aaa/mod_authz_core.c		patch \| blob \| history