From: Rainer Jung
Date: Tue, 11 Dec 2012 10:21:11 +0000 (+0000)
Subject: mod_auth_form: Support the expr parser in the
X-Git-Tag: 2.4.4~339
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d3380cfa2eae27b313b2a14d4de3f10b37bd7735;p=apache
mod_auth_form: Support the expr parser in the
AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation
and AuthFormLogoutLocation directives.
mod_auth_form: Make sure 500 Internal Server Error is
returned should an error occur while parsing an expression.
Submitted by: minfrin
Backported by: minfrin
Reviewed by: minfrin, sf, rjung
Backports of r1388648 and r1418721 from trunk.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1420071 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 39e017eb6c..a7b7b5189b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@
Changes with Apache 2.4.4
+ *) mod_auth_form: Support the expr parser in the
+ AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
+ AuthFormLogoutLocation directives. [Graham Leggett]
+
*) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange
for TLS, RFC 5054). PR 51075. [Quinn Slack ,
Christophe Renou, Peter Sylvester]
diff --git a/STATUS b/STATUS
index dc166f9bc4..d4249a2c86 100644
--- a/STATUS
+++ b/STATUS
@@ -91,16 +91,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_auth_form: Support the expr parser in the
- AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and
- AuthFormLogoutLocation directives.
- trunk patch: http://svn.apache.org/viewvc?rev=1388648&view=rev
- http://svn.apache.org/viewvc?rev=1418721&view=rev
- 2.4.x patch: trunk patches work (minus next-number, CHANGES)
- +1: minfrin, sf, rjung
- rjung: please add compatibility note to docs about expr only supported
- since 2.4.4.
-
* mod_proxy_balancer: Bring XML output up to date.
http://svn.apache.org/viewvc?view=revision&revision=1392345
http://svn.apache.org/viewvc?view=revision&revision=1392346
diff --git a/docs/manual/mod/mod_auth_form.xml b/docs/manual/mod/mod_auth_form.xml
index 23966b8b07..65aeaae914 100644
--- a/docs/manual/mod/mod_auth_form.xml
+++ b/docs/manual/mod/mod_auth_form.xml
@@ -552,13 +552,15 @@ lower level modules
none
directory
-Available in Apache HTTP Server 2.3.0 and later
+Available in Apache HTTP Server 2.3.0 and later. The use of the expression
+parser hass been added in 2.4.4.
The AuthFormLoginRequiredLocation directive
- specifies the URL to redirect to should the user not be authorised to view a page. By default,
- if a user is not authorised to view a page, the HTTP response code HTTP_UNAUTHORIZED
- will be returned with the page specified by the
+ specifies the URL to redirect to should the user not be authorised to view a page. The value
+ is parsed using the ap_expr parser before being sent to the client.
+ By default, if a user is not authorised to view a page, the HTTP response code
+ HTTP_UNAUTHORIZED
will be returned with the page specified by the
ErrorDocument directive. This directive overrides this
default.
@@ -574,13 +576,15 @@ lower level modules
none
directory
-Available in Apache HTTP Server 2.3.0 and later
+Available in Apache HTTP Server 2.3.0 and later. The use of the expression
+parser hass been added in 2.4.4.
The AuthFormLoginSuccessLocation directive
- specifies the URL to redirect to should the user have logged in successfully. This directive
- can be overridden if a form field has been defined containing another URL using the
- AuthFormLocation directive.
+ specifies the URL to redirect to should the user have logged in successfully. The value is
+ parsed using the ap_expr parser before being sent to the client.
+ This directive can be overridden if a form field has been defined containing another URL
+ using the AuthFormLocation directive.
Use this directive if you have a dedicated login URL, and you have not embedded the
destination page in the login form.
@@ -614,11 +618,14 @@ lower level modules
none
directory
-Available in Apache HTTP Server 2.3.0 and later
+Available in Apache HTTP Server 2.3.0 and later. The use of the expression
+parser hass been added in 2.4.4.
The AuthFormLogoutLocation directive
- specifies the URL of a page on the server to redirect to should the user attempt to log out.
+ specifies the URL of a page on the server to redirect to should the user attempt to log
+ out. The value is parsed using the ap_expr parser before
+ being sent to the client.
When a URI is accessed that is served by the handler form-logout-handler
,
the page specified by this directive will be shown to the end user. For example:
diff --git a/modules/aaa/mod_auth_form.c b/modules/aaa/mod_auth_form.c
index 9cdaed0fbf..7c305f150b 100644
--- a/modules/aaa/mod_auth_form.c
+++ b/modules/aaa/mod_auth_form.c
@@ -30,6 +30,7 @@
#include "http_request.h"
#include "ap_provider.h"
#include "util_md5.h"
+#include "ap_expr.h"
#include "mod_auth.h"
#include "mod_session.h"
@@ -73,11 +74,11 @@ typedef struct {
int body_set;
int disable_no_store;
int disable_no_store_set;
- const char *loginsuccess;
+ ap_expr_info_t *loginsuccess;
int loginsuccess_set;
- const char *loginrequired;
+ ap_expr_info_t *loginrequired;
int loginrequired_set;
- const char *logout;
+ ap_expr_info_t *logout;
int logout_set;
} auth_form_config_rec;
@@ -289,24 +290,51 @@ static const char *set_cookie_form_size(cmd_parms * cmd, void *config,
static const char *set_login_required_location(cmd_parms * cmd, void *config, const char *loginrequired)
{
auth_form_config_rec *conf = (auth_form_config_rec *) config;
- conf->loginrequired = loginrequired;
+ const char *err;
+
+ conf->loginrequired = ap_expr_parse_cmd(cmd, loginrequired, AP_EXPR_FLAG_STRING_RESULT,
+ &err, NULL);
+ if (err) {
+ return apr_psprintf(cmd->pool,
+ "Could not parse login required expression '%s': %s",
+ loginrequired, err);
+ }
conf->loginrequired_set = 1;
+
return NULL;
}
static const char *set_login_success_location(cmd_parms * cmd, void *config, const char *loginsuccess)
{
auth_form_config_rec *conf = (auth_form_config_rec *) config;
- conf->loginsuccess = loginsuccess;
+ const char *err;
+
+ conf->loginsuccess = ap_expr_parse_cmd(cmd, loginsuccess, AP_EXPR_FLAG_STRING_RESULT,
+ &err, NULL);
+ if (err) {
+ return apr_psprintf(cmd->pool,
+ "Could not parse login success expression '%s': %s",
+ loginsuccess, err);
+ }
conf->loginsuccess_set = 1;
+
return NULL;
}
static const char *set_logout_location(cmd_parms * cmd, void *config, const char *logout)
{
auth_form_config_rec *conf = (auth_form_config_rec *) config;
- conf->logout = logout;
+ const char *err;
+
+ conf->logout = ap_expr_parse_cmd(cmd, logout, AP_EXPR_FLAG_STRING_RESULT,
+ &err, NULL);
+ if (err) {
+ return apr_psprintf(cmd->pool,
+ "Could not parse logout required expression '%s': %s",
+ logout, err);
+ }
conf->logout_set = 1;
+
return NULL;
}
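Review bot: The error text in set_logout_location reads "logout required expression", which looks like a copy-paste from the login-required setter; `"Could not parse logout expression '%s': %s",` would match the directive name. None of the three setters has a comment saying the argument is now an ap_expr string rather than a literal URL; a one-line comment such as `/* value is an ap_expr string expression, evaluated per request */` above each `ap_expr_parse_cmd()` call would make that visible. Because values that used to be stored verbatim are now parsed, an existing value containing `%{` would presumably be interpreted, or rejected at startup, which deserves a line in the upgrade notes.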
@@ -851,6 +879,7 @@ static int authenticate_form_authn(request_rec * r)
const char *sent_user = NULL, *sent_pw = NULL, *sent_hash = NULL;
const char *sent_loc = NULL, *sent_method = "GET", *sent_mimetype = NULL;
const char *current_auth = NULL;
+ const char *err;
apr_status_t res;
int rv = HTTP_UNAUTHORIZED;
@@ -1001,8 +1030,17 @@ static int authenticate_form_authn(request_rec * r)
return HTTP_MOVED_TEMPORARILY;
}
if (conf->loginsuccess) {
- apr_table_set(r->headers_out, "Location", conf->loginsuccess);
- return HTTP_MOVED_TEMPORARILY;
+ const char *loginsuccess = ap_expr_str_exec(r,
+ conf->loginsuccess, &err);
+ if (!err) {
+ apr_table_set(r->headers_out, "Location", loginsuccess);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02339)
+ "Can't evaluate login success expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
}
}
}
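Review bot: The string returned by `ap_expr_str_exec()` is written to the `Location` header as-is, so once AuthFormLoginSuccessLocation uses request-derived variables the redirect target is partly client-controlled. Nothing in this block rejects an empty result or one containing CR/LF, and whether a later output stage filters such values is not visible in this diff. Consider treating those results as an evaluation failure before the `if (!err)` test, e.g. `if (!err && (!*loginsuccess || strpbrk(loginsuccess, "\r\n"))) err = "invalid redirect target";`, and state in the directive documentation that client-supplied values must be constrained to avoid open redirects. The same pattern recurs in the loginrequired block of this function, in both blocks of authenticate_form_login_handler and in the logout handler; authenticate_form_authn starts and ends outside this hunk.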
@@ -1014,8 +1052,17 @@ static int authenticate_form_authn(request_rec * r)
* instead?
*/
if (HTTP_UNAUTHORIZED == rv && conf->loginrequired) {
- apr_table_set(r->headers_out, "Location", conf->loginrequired);
- return HTTP_MOVED_TEMPORARILY;
+ const char *loginrequired = ap_expr_str_exec(r,
+ conf->loginrequired, &err);
+ if (!err) {
+ apr_table_set(r->headers_out, "Location", loginrequired);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02340)
+ "Can't evaluate login required expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
}
/* did the user ask to be redirected on login success? */
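Review bot: This evaluate / set Location / log / return 500 sequence is now repeated five times in the file (here, the loginsuccess block above, twice in authenticate_form_login_handler and once in the logout handler), differing only in the expression, the message word and the status code. A small static helper would keep the error handling in one place and make later hardening of the redirect value a single change; the per-site APLOGNO values would collapse into one, with the `what` argument distinguishing the caller in the log. Note that the logout site currently uses `apr_table_addn` where the others use `apr_table_set`, so folding it in needs a decision on which is intended. authenticate_form_authn starts and ends outside this hunk.

```c
/* Evaluate a location expression and answer with a redirect to the result. */
static int redirect_to_location(request_rec *r, const ap_expr_info_t *expr,
                                const char *what, int status)
{
    const char *err = NULL;
    const char *location = ap_expr_str_exec(r, expr, &err);

    if (err) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02340)
                      "Can't evaluate %s expression: %s", what, err);
        return HTTP_INTERNAL_SERVER_ERROR;
    }
    apr_table_set(r->headers_out, "Location", location);
    return status;
}

/* … unchanged: earlier part of authenticate_form_authn … */
    if (HTTP_UNAUTHORIZED == rv && conf->loginrequired) {
        return redirect_to_location(r, conf->loginrequired, "login required",
                                    HTTP_MOVED_TEMPORARILY);
    }
```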
@@ -1059,6 +1106,7 @@ static int authenticate_form_authn(request_rec * r)
static int authenticate_form_login_handler(request_rec * r)
{
auth_form_config_rec *conf;
+ const char *err;
const char *sent_user = NULL, *sent_pw = NULL, *sent_loc = NULL;
int rv;
@@ -1089,8 +1137,17 @@ static int authenticate_form_login_handler(request_rec * r)
return HTTP_MOVED_TEMPORARILY;
}
if (conf->loginsuccess) {
- apr_table_set(r->headers_out, "Location", conf->loginsuccess);
- return HTTP_MOVED_TEMPORARILY;
+ const char *loginsuccess = ap_expr_str_exec(r,
+ conf->loginsuccess, &err);
+ if (!err) {
+ apr_table_set(r->headers_out, "Location", loginsuccess);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02341)
+ "Can't evaluate login success expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
}
return HTTP_OK;
}
@@ -1098,8 +1155,17 @@ static int authenticate_form_login_handler(request_rec * r)
/* did we prefer to be redirected to the login page on failure instead? */
if (HTTP_UNAUTHORIZED == rv && conf->loginrequired) {
- apr_table_set(r->headers_out, "Location", conf->loginrequired);
- return HTTP_MOVED_TEMPORARILY;
+ const char *loginrequired = ap_expr_str_exec(r,
+ conf->loginrequired, &err);
+ if (!err) {
+ apr_table_set(r->headers_out, "Location", loginrequired);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02342)
+ "Can't evaluate login required expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
}
return rv;
@@ -1120,6 +1186,7 @@ static int authenticate_form_login_handler(request_rec * r)
static int authenticate_form_logout_handler(request_rec * r)
{
auth_form_config_rec *conf;
+ const char *err;
if (strcmp(r->handler, FORM_LOGOUT_HANDLER)) {
return DECLINED;
@@ -1139,8 +1206,17 @@ static int authenticate_form_logout_handler(request_rec * r)
/* if set, internal redirect to the logout page */
if (conf->logout) {
- apr_table_addn(r->headers_out, "Location", conf->logout);
- return HTTP_TEMPORARY_REDIRECT;
+ const char *logout = ap_expr_str_exec(r,
+ conf->logout, &err);
+ if (!err) {
+ apr_table_addn(r->headers_out, "Location", logout);
+ return HTTP_TEMPORARY_REDIRECT;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02343)
+ "Can't evaluate logout expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
}
return HTTP_OK;