From bccf84f76f2c47f9dd8bb83d82495fe88025cd2b Mon Sep 17 00:00:00 2001
From: Jeff Trawick
Date: Wed, 15 Apr 2015 16:42:46 +0000
Subject: [PATCH] Merge r1642847 and r1673155 from trunk so that yesterday's ApacheCon talk is valid: core: Add CGIPassAuth directive to control whether HTTP authorization headers are passed to scripts as CGI variables. PR: 56855 Reviewed by: rjung, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673860 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 STATUS | 8 --------
 docs/manual/mod/core.xml | 37 +++++++++++++++++++++++++++++++++++++
 include/ap_mmn.h | 4 +++-
 include/http_core.h | 9 +++++++++
 server/core.c | 16 ++++++++++++++++
 server/util_script.c | 6 +++++-
 7 files changed, 74 insertions(+), 10 deletions(-)
diff --git a/CHANGES b/CHANGES
index d3a219d29f..2c7bb58b43 100644
--- a/CHANGES
+++ b/CHANGES
@@ -141,6 +141,10 @@ Changes with Apache 2.4.11
 request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+ *) core: Add CGIPassAuth directive to control whether HTTP authorization
+ headers are passed to scripts as CGI variables. PR 56855. [Jeff
+ Trawick]
+ *) mod_ssl: New directive SSLSessionTickets (On|Off). The directive controls the use of TLS session tickets (RFC 5077), default value is "On" (unchanged behavior).
diff --git a/STATUS b/STATUS
index ac72b9e8b1..2f0241b463 100644
--- a/STATUS
+++ b/STATUS
@@ -138,14 +138,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.4.x patch: trunk works (modulo CHANGES) +1: ylavic, rjung, trawick - *) core: Add CGIPassAuth directive to control whether HTTP authorization - headers are passed to scripts as CGI variables. PR: 56855 - trunk patch: http://svn.apache.org/r1642847, http://svn.apache.org/r1673155 - 2.4.x patch: http://people.apache.org/~trawick/r1642847-r1673155-to-2.4.x.txt - (trunk works if you do the normal CHANGES/ap_mmn/core_dir_config - merge conflict resolution ;) ) - +1: trawick, rjung, ylavic - *) mod_logio: Log time-to-first-byte via %^FB trunk patch: http://svn.apache.org/r1671918 http://svn.apache.org/r1673113 diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml index 8187a037d9..838e0d4c06 100644 --- a/docs/manual/mod/core.xml +++ b/docs/manual/mod/core.xml @@ -560,6 +560,43 @@ scripts + +CGIPassAuth +Enables passing HTTP authorization headers to scripts as CGI +variables +CGIPassAuth On|Off +CGIPassAuth Off +directory.htaccess + +AuthConfig +Available in Apache HTTP Server 2.4.13 and later + + +

CGIPassAuth allows scripts access to HTTP + authorization headers such as Authorization, which is + required for scripts that implement HTTP Basic authentication. + Normally these HTTP headers are hidden from scripts, as it allows + scripts to see user ids and passwords used to access the server when + HTTP Basic authentication is enabled in the web server. This directive + should be used when scripts are allowed to implement HTTP Basic + authentication.

+ +

This directive can be used instead of the compile-time setting + SECURITY_HOLE_PASS_AUTHORIZATION which has been available + in previous versions of Apache HTTP Server.

+ +

The setting is respected by any modules which use + ap_add_common_vars(), such as mod_cgi, + mod_cgid, mod_proxy_fcgi, + mod_proxy_scgi, and so on. Notably, it affects + modules which don't handle the request in the usual sense but + still use this API; examples of this are mod_include + and mod_ext_filter. Third-party modules that don't + use ap_add_common_vars() may choose to respect the setting + as well.

+
+
+ ContentDigest Enables the generation of Content-MD5 HTTP Response
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 96d2d1b9aa..ea3d71ee17 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -439,6 +439,8 @@
 * 20120211.41 (2.4.11-dev) Add ap_proxy_de_socketfy to mod_proxy.h
 * 20120211.42 (2.4.13-dev) Add response_code_exprs to http_core.h
 * 20120211.43 (2.4.13-dev) Add keep_alive_timeout_set to server_rec
+ * 20120211.44 (2.4.13-dev) Add cgi_pass_auth and AP_CGI_PASS_AUTH_* to
+ * core_dir_config
 */
 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
@@ -446,7 +448,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20120211
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 43 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 44 /* 0...n */
 /**
 * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/include/http_core.h b/include/http_core.h
index 23db3cfce0..8171823a08 100644
--- a/include/http_core.h
+++ b/include/http_core.h
@@ -621,6 +621,15 @@ typedef struct {
 */
 apr_hash_t *response_code_exprs;
+#define AP_CGI_PASS_AUTH_OFF (0)
+#define AP_CGI_PASS_AUTH_ON (1)
+#define AP_CGI_PASS_AUTH_UNSET (2)
+ /** CGIPassAuth: Whether HTTP authorization headers will be passed to
+ * scripts as CGI variables; affects all modules calling
+ * ap_add_common_vars(), as well as any others using this field as
+ * advice
+ */
+ unsigned int cgi_pass_auth : 2;
 } core_dir_config;
 /* macro to implement off by default behaviour */
diff --git a/server/core.c b/server/core.c
index 4c7976e1ad..b00a8f04fc 100644
--- a/server/core.c
+++ b/server/core.c
@@ -190,6 +190,8 @@ static void *create_core_dir_config(apr_pool_t *a, char *dir)
 conf->max_overlaps = AP_MAXRANGES_UNSET;
 conf->max_reversals = AP_MAXRANGES_UNSET;
+ conf->cgi_pass_auth = AP_CGI_PASS_AUTH_UNSET;
+
 return (void *)conf;
 }
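Review bot: The doc comment on `cgi_pass_auth` in the http_core.h hunk does not say what a reader of the field must do with AP_CGI_PASS_AUTH_UNSET, yet that is the value every directory without a CGIPassAuth directive carries: core.c initialises the field to UNSET and merges UNSET through, and util_script.c only tests `== AP_CGI_PASS_AUTH_ON`, so the documented Off default is resolved at the point of use, not in the config. Since the comment explicitly invites other modules to use the field "as advice", I would add `* Consumers must treat AP_CGI_PASS_AUTH_UNSET exactly like AP_CGI_PASS_AUTH_OFF; the default is not resolved at merge time.` to that comment. The three `#define`s sit inside the struct body but are file-scope like any macro; placing them above `typedef struct {` (or making them an enum) would avoid suggesting they are scoped to core_dir_config.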
@@ -401,6 +403,8 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
 conf->max_overlaps = new->max_overlaps != AP_MAXRANGES_UNSET ? new->max_overlaps : base->max_overlaps;
 conf->max_reversals = new->max_reversals != AP_MAXRANGES_UNSET ? new->max_reversals : base->max_reversals;
+ conf->cgi_pass_auth = new->cgi_pass_auth != AP_CGI_PASS_AUTH_UNSET ? new->cgi_pass_auth : base->cgi_pass_auth;
+
 return (void*)conf;
 }
@@ -1685,6 +1689,15 @@ static const char *set_override(cmd_parms *cmd, void *d_, const char *l)
 return NULL;
 }
+static const char *set_cgi_pass_auth(cmd_parms *cmd, void *d_, int flag)
+{
+ core_dir_config *d = d_;
+
+ d->cgi_pass_auth = flag ? AP_CGI_PASS_AUTH_ON : AP_CGI_PASS_AUTH_OFF;
+
+ return NULL;
+}
+
 static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
 {
 core_dir_config *d = d_;
@@ -4121,6 +4134,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_limit, NULL,
 AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF, "maximum recursion depth of internal redirects and subrequests"),
+AP_INIT_FLAG("CGIPassAuth", set_cgi_pass_auth, NULL, OR_AUTHCFG,
+ "Controls whether HTTP authorization headers, normally hidden, will "
+ "be passed to scripts"),
 AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower, (void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO, "a mime type that overrides other configured type"),
diff --git a/server/util_script.c b/server/util_script.c
index 87504fac32..a8d9ebc4f0 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -140,6 +140,8 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
 apr_table_t *e;
 server_rec *s = r->server;
 conn_rec *c = r->connection;
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
 const char *env_temp;
 const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in);
 const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts;
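Review bot: In the util_script.c hunk at the end of this line, the new `conf` local is only read inside the `#ifndef SECURITY_HOLE_PASS_AUTHORIZATION` block of the following hunk, so a build that defines that macro gets an unused-variable warning for `conf` (unless the part of ap_add_common_vars outside these hunks also reads it, which I cannot see here). Guarding the declaration the same way keeps both build configurations warning-clean: `#ifndef SECURITY_HOLE_PASS_AUTHORIZATION` / `core_dir_config *conf = ap_get_core_module_config(r->per_dir_config);` / `#endif`. The `(core_dir_config *)` cast can be dropped if `ap_get_core_module_config` yields `void *`, which is what the non-debug macro form returns as far as I recall. ap_add_common_vars's body continues between and beyond these hunks.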
@@ -188,7 +190,9 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
 #ifndef SECURITY_HOLE_PASS_AUTHORIZATION
 else if (!strcasecmp(hdrs[i].key, "Authorization")
 || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
- continue;
+ if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON) {
+ add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+ }
 }
 #endif
 else
--
2.40.0
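Review bot: The new test `conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON` silently sends AP_CGI_PASS_AUTH_UNSET (no CGIPassAuth directive anywhere in scope) down the hide-the-header path; that is the documented Off default, but nothing in the code says so, and a reader comparing against the two-valued directive may assume the config layer already resolved it. A one-line comment above the `if` would make the contract explicit: `/* UNSET (no CGIPassAuth in scope) behaves as Off: credentials stay out of the script environment */`. The same comment could note that Proxy-Authorization is released together with Authorization when the directive is On, since the directive's help text only speaks of "HTTP authorization headers" generically. The enclosing header loop and ap_add_common_vars continue outside the hunk.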