From be7dfb3ad3fedc051a4e494b829762eb03e4076f Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Mon, 2 Jul 2018 12:48:17 +0000
Subject: [PATCH] Merge r1834209 from trunk:
If several parameters are used in an AuthzProviderAlias directive and these
parameters are not enclosed in quotation marks, only the first one is handled.
The other ones are silently ignored.
Add a message to warn about such a spurious configuration.
PR 62469
Inspired by: Hank Ibell
Submitted by: jailletc36
Reviewed by: jailletc36, covener, jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1834843 13f79535-47bb-0310-9956-ffa450edef68
---
CHANGES | 5 +++++
STATUS | 9 ---------
docs/manual/mod/mod_authz_core.xml | 17 +++++++++++++++++
modules/aaa/mod_authz_core.c | 13 ++++++++++++-
4 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/CHANGES b/CHANGES
index 6646821f58..aef58a70f8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.34
+ *) mod_authz_core: If several parameters are used in a AuthzProviderAlias
+ directive, if these parameters are not enclosed in quotation mark, only
+ the first one is handled. The other ones are silently ignored.
+ Add a message to warn about such a spurious configuration.
+ PR 62469 [Hank Ibell , Christophe Jaillet]
*) mod_md: improvements and bugfixes
- MDNotifyCmd now takes additional parameter that are passed on to the called command.
diff --git a/STATUS b/STATUS
index 85be42f4a5..896eb97fa9 100644
--- a/STATUS
+++ b/STATUS
@@ -141,15 +141,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) mod_authz_core: If several parameters are used in a AuthzProviderAlias directive,
- if these parameters are not enclosed in quotation mark, only the first one is
- handled. The other ones are silently ignored.
- PR 62469.
- trunk patch: http://svn.apache.org/r1834209
- 2.4.x patch: trunk works (modulo CHANGES and next-number)
- svn merge -c 1834209 ^/httpd/httpd/trunk .
- +1: jailletc36, covener, jim
-
*) Easy patches: synch 2.4.x and trunk
- mod_env: remove an empty line
- mod_ssl: Simplify code, no functional change
diff --git a/docs/manual/mod/mod_authz_core.xml b/docs/manual/mod/mod_authz_core.xml
index 93b86a715d..0df8c22ba2 100644
--- a/docs/manual/mod/mod_authz_core.xml
+++ b/docs/manual/mod/mod_authz_core.xml
@@ -600,6 +600,23 @@ alias
authorization directives that can be referenced by the alias name using the
directive Require.
+ If several parameters are needed in Require-Parameters,
+ they must be enclosed in quotation marks. Otherwise, only the first one
+ is taken into account.
+
+
+# In this example, for both addresses to be taken into account, they MUST be enclosed
+# between quotation marks
+<AuthzProviderAlias ip blacklisted-ips "XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY">
+</AuthzProviderAlias>
+
+<Directory "/path/to/dir">
+ <RequireAll>
+ Require not blacklisted-ips
+ Require all granted
+ </RequireAll>
+</Directory>
+
diff --git a/modules/aaa/mod_authz_core.c b/modules/aaa/mod_authz_core.c
index c5e5969182..958511446e 100644
--- a/modules/aaa/mod_authz_core.c
+++ b/modules/aaa/mod_authz_core.c
@@ -253,7 +253,7 @@ static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
const char *endp = ap_strrchr_c(args, '>');
char *provider_name;
char *provider_alias;
- char *provider_args;
+ char *provider_args, *extra_args;
ap_conf_vector_t *new_authz_config;
int old_overrides = cmd->override;
const char *errmsg;
@@ -279,11 +279,22 @@ static const char *authz_require_alias_section(cmd_parms *cmd, void *mconfig,
provider_name = ap_getword_conf(cmd->pool, &args);
provider_alias = ap_getword_conf(cmd->pool, &args);
provider_args = ap_getword_conf(cmd->pool, &args);
+ extra_args = ap_getword_conf(cmd->pool, &args);
if (!provider_name[0] || !provider_alias[0]) {
return apr_pstrcat(cmd->pool, cmd->cmd->name,
"> directive requires additional arguments", NULL);
}
+
+ /* We only handle one "Require-Parameters" parameter. If several parameters
+ are needed, they must be enclosed between quotes */
+ if (extra_args && *extra_args) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, cmd->server, APLOGNO(10142)
+ "When several arguments (%s %s...) are passed to a %s directive, "
+ "they must be enclosed in quotation marks. Otherwise, only the "
+ "first one is taken into account",
+ provider_args, extra_args, cmd->cmd->name);
+ }
new_authz_config = ap_create_per_dir_config(cmd->pool);
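Review bot: The new check at `if (extra_args && *extra_args)` only logs at APLOG_WARNING and then falls through to `ap_create_per_dir_config`, so an alias that, per the message text, uses just the first argument still takes effect. For an alias referenced from a negated rule, such as the `Require not blacklisted-ips` example in the documentation hunk, the addresses after the first stay unrestricted and the only signal is one log line at configuration load. If compatibility on this branch allows, reject the directive the way the missing-argument branch above does, e.g. `return apr_pstrcat(cmd->pool, cmd->cmd->name, "> directive accepts a single, quoted Require-Parameters argument", NULL);`; otherwise add the directive's location (`cmd->directive->filename`, `cmd->directive->line_num`) to the warning so the entry can be found. The body of authz_require_alias_section starts and ends outside this hunk.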
--
2.40.0