From d3380cfa2eae27b313b2a14d4de3f10b37bd7735 Mon Sep 17 00:00:00 2001 From: Rainer Jung Date: Tue, 11 Dec 2012 10:21:11 +0000 Subject: [PATCH] mod_auth_form: Support the expr parser in the AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and AuthFormLogoutLocation directives. mod_auth_form: Make sure 500 Internal Server Error is returned should an error occur while parsing an expression. Submitted by: minfrin Backported by: minfrin Reviewed by: minfrin, sf, rjung Backports of r1388648 and r1418721 from trunk. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1420071 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 4 ++ STATUS | 10 --- docs/manual/mod/mod_auth_form.xml | 27 +++++--- modules/aaa/mod_auth_form.c | 108 +++++++++++++++++++++++++----- 4 files changed, 113 insertions(+), 36 deletions(-) diff --git a/CHANGES b/CHANGES index 39e017eb6c..a7b7b5189b 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.4.4 + *) mod_auth_form: Support the expr parser in the + AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and + AuthFormLogoutLocation directives. [Graham Leggett] + *) mod_ssl: Add support for TLS-SRP (Secure Remote Password key exchange for TLS, RFC 5054). PR 51075. [Quinn Slack , Christophe Renou, Peter Sylvester] diff --git a/STATUS b/STATUS index dc166f9bc4..d4249a2c86 100644 --- a/STATUS +++ b/STATUS 
@@ -91,16 +91,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_auth_form: Support the expr parser in the - AuthFormLoginRequiredLocation, AuthFormLoginSuccessLocation and - AuthFormLogoutLocation directives. - trunk patch: http://svn.apache.org/viewvc?rev=1388648&view=rev - http://svn.apache.org/viewvc?rev=1418721&view=rev - 2.4.x patch: trunk patches work (minus next-number, CHANGES) - +1: minfrin, sf, rjung - rjung: please add compatibility note to docs about expr only supported - since 2.4.4. - * mod_proxy_balancer: Bring XML output up to date. http://svn.apache.org/viewvc?view=revision&revision=1392345 http://svn.apache.org/viewvc?view=revision&revision=1392346 diff --git a/docs/manual/mod/mod_auth_form.xml b/docs/manual/mod/mod_auth_form.xml index 23966b8b07..65aeaae914 100644 --- a/docs/manual/mod/mod_auth_form.xml +++ b/docs/manual/mod/mod_auth_form.xml @@ -552,13 +552,15 @@ lower level modules none directory -Available in Apache HTTP Server 2.3.0 and later +Available in Apache HTTP Server 2.3.0 and later. The use of the expression +parser hass been added in 2.4.4.

The AuthFormLoginRequiredLocation directive - specifies the URL to redirect to should the user not be authorised to view a page. By default, - if a user is not authorised to view a page, the HTTP response code HTTP_UNAUTHORIZED - will be returned with the page specified by the + specifies the URL to redirect to should the user not be authorised to view a page. The value + is parsed using the ap_expr parser before being sent to the client. + By default, if a user is not authorised to view a page, the HTTP response code + HTTP_UNAUTHORIZED will be returned with the page specified by the ErrorDocument directive. This directive overrides this default.

@@ -574,13 +576,15 @@ lower level modules none directory -Available in Apache HTTP Server 2.3.0 and later +Available in Apache HTTP Server 2.3.0 and later. The use of the expression +parser hass been added in 2.4.4.

The AuthFormLoginSuccessLocation directive - specifies the URL to redirect to should the user have logged in successfully. This directive - can be overridden if a form field has been defined containing another URL using the - AuthFormLocation directive.

+ specifies the URL to redirect to should the user have logged in successfully. The value is + parsed using the ap_expr parser before being sent to the client. + This directive can be overridden if a form field has been defined containing another URL + using the AuthFormLocation directive.

Use this directive if you have a dedicated login URL, and you have not embedded the destination page in the login form.

@@ -614,11 +618,14 @@ lower level modules none directory -Available in Apache HTTP Server 2.3.0 and later +Available in Apache HTTP Server 2.3.0 and later. The use of the expression +parser hass been added in 2.4.4.

The AuthFormLogoutLocation directive - specifies the URL of a page on the server to redirect to should the user attempt to log out.

+ specifies the URL of a page on the server to redirect to should the user attempt to log + out. The value is parsed using the ap_expr parser before + being sent to the client.

When a URI is accessed that is served by the handler form-logout-handler, the page specified by this directive will be shown to the end user. For example:

diff --git a/modules/aaa/mod_auth_form.c b/modules/aaa/mod_auth_form.c
index 9cdaed0fbf..7c305f150b 100644
--- a/modules/aaa/mod_auth_form.c
+++ b/modules/aaa/mod_auth_form.c
@@ -30,6 +30,7 @@
 #include "http_request.h"
 #include "ap_provider.h"
 #include "util_md5.h"
+#include "ap_expr.h"
 #include "mod_auth.h"
 #include "mod_session.h"
@@ -73,11 +74,11 @@ typedef struct {
 int body_set;
 int disable_no_store;
 int disable_no_store_set;
- const char *loginsuccess;
+ ap_expr_info_t *loginsuccess;
 int loginsuccess_set;
- const char *loginrequired;
+ ap_expr_info_t *loginrequired;
 int loginrequired_set;
- const char *logout;
+ ap_expr_info_t *logout;
 int logout_set;
 } auth_form_config_rec;
@@ -289,24 +290,51 @@ static const char *set_cookie_form_size(cmd_parms * cmd, void *config,
 static const char *set_login_required_location(cmd_parms * cmd, void *config, const char *loginrequired)
 {
 auth_form_config_rec *conf = (auth_form_config_rec *) config;
- conf->loginrequired = loginrequired;
+ const char *err;
+
+ conf->loginrequired = ap_expr_parse_cmd(cmd, loginrequired, AP_EXPR_FLAG_STRING_RESULT,
+ &err, NULL);
+ if (err) {
+ return apr_psprintf(cmd->pool,
+ "Could not parse login required expression '%s': %s",
+ loginrequired, err);
+ }
 conf->loginrequired_set = 1;
+
 return NULL;
 }
 static const char *set_login_success_location(cmd_parms * cmd, void *config, const char *loginsuccess)
 {
 auth_form_config_rec *conf = (auth_form_config_rec *) config;
- conf->loginsuccess = loginsuccess;
+ const char *err;
+
+ conf->loginsuccess = ap_expr_parse_cmd(cmd, loginsuccess, AP_EXPR_FLAG_STRING_RESULT,
+ &err, NULL);
+ if (err) {
+ return apr_psprintf(cmd->pool,
+ "Could not parse login success expression '%s': %s",
+ loginsuccess, err);
+ }
 conf->loginsuccess_set = 1;
+
 return NULL;
 }
 static const char *set_logout_location(cmd_parms * cmd, void *config, const char *logout)
 {
 auth_form_config_rec *conf = (auth_form_config_rec *) config;
- conf->logout = logout;
+ const char *err;
+
+ conf->logout = ap_expr_parse_cmd(cmd, logout, AP_EXPR_FLAG_STRING_RESULT,
+ &err, NULL);
+ if (err) {
+ return apr_psprintf(cmd->pool,
+ "Could not parse logout required expression '%s': %s",
+ logout, err);
+ }
 conf->logout_set = 1;
+
 return NULL;
 }
@@ -851,6 +879,7 @@ static int authenticate_form_authn(request_rec * r)
 const char *sent_user = NULL, *sent_pw = NULL, *sent_hash = NULL;
 const char *sent_loc = NULL, *sent_method = "GET", *sent_mimetype = NULL;
 const char *current_auth = NULL;
+ const char *err;
 apr_status_t res;
 int rv = HTTP_UNAUTHORIZED;
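Review bot: The error string added in set_logout_location reads "Could not parse logout required expression", which looks copied from the login-required setter; `"Could not parse logout expression '%s': %s"` would make the startup error name the right directive. All three setters now pass the directive value through the expression parser, so what used to be a literal URL is interpreted as an expression; a short comment above each, such as `/* value is an ap_expr string expression, parsed once at config time; a parse error is returned to the config loader */`, would record that. Because the redirect target can now be assembled from request variables, the directive documentation should also tell administrators to keep a fixed scheme and host in the expression rather than deriving them from client-supplied values, otherwise the redirect can be steered off-site.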
@@ -1001,8 +1030,17 @@ static int authenticate_form_authn(request_rec * r)
 return HTTP_MOVED_TEMPORARILY;
 }
 if (conf->loginsuccess) {
- apr_table_set(r->headers_out, "Location", conf->loginsuccess);
- return HTTP_MOVED_TEMPORARILY;
+ const char *loginsuccess = ap_expr_str_exec(r,
+ conf->loginsuccess, &err);
+ if (!err) {
+ apr_table_set(r->headers_out, "Location", loginsuccess);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02339)
+ "Can't evaluate login success expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
 }
 }
 }
@@ -1014,8 +1052,17 @@ static int authenticate_form_authn(request_rec * r)
 * instead? */
 if (HTTP_UNAUTHORIZED == rv && conf->loginrequired) {
- apr_table_set(r->headers_out, "Location", conf->loginrequired);
- return HTTP_MOVED_TEMPORARILY;
+ const char *loginrequired = ap_expr_str_exec(r,
+ conf->loginrequired, &err);
+ if (!err) {
+ apr_table_set(r->headers_out, "Location", loginrequired);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02340)
+ "Can't evaluate login required expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
 }
 /* did the user ask to be redirected on login success? */
@@ -1059,6 +1106,7 @@ static int authenticate_form_authn(request_rec * r)
 static int authenticate_form_login_handler(request_rec * r)
 {
 auth_form_config_rec *conf;
+ const char *err;
 const char *sent_user = NULL, *sent_pw = NULL, *sent_loc = NULL;
 int rv;
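Review bot: The string returned by ap_expr_str_exec() is written to the Location header in the loginsuccess branch without any check that it is non-empty and free of CR/LF, and the same pattern recurs in the loginrequired branch below, in both branches of authenticate_form_login_handler and in authenticate_form_logout_handler. Since the expression may reference request data, the evaluated value should be validated before it is set, and the request failed with 500 when it is unusable, rather than sending a redirect whose target is empty or shaped by the client. The five copies of the evaluate/log/return block differ only in the label, the log number and the status code, so one static helper would keep that check in a single place. `err` is also read after the call without having been initialised, which relies on ap_expr_str_exec() always writing it (presumably it does; `const char *err = NULL;` removes the doubt). The enclosing functions begin and end outside these hunks.

```c
/* Evaluate a location expression and, if it yields a usable value, set it
 * as the Location header and return `status`; otherwise log and return 500. */
static int set_location_from_expr(request_rec *r, const ap_expr_info_t *expr,
                                  const char *what, int status)
{
    const char *err = NULL;
    const char *location = ap_expr_str_exec(r, expr, &err);

    if (err) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02339)
                      "Can't evaluate %s expression: %s", what, err);
        return HTTP_INTERNAL_SERVER_ERROR;
    }
    /* refuse an empty target or one carrying a line break */
    if (!location || !*location || strpbrk(location, "\r\n")) {
        /* new message: needs its own APLOGNO */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "%s expression did not produce a usable Location", what);
        return HTTP_INTERNAL_SERVER_ERROR;
    }
    apr_table_set(r->headers_out, "Location", location);
    return status;
}

/* … unchanged: form parsing and credential check in authenticate_form_authn … */
            if (conf->loginsuccess) {
                return set_location_from_expr(r, conf->loginsuccess,
                                              "login success",
                                              HTTP_MOVED_TEMPORARILY);
            }
```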
@@ -1089,8 +1137,17 @@ static int authenticate_form_login_handler(request_rec * r)
 return HTTP_MOVED_TEMPORARILY;
 }
 if (conf->loginsuccess) {
- apr_table_set(r->headers_out, "Location", conf->loginsuccess);
- return HTTP_MOVED_TEMPORARILY;
+ const char *loginsuccess = ap_expr_str_exec(r,
+ conf->loginsuccess, &err);
+ if (!err) {
+ apr_table_set(r->headers_out, "Location", loginsuccess);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02341)
+ "Can't evaluate login success expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
 }
 return HTTP_OK;
 }
@@ -1098,8 +1155,17 @@ static int authenticate_form_login_handler(request_rec * r)
 /* did we prefer to be redirected to the login page on failure instead? */
 if (HTTP_UNAUTHORIZED == rv && conf->loginrequired) {
- apr_table_set(r->headers_out, "Location", conf->loginrequired);
- return HTTP_MOVED_TEMPORARILY;
+ const char *loginrequired = ap_expr_str_exec(r,
+ conf->loginrequired, &err);
+ if (!err) {
+ apr_table_set(r->headers_out, "Location", loginrequired);
+ return HTTP_MOVED_TEMPORARILY;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02342)
+ "Can't evaluate login required expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
 }
 return rv;
@@ -1120,6 +1186,7 @@ static int authenticate_form_login_handler(request_rec * r)
 static int authenticate_form_logout_handler(request_rec * r)
 {
 auth_form_config_rec *conf;
+ const char *err;
 if (strcmp(r->handler, FORM_LOGOUT_HANDLER)) {
 return DECLINED;
@@ -1139,8 +1206,17 @@ static int authenticate_form_logout_handler(request_rec * r)
 /* if set, internal redirect to the logout page */
 if (conf->logout) {
- apr_table_addn(r->headers_out, "Location", conf->logout);
- return HTTP_TEMPORARY_REDIRECT;
+ const char *logout = ap_expr_str_exec(r,
+ conf->logout, &err);
+ if (!err) {
+ apr_table_addn(r->headers_out, "Location", logout);
+ return HTTP_TEMPORARY_REDIRECT;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02343)
+ "Can't evaluate logout expression: %s", err);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
 }
 return HTTP_OK;
-- 
2.40.0
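Review bot: The logout branch keeps `apr_table_addn` for the Location header while the four login branches use `apr_table_set`; addn appends instead of replacing, so a Location entry already present in headers_out would be sent alongside the new one, and it stores the pointer without copying, which is only safe if the evaluated string lives as long as the request (presumably it comes from the request pool — confirm). `apr_table_set(r->headers_out, "Location", logout);` would match the other call sites. The context comment still says "internal redirect" although the branch returns HTTP_TEMPORARY_REDIRECT with a Location header, which is a client-side redirect; `/* if set, redirect the client to the logout page */` would describe it accurately. The function body continues outside the hunk.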