From d49e6f0ad9037ba42ce8510f8e7e61a8875183b7 Mon Sep 17 00:00:00 2001
From: Jeff Trawick <trawick@apache.org>
Date: Tue, 2 Dec 2014 12:20:21 +0000
Subject: [PATCH] core: Add CGIPassAuth directive to control whether HTTP
 authorization headers are passed to scripts as CGI variables.

PR: 56855


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1642847 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                  |  4 ++++
 docs/manual/mod/core.xml | 37 +++++++++++++++++++++++++++++++++++++
 include/ap_mmn.h         |  4 +++-
 include/http_core.h      |  9 +++++++++
 server/core.c            | 16 ++++++++++++++++
 server/util_script.c     |  6 +++++-
 6 files changed, 74 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 6cd420f931..5743938860 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
      used in multiple Require directives with different arguments.
      PR57204 [Edward Lu <Chaosed0 gmail.com>]
 
+  *) core: Add CGIPassAuth directive to control whether HTTP authorization
+     headers are passed to scripts as CGI variables.  PR 56855.  [Jeff 
+     Trawick]
+
   *) mod_rewrite: Improve relative substitutions in per-directory/htaccess
      context for directories found by mod_userdir and mod_alias.  These no
      loner require RewriteBase to be specified. [Eric Covener]
diff --git a/docs/manual/mod/core.xml b/docs/manual/mod/core.xml
index f4aff68944..a04834c82a 100644
--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@@ -564,6 +564,43 @@ scripts</description>
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>CGIPassAuth</name>
+<description>Enables passing HTTP authorization headers to scripts as CGI
+variables</description>
+<syntax>CGIPassAuth On|Off</syntax>
+<default>CGIPassAuth Off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in Apache HTTP Server 2.5.0 and later</compatibility>
+
+<usage>
+    <p><directive>CGIPassAuth</directive> allows scripts access to HTTP
+    authorization headers such as <code>Authorization</code>, which is
+    required for scripts that implement HTTP Basic authentication.
+    Normally these HTTP headers are hidden from scripts, as it allows
+    scripts to see user ids and passwords used to access the server when
+    HTTP Basic authentication is enabled in the web server.  This directive
+    should be used when scripts are allowed to implement HTTP Basic
+    authentication.</p>
+
+    <p>This directive can be used instead of the compile-time setting
+    <code>SECURITY_HOLE_PASS_AUTHORIZATION</code> which has been available
+    in previous versions of Apache HTTP Server.</p>
+
+    <p>The setting is respected by any modules which use
+    <code>ap_add_common_vars()</code>, such as <module>mod_cgi</module>,
+    <module>mod_cgid</module>, <module>mod_proxy_fcgi</module>,
+    <module>mod_proxy_scgi</module>, and so on.  Notably, it affects
+    modules which don't handle the request in the usual sense but
+    still use this API; examples of this are <module>mod_include</module>
+    and <module>mod_ext_filter</module>.  Third-party modules that don't
+    use <code>ap_add_common_vars()</code> may choose to respect the setting
+    as well.</p>
+</usage>
+</directivesynopsis>
+
 <directivesynopsis>
 <name>ContentDigest</name>
 <description>Enables the generation of <code>Content-MD5</code> HTTP Response
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 17f83f6555..8991ce0587 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -473,6 +473,8 @@
  * 20140627.8 (2.5.0-dev)  Add ap_set_listencbratio(), ap_close_listeners_ex(),
  *                         ap_duplicate_listeners(), ap_num_listen_buckets and
  *                         ap_have_so_reuseport to ap_listen.h.
+ * 20140627.9 (2.5.0-dev)  Add cgi_pass_auth and AP_CGI_PASS_AUTH_* to 
+ *                         core_dir_config
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
@@ -480,7 +482,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20140627
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 8                 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 9                 /* 0...n */
 
 /**
  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/include/http_core.h b/include/http_core.h
index 85ca580478..2143d5a74d 100644
--- a/include/http_core.h
+++ b/include/http_core.h
@@ -624,6 +624,15 @@ typedef struct {
     /** Named back references */
     apr_array_header_t *refs;
 
+#define AP_CGI_PASS_AUTH_OFF     (0)
+#define AP_CGI_PASS_AUTH_ON      (1)
+#define AP_CGI_PASS_AUTH_UNSET   (2)
+    /** CGIPassAuth: Whether HTTP authorization headers will be passed to
+     * scripts as CGI variables; affects all modules calling
+     * ap_add_common_vars(), as well as any others using this field as 
+     * advice
+     */
+    unsigned int cgi_pass_auth : 2;
 } core_dir_config;
 
 /* macro to implement off by default behaviour */
diff --git a/server/core.c b/server/core.c
index ace928ad03..693283c859 100644
--- a/server/core.c
+++ b/server/core.c
@@ -196,6 +196,8 @@ static void *create_core_dir_config(apr_pool_t *a, char *dir)
     conf->max_overlaps = AP_MAXRANGES_UNSET;
     conf->max_reversals = AP_MAXRANGES_UNSET;
 
+    conf->cgi_pass_auth = AP_CGI_PASS_AUTH_UNSET;
+
     return (void *)conf;
 }
 
@@ -421,6 +423,8 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
     conf->max_overlaps = new->max_overlaps != AP_MAXRANGES_UNSET ? new->max_overlaps : base->max_overlaps;
     conf->max_reversals = new->max_reversals != AP_MAXRANGES_UNSET ? new->max_reversals : base->max_reversals;
 
+    conf->cgi_pass_auth = new->cgi_pass_auth != AP_CGI_PASS_AUTH_UNSET ? new->cgi_pass_auth : base->cgi_pass_auth;
+
     return (void*)conf;
 }
 
@@ -1719,6 +1723,15 @@ static const char *set_override(cmd_parms *cmd, void *d_, const char *l)
     return NULL;
 }
 
+static const char *set_cgi_pass_auth(cmd_parms *cmd, void *d_, int flag)
+{
+    core_dir_config *d = d_;
+
+    d->cgi_pass_auth = flag ? AP_CGI_PASS_AUTH_ON : AP_CGI_PASS_AUTH_OFF;
+
+    return NULL;
+}
+
 static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
 {
     core_dir_config *d = d_;
@@ -4324,6 +4337,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_limit, NULL,
 AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
               "maximum recursion depth of internal redirects and subrequests"),
 
+AP_INIT_FLAG("CGIPassAuth", set_cgi_pass_auth, NULL, OR_AUTHCFG,
+             "Controls which HTTP authorization headers, normally hidden, will "
+             "be passed to scripts"),
 AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower,
        (void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO,
      "a mime type that overrides other configured type"),
diff --git a/server/util_script.c b/server/util_script.c
index 87504fac32..a8d9ebc4f0 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -140,6 +140,8 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
     apr_table_t *e;
     server_rec *s = r->server;
     conn_rec *c = r->connection;
+    core_dir_config *conf =
+        (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
     const char *env_temp;
     const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in);
     const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts;
@@ -188,7 +190,9 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
 #ifndef SECURITY_HOLE_PASS_AUTHORIZATION
         else if (!strcasecmp(hdrs[i].key, "Authorization")
                  || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
-            continue;
+            if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON) {
+                add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+            }
         }
 #endif
         else
-- 
2.50.1