author | Eric Covener <covener@apache.org> | 2017-05-26 21:29:59 +0000 |
---|---|---|
committer | Eric Covener <covener@apache.org> | 2017-05-26 21:29:59 +0000 |
commit | 92ab67cbad4e148c4ed97bba713e7b320a4412f9 (patch) | |
tree | 8ebe88999805856e23ea2f9ab0d768d69ea565a7 /include/http_protocol.h | |
parent | 11250ebd61ba9173b172ab253f5634ba19fad205 (diff) | |
core: deprecate and replace ap_get_basic_auth_pw
*) core: Deprecate ap_get_basic_auth_pw() and add
ap_get_basic_auth_components().
Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
CVEID: CVE-2017-3167
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1796348 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'include/http_protocol.h')
-rw-r--r-- | include/http_protocol.h | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/include/http_protocol.h b/include/http_protocol.h
index 63c3b0cc65..c5a6a60e3e 100644
--- a/include/http_protocol.h
+++ b/include/http_protocol.h
@@ -576,7 +576,11 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
 AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
 
 /**
- * Get the password from the request headers
+ * Get the password from the request headers. This function has multiple side
+ * effects due to its prior use in the old authentication framework.
+ * ap_get_basic_auth_components() should be preferred.
+ *
+ * @deprecated @see ap_get_basic_auth_components
 * @param r The current request
 * @param pw The password as set in the headers
 * @return 0 (OK) if it set the 'pw' argument (and assured
@@ -589,6 +593,25 @@ AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
 */
 AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
 
+#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
+
+/**
+ * Get the username and/or password from the request's Basic authentication
+ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
+ * effects on the passed request_rec.
+ *
+ * @param r The current request
+ * @param username If not NULL, set to the username sent by the client
+ * @param password If not NULL, set to the password sent by the client
+ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
+ * APR_EINVAL if there was no authentication header sent or if the
+ * client was not using the Basic authentication scheme. username and
+ * password are unchanged on failure.
+ */
+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
+ const char **username,
+ const char **password);
+
 /**
 * parse_uri: break apart the uri
 * @warning Side Effects: |
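Review bot: The new deprecation text for `ap_get_basic_auth_pw()` says the function "has multiple side effects" but never names them, so a module author reading the header cannot judge whether an existing call is exposed to the problem behind the CVE ID in the commit message. The implementation is not part of this diff, so the list has to be taken from the .c file; I would add a line of the form ` * Side effects: modifies <fields of request_rec, to be filled in from the implementation> before the credentials have been verified.` and state in which request phase the call is still considered safe. The doc block starts and ends outside the hunk's context lines.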
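Review bot: `AP_GET_BASIC_AUTH_PW_NOTE` is added to a public header with no comment, so nothing tells a module author what the string is a key for, who sets it, or whether modules may touch it. From the name it looks like a marker tied to calls of the deprecated function (inferred; its users are outside this diff), and a comment such as `/* Marker recording that ap_get_basic_auth_pw() was called on this request; modules should not set or clear it. */`, adjusted to what the code really does, would close that gap. The doc block for `ap_get_basic_auth_components()` should also say that the returned username and password are unverified values as sent by the client, so callers migrating from the old function must still authenticate them. It would help to document the lifetime of the returned strings as well, since `r` is `const` and the header does not show where they are allocated.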