-rw-r--r--NEWS1
-rw-r--r--src/mod_auth.c14
-rw-r--r--src/mod_fastcgi.c29
-rw-r--r--tests/lighttpd.conf13
-rwxr-xr-xtests/mod-fastcgi.t22
5 files changed, 48 insertions, 31 deletions
diff --git a/NEWS b/NEWS
index 6504544b..8c3f1bb9 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,7 @@ NEWS
* Fix handling of empty header list entries in http_request_split_value, fixing invalid read in valgrind (fixes #2413)
* Fix access log escaping of " and \\ (fixes #1551)
* [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)
+ * [auth] Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround, add fastcgi test case (fixes #889)
- 1.4.30 - 2011-12-18
* Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)
diff --git a/src/mod_auth.c b/src/mod_auth.c
index 0abde92f..d9818927 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -181,6 +181,7 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
size_t k;
int auth_required = 0, auth_satisfied = 0;
char *http_authorization = NULL;
+ const char *auth_type = NULL;
data_string *ds;
mod_auth_plugin_data *p = p_d;
array *req;
@@ -245,12 +246,14 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
if ((auth_type_len == 5) &&
(0 == strncasecmp(http_authorization, "Basic", auth_type_len))) {
+ auth_type = "Basic";
if (0 == strcmp(method->value->ptr, "basic")) {
auth_satisfied = http_auth_basic_check(srv, con, p, req, con->uri.path, auth_realm+1);
}
} else if ((auth_type_len == 6) &&
(0 == strncasecmp(http_authorization, "Digest", auth_type_len))) {
+ auth_type = "Digest";
if (0 == strcmp(method->value->ptr, "digest")) {
if (-1 == (auth_satisfied = http_auth_digest_check(srv, con, p, req, con->uri.path, auth_realm+1))) {
con->http_status = 400;
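Review bot: `auth_type` is assigned as soon as the Authorization scheme is recognised, one line before the comparison with the configured `method`, so it records the scheme the client sent, not the scheme that was actually verified. As far as the visible lines show, the two coincide whenever `auth_satisfied` is set, but that link is implicit. Moving `auth_type = "Basic";` and `auth_type = "Digest";` inside the respective `if (0 == strcmp(method->value->ptr, ...))` bodies would tie the exported value to the check that ran. The rest of mod_auth_uri_handler is outside this hunk.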
@@ -302,6 +305,17 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
/* the REMOTE_USER header */
buffer_copy_string_buffer(con->authed_user, p->auth_user);
+
+ /* AUTH_TYPE environment */
+
+ if (NULL == (ds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
+ ds = data_string_init();
+ }
+
+ buffer_copy_string(ds->key, "AUTH_TYPE");
+ buffer_copy_string(ds->value, auth_type);
+
+ array_insert_unique(con->environment, (data_unset *)ds);
}
return HANDLER_GO_ON;
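Review bot: `buffer_copy_string(ds->value, auth_type);` has no guard against `auth_type` still being NULL. It is initialised to NULL and set only in the Basic and Digest branches, and the condition enclosing this block is outside the hunk. If that condition guarantees a successful check, the value is always set, but nothing here states or enforces it. Wrapping the AUTH_TYPE insertion in `if (NULL != auth_type) { ... }`, or adding a comment such as `/* auth_type is non-NULL here: auth_satisfied is only set in the Basic/Digest branches */`, would keep a later auth scheme from exporting an empty or stale AUTH_TYPE to CGI backends.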
diff --git a/src/mod_fastcgi.c b/src/mod_fastcgi.c
index 18a433fc..335c246a 100644
--- a/src/mod_fastcgi.c
+++ b/src/mod_fastcgi.c
@@ -1910,36 +1910,7 @@ static int fcgi_create_env(server *srv, handler_ctx *hctx, size_t request_id) {
FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_ADDR"), s, strlen(s)),con)
if (!buffer_is_empty(con->authed_user)) {
- /* AUTH_TYPE fix by Troy Kruthoff (tkruthoff@gmail.com)
- * section 4.1.1 of RFC 3875 (cgi spec) requires the server to set a AUTH_TYPE env
- * declaring the type of authentication used. (see http://tools.ietf.org/html/rfc3875#page-11)
- *
- * I copied this code from mod_auth.c where it extracts auth info from the "Authorization"
- * header to authenticate the user before allowing the request to proceed. I'm guessing it makes
- * sense to re-parse the header here, as mod_auth is unaware if the request is headed for cgi/fcgi.
- * Someone more familiar with the lighty internals should be able to quickly determine if we are
- * better storing AUTH_TYPE on the initial parse in mod_auth.
- */
- char *http_authorization = NULL;
- data_string *ds;
-
FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_USER"), CONST_BUF_LEN(con->authed_user)),con)
-
- if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Authorization"))) {
- http_authorization = ds->value->ptr;
- }
-
- if (ds && ds->value && ds->value->used) {
- char *auth_realm;
- if (NULL != (auth_realm = strchr(http_authorization, ' '))) {
- int auth_type_len = auth_realm - http_authorization;
- if ((auth_type_len == 5) && (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Basic"));
- } else if ((auth_type_len == 6) && (0 == strncmp(http_authorization, "Digest", auth_type_len))) {
- fcgi_env_add(p->fcgi_env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Digest"));
- }
- }
- }
}
if (con->request.content_length > 0 && host->mode != FCGI_AUTHORIZER) {
diff --git a/tests/lighttpd.conf b/tests/lighttpd.conf
index 8608fdd6..a4b5cd84 100644
--- a/tests/lighttpd.conf
+++ b/tests/lighttpd.conf
@@ -175,6 +175,19 @@ $HTTP["host"] !~ "(no-simple\.example\.org)" {
simple-vhost.default-host = "www.example.org"
}
+$HTTP["host"] == "auth.example.org" {
+ server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
+ server.name = "auth.example.org"
+ auth.backend = "htpasswd"
+ auth.require = ( "" =>
+ (
+ "method" => "basic",
+ "realm" => "download archiv",
+ "require" => "valid-user"
+ )
+ )
+}
+
$HTTP["host"] =~ "(vvv).example.org" {
url.redirect = ( "^/redirect/$" => "http://localhost:2048/" )
}
diff --git a/tests/mod-fastcgi.t b/tests/mod-fastcgi.t
index 64cf63da..691bce2e 100755
--- a/tests/mod-fastcgi.t
+++ b/tests/mod-fastcgi.t
@@ -7,7 +7,7 @@ BEGIN {
}
use strict;
-use Test::More tests => 56;
+use Test::More tests => 58;
use LightyTest;
my $tf = LightyTest->new();
@@ -25,7 +25,7 @@ SKIP: {
}
SKIP: {
- skip "no PHP running on port 1026", 33 unless $tf->listening_on(1026);
+ skip "no PHP running on port 1026", 35 unless $tf->listening_on(1026);
ok($tf->start_proc == 0, "Starting lighttpd") or goto cleanup;
@@ -188,6 +188,24 @@ EOF
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Length' => 4348 } ];
ok($tf->handle_http($t) == 0, 'X-Sendfile2');
+ $t->{REQUEST} = ( <<EOF
+GET /get-server-env.php?env=REMOTE_USER HTTP/1.0
+Host: auth.example.org
+Authorization: Basic ZGVzOmRlcw==
+EOF
+ );
+ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'des' } ];
+ ok($tf->handle_http($t) == 0, '$_SERVER["REMOTE_USER"]');
+
+ $t->{REQUEST} = ( <<EOF
+GET /get-server-env.php?env=AUTH_TYPE HTTP/1.0
+Host: auth.example.org
+Authorization: Basic ZGVzOmRlcw==
+EOF
+ );
+ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'Basic' } ];
+ ok($tf->handle_http($t) == 0, '$_SERVER["AUTH_TYPE"]');
+
ok($tf->stop_proc == 0, "Stopping lighttpd");
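Review bot: The two added cases cover only a successful Basic login, so nothing checks that auth.example.org refuses a request without credentials before the backend can see REMOTE_USER or AUTH_TYPE. A negative case expecting 401 would pin that, and a Digest case would cover the second `auth_type` branch in mod_auth.c. Adding the case below also means raising the plan count in `use Test::More tests => 58;` and the skip count in `skip "no PHP running on port 1026", 35` by one each.

```perl
# ... unchanged: REMOTE_USER and AUTH_TYPE cases with valid credentials ...

	# no Authorization header: the protected host must answer 401
	$t->{REQUEST}  = ( <<EOF
GET /get-server-env.php?env=AUTH_TYPE HTTP/1.0
Host: auth.example.org
EOF
 );
	$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 401 } ];
	ok($tf->handle_http($t) == 0, 'AUTH_TYPE request without credentials is rejected');
```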