
Mailing List Archive: Apache: Bugs

[Bug 52892] Require expr and %{REMOTE_USER}

 

 



bugzilla at apache

Mar 13, 2012, 12:44 AM

Post #1 of 3 (246 views)
[Bug 52892] Require expr and %{REMOTE_USER}

https://issues.apache.org/bugzilla/show_bug.cgi?id=52892

--- Comment #1 from Stefan Fritsch <sf [at] sfritsch> 2012-03-13 07:44:36 UTC ---
The require statements are actually executed twice, once before auth and once
after auth. Auth is only triggered if a Require statement says that its result
may change after auth and the change of this statement would actually make a
difference in the end result. However, Require expr currently lacks the
necessary logic for this.

You could try (untested):

<RequireAll>
Require ssl-verify-client
Require valid-user
<RequireAny>
Require user workaround_for_PR_52892
Require expr ...
</RequireAny>
</RequireAll>

Then the Require user would trigger auth. Of course, workaround_for_PR_52892
must not exist as a user or you have a security problem.

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd
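
A simplified model of the two-pass evaluation described in comment #1, added here as an illustration; it is not Apache httpd code and not part of the original posts. The status names, the `handle` function, the pre-workaround layout and the stand-in expression (certificate user equals login, inferred from the test reported in comment #2) are assumptions.

```python
# Simplified model (not Apache source) of the two-pass Require evaluation.
GRANTED, DENIED, NEEDS_USER = "granted", "denied", "denied-may-change-after-auth"

def ssl_verify_client(req):
    return GRANTED if req["cert_user"] else DENIED

def valid_user(req):
    return GRANTED if req["user"] else NEEDS_USER

def require_user(name):
    def check(req):
        if req["user"] is None:
            return NEEDS_USER              # result may change once a user is known
        return GRANTED if req["user"] == name else DENIED
    return check

def expr_cert_matches_login(req):
    # Assumed stand-in for the elided "Require expr ...". Like the expr provider
    # discussed in the thread, it never reports that auth could change its answer.
    return GRANTED if req["user"] == req["cert_user"] else DENIED

def require_all(*children):
    def check(req):
        results = [child(req) for child in children]
        if DENIED in results:
            return DENIED                  # auth cannot change the end result
        return NEEDS_USER if NEEDS_USER in results else GRANTED
    return check

def require_any(*children):
    def check(req):
        results = [child(req) for child in children]
        if GRANTED in results:
            return GRANTED
        return NEEDS_USER if NEEDS_USER in results else DENIED
    return check

def handle(tree, cert_user, login):
    """Return (auth_triggered, final_result) for one constructed request."""
    first = tree({"cert_user": cert_user, "user": None})         # pass 1: before auth
    if first != NEEDS_USER:
        return False, first                                      # auth never triggered
    return True, tree({"cert_user": cert_user, "user": login})   # pass 2: after auth

PLACEHOLDER = "workaround_for_PR_52892"
# Assumed pre-workaround layout; the thread does not show the original config.
without_workaround = require_all(ssl_verify_client, valid_user, expr_cert_matches_login)
with_workaround = require_all(
    ssl_verify_client, valid_user,
    require_any(require_user(PLACEHOLDER), expr_cert_matches_login))
```

In this model, `handle(with_workaround, "user1", PLACEHOLDER)` is granted even though the certificate and login differ, which is why the placeholder name must not exist as a real account.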


bugzilla at apache

Mar 13, 2012, 10:33 AM

Post #2 of 3 (227 views)
[Bug 52892] Require expr and %{REMOTE_USER} [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=52892

--- Comment #2 from Jorge Schrauwen <registration [at] blackdot> 2012-03-13 17:33:47 UTC ---
(In reply to comment #1)
> The require statements are actually executed twice, once before auth and once
> after auth. Auth is only triggered if a Require statement says that its result
> may change after auth and the change of this statement would actually make a
> difference in the end result. However, Require expr currently lacks the
> necessary logic for this.
>
Will it support it in the future?

> You could try (untested):
>
> <RequireAll>
> Require ssl-verify-client
> Require valid-user
> <RequireAny>
> Require user workaround_for_PR_52892
> Require expr ...
> </RequireAny>
> </RequireAll>
>
> Then the Require user would trigger auth. Of course, workaround_for_PR_52892
> must not exist as a user or you have a security problem.

I've tested it and it works!
cert for user1 with user2 as login --> fail
cert for user1 with user1 as login --> success



bugzilla at apache

Mar 13, 2012, 12:30 PM

Post #3 of 3 (229 views)
[Bug 52892] Require expr and %{REMOTE_USER} [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=52892

--- Comment #3 from Stefan Fritsch <sf [at] sfritsch> 2012-03-13 19:30:37 UTC ---
(In reply to comment #2)
> > However, Require expr currently lacks the
> > necessary logic for this.
> >
> Will it support it in the future?

yes

