
rpluem at apache
May 9, 2008, 11:13 PM
Re: svn commit: r654958 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_auth_form.c
On 05/10/2008 12:15 AM, minfrin[at]apache.org wrote: > Author: minfrin > Date: Fri May 9 15:15:37 2008 > New Revision: 654958 > > URL: http://svn.apache.org/viewvc?rev=654958&view=rev > Log: > mod_auth_form: Make sure the input filter stack is properly set > up before reading the login form. Make sure the kept body filter > is correctly inserted to ensure the body can be read a second > time safely should the authn be successful. [Graham Leggett, > Ruediger Pluem] > > Modified: > httpd/httpd/trunk/CHANGES > httpd/httpd/trunk/modules/aaa/mod_auth_form.c > > Modified: httpd/httpd/trunk/modules/aaa/mod_auth_form.c > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/mod_auth_form.c?rev=654958&r1=654957&r2=654958&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/aaa/mod_auth_form.c (original) > +++ httpd/httpd/trunk/modules/aaa/mod_auth_form.c Fri May 9 15:15:37 2008 
> @@ -912,19 +905,73 @@ > * type and with the given body. > * > * Otherwise access is denied. > + * > + * Reading the body requires some song and dance, because the input filters > + * are not yet configured. To work around this problem, we create a > + * subrequest and use that to create a sane filter stack we can read the > + * form from. > + * > + * The main request is then capped with a kept_body input filter, which has > + * the effect of guaranteeing the input stack can be safely read a second time. > + * > */ > - if (r->method_number == M_POST) { > - rv2 = get_form_auth(r, conf->username, conf->password, conf->location, > - conf->method, conf->mimetype, conf->body, > - &sent_user, &sent_pw, &sent_loc, &sent_method, > - &sent_mimetype, conf); > - if (OK == rv2) { > - rv = check_auth(r, sent_user, sent_pw); > + if (HTTP_UNAUTHORIZED == rv && r->method_number == M_POST && ap_is_initial_req(r)) { > + request_rec *rr; > + apr_bucket_brigade *sent_body = NULL; > + > + /* create a subrequest of our current uri */ > + rr = ap_sub_req_lookup_uri(r->uri, r, r->input_filters); > + rr->headers_in = r->headers_in; > + > + /* run the insert_filters hook on the subrequest to ensure a body read can > + * be done properly. > + */ > + ap_run_insert_filter(rr); > + > + /* parse the form by reading the subrequest */ > + rv = get_form_auth(rr, conf->username, conf->password, conf->location, > + conf->method, conf->mimetype, conf->body, > + &sent_user, &sent_pw, &sent_loc, &sent_method, > + &sent_mimetype, &sent_body, conf); > + > + /* insert the kept_body filter on the main request to guarantee the > + * input filter stack cannot be read a second time, optionally inject > + * a saved body if one was specified in the login form. > + */ > + if (sent_body && sent_mimetype) { > + apr_table_set(r->headers_in, "Content-Type", sent_mimetype); > + r->kept_body = sent_body;

Any reason why we do not need to adjust the Content-Length header any longer?

Regards

Rüdiger
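
Review bot: The subrequest returned by ap_sub_req_lookup_uri() is used unchecked in the new POST branch: rr->headers_in is assigned, then ap_run_insert_filter(rr) and get_form_auth(rr, ...) run on it, with no test of rr->status in the lines shown. Testing rr->status first, and leaving rv as HTTP_UNAUTHORIZED when the lookup did not succeed, would keep the login form from being read through a subrequest that was never set up properly. The comment above the kept_body insertion also says the input filter stack "cannot be read a second time", while the function comment added at the top of the hunk says it "can be safely read a second time"; one of the two should be corrected so the intent is unambiguous. Finally, rr->headers_in = r->headers_in shares one table between both requests, so the later apr_table_set() on r->headers_in changes the subrequest's headers as well; a short comment saying whether that sharing is intended would help.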