Note patch http://people.apache.org/~jim/mod_auth_ldap-2.0.patch

which protects against bad stuff when mod_auth_ldap's check_user_id
hook doesn't complete or isn't called, but auth_checker is.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@231033 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/STATUS b/STATUS
index c8682bb88e9b25a018576a55ee276461ef304d33..91ecfb505dcc5c6efdcdff9c3ed56742306956f7 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -205,6 +205,13 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are! ]
 
+    *) Prevent bad dereferencing of non-existent req struct in
+       mod_auth_ldap's mod_auth_ldap_auth_checker() if
+       mod_auth_ldap_check_user_id() was never (fully) called.
+       Similar behavior to that in 2.1/2.2.
+         http://people.apache.org/~jim/mod_auth_ldap-2.0.patch
+       +1: jim
+
     *) Correct RFC 2616 non-compliance by refusing to proxy a request body 
        in a TRACE request, unless TraceEnable extended is configured.
        Introduces TraceEnable [on|off|extended] to give the administrator