Changes with Apache 2.0.48
+ *) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an
+ identity spoof is encountered.
+ [Sander Striker]
+
*) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory
containing the .htaccess file is requested without a trailing slash.
PR 20195. [André Malo]
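Review bot: the CHANGES entry describes the fix only as "Fix FakeBasicAuth for subrequest" and does not say what the fix is (declining check_user_id for subrequests, as the removed STATUS entry does), so a reader of CHANGES cannot tell whether the behaviour change affects them; consider wording it as in STATUS, e.g. "Fix FakeBasicAuth for subrequests by declining check_user_id for non-initial requests, and log an error when an identity spoof is encountered."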
APACHE 2.0 STATUS: -*-text-*-
-Last modified at [$Date: 2003/08/08 07:38:39 $]
+Last modified at [$Date: 2003/08/08 09:37:53 $]
Release:
+1: nd, trawick
(gstein likes the concept, but needs to review...)
- * mod_ssl: Fix FakeBasicAuth for subrequests, by declining check_user_id.
- Otherwise it would run into the check that was to protect from externally
- fabricated Authorization headers, which would choke on the one added
- by mod_ssl itself.
- modules/ssl/ssl_engine_kernel.c: r1.97
- +1: striker, trawick, gstein
-
- * mod_ssl: Add error msg for the case when FakeBasicAuth is tried to be
- tricked. IOW, when someone tries to spoof his identity.
- modules/ssl/ssl_engine_kernel.c: r1.98
- +1: striker, gstein, trawick
-
* fix extern "C" declaration of util_ebcdic.h. PR: 22203
include/util_ebcdic.h: r1.15
+1: nd, trawick
return HTTP_FORBIDDEN;
}
+ /*
+ * We decline when we are in a subrequest. The Authorization header
+ * would already be present if it was added in the main request.
+ */
+ if (!ap_is_initial_req(r)) {
+ return DECLINED;
+ }
+
/*
* Make sure the user is not able to fake the client certificate
* based authentication by just entering an X.509 Subject DN
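Review bot: the new `if (!ap_is_initial_req(r)) return DECLINED;` sits after the earlier `return HTTP_FORBIDDEN;` at the top of the hunk, so whatever condition that earlier check guards still runs for every subrequest while only the spoof check below is skipped; confirm that ordering is intended rather than placing the DECLINED first. The comment could also state why skipping is safe: a subrequest shares headers_in with its main request, so the fake Authorization header it sees is the one mod_ssl added in the initial request (which is exactly what the check below would otherwise reject), and the fake header must therefore only ever be generated for the initial request.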
password = auth_line;
if ((username[0] == '/') && strEQ(password, "password")) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Encountered FakeBasicAuth spoof: %s", username);
return HTTP_FORBIDDEN;
}
}
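Review bot: the added `ap_log_rerror(..., "Encountered FakeBasicAuth spoof: %s", username);` writes a client-supplied value to the error log verbatim. `username` is whatever the client put in the Authorization header (only its leading '/' and the fixed password have been checked), so it can carry newlines or other control characters into the log; consider escaping it (e.g. with ap_escape_logitem if this tree has it) or truncating it before logging. Since the condition is fully under the client's control, APLOG_ERR on every attempt also means a client can fill the error log at will; that is acceptable for a clear spoof, but worth a note in the comment above the check.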