From: Stefan Fritsch Date: Thu, 7 Oct 2010 17:28:46 +0000 (+0000) Subject: backport r902654 from trunk: X-Git-Tag: 2.2.17~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3282f448563ca985f624c3cff8da7fdf29903281;p=thirdparty%2Fapache%2Fhttpd.git backport r902654 from trunk: mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the password to UTF-8. PR: 45318 Adapted patch from Johannes Mueller git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1005537 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index f98c17a5fc9..e4e8ebcc2a4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.17 + *) mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the + password to UTF-8. PR 45318. + [Johannes Müller , Stefan Fritsch] + *) core: check symlink ownership if both FollowSymlinks and SymlinksIfOwnerMatch are set [Nick Kew] diff --git a/STATUS b/STATUS index 826dd609d2f..2c5d3ec2684 100644 --- a/STATUS +++ b/STATUS @@ -102,12 +102,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: +1: trawick, wrowe niq: +1 to the 2.2.x patch, but why r951900 and r987379 in trunk patches? - * mod_authnz_ldap: If AuthLDAPCharsetConfig is set, also convert the password to - UTF-8. - Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=902654 - 2.2 patch: trunk patch works - +1: sf, rpluem, wrowe - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/aaa/mod_authnz_ldap.c b/modules/aaa/mod_authnz_ldap.c index bb08d20f406..037bbcffdab 100644 --- a/modules/aaa/mod_authnz_ldap.c +++ b/modules/aaa/mod_authnz_ldap.c 
@@ -154,6 +154,29 @@ static apr_xlate_t* get_conv_set (request_rec *r) } +static const char* authn_ldap_xlate_password(request_rec *r, + const char* sent_password) +{ + apr_xlate_t *convset = NULL; + apr_size_t inbytes; + apr_size_t outbytes; + char *outbuf; + + if (charset_conversions && (convset = get_conv_set(r)) ) { + inbytes = strlen(sent_password); + outbytes = (inbytes+1)*3; + outbuf = apr_pcalloc(r->pool, outbytes); + + /* Convert the password to UTF-8. */ + if (apr_xlate_conv_buffer(convset, sent_password, &inbytes, outbuf, + &outbytes) == APR_SUCCESS) + return outbuf; + } + + return sent_password; +} + + /* * Build the search filter, or at least as much of the search filter that * will fit in the buffer. We don't worry about the buffer not being able @@ -344,6 +367,7 @@ static authn_status authn_ldap_check_password(request_rec *r, const char *user, int result = 0; int remote_user_attribute_set = 0; const char *dn = NULL; + const char *utfpassword; authn_ldap_request_t *req = (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t)); @@ -397,9 +421,13 @@ start_over: /* build the username filter */ authn_ldap_build_filter(filtbuf, r, user, NULL, sec); + /* convert password to utf-8 */ + utfpassword = authn_ldap_xlate_password(r, password); + /* do the user search */ result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, - sec->attributes, filtbuf, password, &dn, &vals); + sec->attributes, filtbuf, utfpassword, + &dn, &vals); util_ldap_connection_close(ldc); /* sanity check - if server is down, retry it up to 5 times */
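Review bot: In `authn_ldap_xlate_password` a failed conversion is swallowed: when `apr_xlate_conv_buffer` returns anything other than `APR_SUCCESS`, the helper discards the status and returns the unconverted `sent_password`. The later bind then uses bytes in the client charset, and the resulting login failure leaves no trace in the error log. Keep the status in an `apr_status_t` and log it before falling back, logging the status only and never the password. The success path also relies on the `(inbytes+1)*3` sizing plus the `apr_pcalloc` zero-fill for NUL termination; checking that `outbytes` is still non-zero after the call makes that explicit. `strlen(sent_password)` assumes the caller has already rejected a NULL password, which is not visible in this hunk.

```c
    apr_status_t rv;

    if (charset_conversions && (convset = get_conv_set(r)) ) {
        /* … unchanged: inbytes/outbytes sizing and apr_pcalloc of outbuf … */

        /* Convert the password to UTF-8. */
        rv = apr_xlate_conv_buffer(convset, sent_password, &inbytes, outbuf,
                                   &outbytes);
        /* outbytes now holds the space left; keep room for the terminator */
        if (rv == APR_SUCCESS && outbytes > 0) {
            return outbuf;
        }

        /* Record why the fallback happened; never log the password bytes. */
        ap_log_rerror(APLOG_MARK, APLOG_WARNING, rv, r,
                      "auth_ldap authenticate: password charset conversion "
                      "failed, using password as sent");
    }
```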
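Review bot: The conversion added after `/* build the username filter */` sits below the `start_over:` label, so it may run once per retry. If the retry path mentioned in the trailing comment jumps back to that label (the jump is outside this hunk), each retry allocates another `(inbytes+1)*3` buffer from `r->pool` and leaves one more plaintext copy of the password there. Converting once is enough: initialise the new local as `const char *utfpassword = NULL;` and guard the call with `if (utfpassword == NULL) utfpassword = authn_ldap_xlate_password(r, password);`. `authn_ldap_check_password` starts and ends outside the hunk.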