From: Sander Striker Date: Fri, 8 Aug 2003 09:37:54 +0000 (+0000) Subject: Backports: X-Git-Tag: 2.0.48~144 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=75a249a245aaa7fb5f642d3a9042b0e5284e2dcb;p=thirdparty%2Fapache%2Fhttpd.git Backports: * mod_ssl: Fix FakeBasicAuth for subrequests, by declining check_user_id. Otherwise it would run into the check that was to protect from externally fabricated Authorization headers, which would choke on the one added by mod_ssl itself. * mod_ssl: Add error msg for the case when FakeBasicAuth is tried to be tricked. IOW, when someone tries to spoof his identity. Reviewed by: Jeff Trawick, Greg Stein git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@100942 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 7a7c65d651a..f60f944b057 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,9 @@ Changes with Apache 2.0.48 + *) mod_ssl: Fix FakeBasicAuth for subrequest. Log an error when an + identity spoof is encountered. + [Sander Striker] + *) mod_rewrite: Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. [André Malo] diff --git a/STATUS b/STATUS index 7a3a0eab612..7646dd3a5d1 100644 --- a/STATUS +++ b/STATUS @@ -1,5 +1,5 @@ APACHE 2.0 STATUS: -*-text-*- -Last modified at [$Date: 2003/08/08 07:38:39 $] +Last modified at [$Date: 2003/08/08 09:37:53 $] Release: 
@@ -293,18 +293,6 @@ PATCHES TO PORT FROM 2.1 +1: nd, trawick (gstein likes the concept, but needs to review...) - * mod_ssl: Fix FakeBasicAuth for subrequests, by declining check_user_id. - Otherwise it would run into the check that was to protect from externally - fabricated Authorization headers, which would choke on the one added - by mod_ssl itself. - modules/ssl/ssl_engine_kernel.c: r1.97 - +1: striker, trawick, gstein - - * mod_ssl: Add error msg for the case when FakeBasicAuth is tried to be - tricked. IOW, when someone tries to spoof his identity. - modules/ssl/ssl_engine_kernel.c: r1.98 - +1: striker, gstein, trawick - * fix extern "C" declaration of util_ebcdic.h. PR: 22203 include/util_ebcdic.h: r1.15 +1: nd, trawick diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 2d628b85298..76154dcc768 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -839,6 +839,14 @@ int ssl_hook_UserCheck(request_rec *r) return HTTP_FORBIDDEN; } + /* + * We decline when we are in a subrequest. The Authorization header + * would already be present if it was added in the main request. + */ + if (!ap_is_initial_req(r)) { + return DECLINED; + } + /* * Make sure the user is not able to fake the client certificate * based authentication by just entering an X.509 Subject DN @@ -856,6 +864,8 @@ int ssl_hook_UserCheck(request_rec *r) password = auth_line; if ((username[0] == '/') && strEQ(password, "password")) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Encountered FakeBasicAuth spoof: %s", username); return HTTP_FORBIDDEN; } }
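Review bot: the CHANGES entry says "Fix FakeBasicAuth for subrequest" while the commit message and the two STATUS items it removes say "subrequests"; align the wording, and consider naming the trunk revisions being backported (r1.97 and r1.98 of modules/ssl/ssl_engine_kernel.c, as listed in the removed STATUS entries) so the entry can be traced the way neighbouring entries cite their PR numbers.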
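Review bot: in the first ssl_engine_kernel.c hunk the new early `return DECLINED;` keys on `ap_is_initial_req(r)`, which is false for internal redirects as well as for subrequests, but the comment above it only describes the subrequest case ("The Authorization header would already be present if it was added in the main request"). On an internal redirect the earlier request need not have reached this hook at all (a location that required no authentication, for instance), so no fake Authorization header would exist and mod_ssl would still decline, leaving the downstream auth modules without a user. Either narrow the shortcut to real subrequests (`r->main != NULL`) or extend the comment to state that internal redirects are deliberately covered and why that is safe.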
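Review bot: in the second ssl_engine_kernel.c hunk the username written with `"Encountered FakeBasicAuth spoof: %s"` is client-supplied (it is parsed from the same Authorization line that `password = auth_line;` points into), so the log line is a good detection signal but should state the outcome, e.g. "Rejected FakeBasicAuth spoof attempt for user: %s", so that an operator can see the request was refused rather than accepted. Since any client can trigger this line at will and the condition is fully handled by the `return HTTP_FORBIDDEN;` that follows, APLOG_WARNING may fit better than APLOG_ERR; ap_log_rerror already adds the client address, so no extra context is needed in the format string.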