
[auth] Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround, add fastcgi test case (fixes #889)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2833 152afb58-edef-0310-8abb-c4023f1b3aa9
svn/tags/lighttpd-1.4.31
Stefan Bühler 10 years ago
parent
commit
7187271fb6
  1. 1
      NEWS
  2. 14
      src/mod_auth.c
  3. 29
      src/mod_fastcgi.c
  4. 13
      tests/lighttpd.conf
  5. 22
      tests/mod-fastcgi.t

1
NEWS

@ -12,6 +12,7 @@ NEWS
* Fix handling of empty header list entries in http_request_split_value, fixing invalid read in valgrind (fixes #2413)
* Fix access log escaping of " and \\ (fixes #1551)
* [mod_auth] Fix digest "md5-sess" implementation (Errata ID 1649, RFC 2617) (fixes #2410)
* [auth] Add "AUTH_TYPE" environment (for *cgi), remove fastcgi specific workaround, add fastcgi test case (fixes #889)
- 1.4.30 - 2011-12-18
* Always use our 'own' md5 implementation, fixes linking issues on MacOS (fixes #2331)

14
src/mod_auth.c

@ -181,6 +181,7 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
size_t k;
int auth_required = 0, auth_satisfied = 0;
char *http_authorization = NULL;
const char *auth_type = NULL;
data_string *ds;
mod_auth_plugin_data *p = p_d;
array *req;
@ -245,12 +246,14 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
if ((auth_type_len == 5) &&
(0 == strncasecmp(http_authorization, "Basic", auth_type_len))) {
auth_type = "Basic";
if (0 == strcmp(method->value->ptr, "basic")) {
auth_satisfied = http_auth_basic_check(srv, con, p, req, con->uri.path, auth_realm+1);
}
} else if ((auth_type_len == 6) &&
(0 == strncasecmp(http_authorization, "Digest", auth_type_len))) {
auth_type = "Digest";
if (0 == strcmp(method->value->ptr, "digest")) {
if (-1 == (auth_satisfied = http_auth_digest_check(srv, con, p, req, con->uri.path, auth_realm+1))) {
con->http_status = 400;
@ -302,6 +305,17 @@ static handler_t mod_auth_uri_handler(server *srv, connection *con, void *p_d) {
/* the REMOTE_USER header */
buffer_copy_string_buffer(con->authed_user, p->auth_user);
/* AUTH_TYPE environment */
if (NULL == (ds = (data_string *)array_get_unused_element(con->environment, TYPE_STRING))) {
ds = data_string_init();
}
buffer_copy_string(ds->key, "AUTH_TYPE");
buffer_copy_string(ds->value, auth_type);
array_insert_unique(con->environment, (data_unset *)ds);
}
return HANDLER_GO_ON;
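Review bot: `buffer_copy_string(ds->value, auth_type);` in the new AUTH_TYPE block depends on `auth_type` having been assigned, but it is initialised to NULL and set only inside the Basic and Digest branches, and nothing at the point of use states or checks that. The function starts and ends outside these hunks, so presumably this path is reached only after one of the scheme checks set `auth_satisfied`. Since a CGI/FastCGI backend may base access decisions on AUTH_TYPE, make the invariant explicit: guard the insert with `if (NULL != auth_type) { ... }`, or add `/* auth_type is non-NULL here: auth_satisfied is only set after a scheme matched */`. It is also worth confirming how `array_insert_unique` treats an AUTH_TYPE key already present in `con->environment` (for example if this handler runs more than once for a request); if it merges rather than replaces, the backend would see a combined value.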

29
src/mod_fastcgi.c

@ -1910,36 +1910,7 @@ static int fcgi_create_env(server *srv, handler_ctx *hctx, size_t request_id) {
FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_ADDR"), s, strlen(s)),con)
if (!buffer_is_empty(con->authed_user)) {
/* AUTH_TYPE fix by Troy Kruthoff (tkruthoff@gmail.com)
* section 4.1.1 of RFC 3875 (cgi spec) requires the server to set a AUTH_TYPE env
* declaring the type of authentication used. (see http://tools.ietf.org/html/rfc3875#page-11)
*
* I copied this code from mod_auth.c where it extracts auth info from the "Authorization"
* header to authenticate the user before allowing the request to proceed. I'm guessing it makes
* sense to re-parse the header here, as mod_auth is unaware if the request is headed for cgi/fcgi.
* Someone more familiar with the lighty internals should be able to quickly determine if we are
* better storing AUTH_TYPE on the initial parse in mod_auth.
*/
char *http_authorization = NULL;
data_string *ds;
FCGI_ENV_ADD_CHECK(fcgi_env_add(p->fcgi_env, CONST_STR_LEN("REMOTE_USER"), CONST_BUF_LEN(con->authed_user)),con)
if (NULL != (ds = (data_string *)array_get_element(con->request.headers, "Authorization"))) {
http_authorization = ds->value->ptr;
}
if (ds && ds->value && ds->value->used) {
char *auth_realm;
if (NULL != (auth_realm = strchr(http_authorization, ' '))) {
int auth_type_len = auth_realm - http_authorization;
if ((auth_type_len == 5) && (0 == strncmp(http_authorization, "Basic", auth_type_len))) {
fcgi_env_add(p->fcgi_env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Basic"));
} else if ((auth_type_len == 6) && (0 == strncmp(http_authorization, "Digest", auth_type_len))) {
fcgi_env_add(p->fcgi_env, CONST_STR_LEN("AUTH_TYPE"), CONST_STR_LEN("Digest"));
}
}
}
}
if (con->request.content_length > 0 && host->mode != FCGI_AUTHORIZER) {

13
tests/lighttpd.conf

@ -175,6 +175,19 @@ $HTTP["host"] !~ "(no-simple\.example\.org)" {
simple-vhost.default-host = "www.example.org"
}
$HTTP["host"] == "auth.example.org" {
server.document-root = env.SRCDIR + "/tmp/lighttpd/servers/www.example.org/pages/"
server.name = "auth.example.org"
auth.backend = "htpasswd"
auth.require = ( "" =>
(
"method" => "basic",
"realm" => "download archiv",
"require" => "valid-user"
)
)
}
$HTTP["host"] =~ "(vvv).example.org" {
url.redirect = ( "^/redirect/$" => "http://localhost:2048/" )
}

22
tests/mod-fastcgi.t

@ -7,7 +7,7 @@ BEGIN {
}
use strict;
use Test::More tests => 56;
use Test::More tests => 58;
use LightyTest;
my $tf = LightyTest->new();
@ -25,7 +25,7 @@ SKIP: {
}
SKIP: {
skip "no PHP running on port 1026", 33 unless $tf->listening_on(1026);
skip "no PHP running on port 1026", 35 unless $tf->listening_on(1026);
ok($tf->start_proc == 0, "Starting lighttpd") or goto cleanup;
@ -188,6 +188,24 @@ EOF
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'Content-Length' => 4348 } ];
ok($tf->handle_http($t) == 0, 'X-Sendfile2');
$t->{REQUEST} = ( <<EOF
GET /get-server-env.php?env=REMOTE_USER HTTP/1.0
Host: auth.example.org
Authorization: Basic ZGVzOmRlcw==
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'des' } ];
ok($tf->handle_http($t) == 0, '$_SERVER["REMOTE_USER"]');
$t->{REQUEST} = ( <<EOF
GET /get-server-env.php?env=AUTH_TYPE HTTP/1.0
Host: auth.example.org
Authorization: Basic ZGVzOmRlcw==
EOF
);
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'Basic' } ];
ok($tf->handle_http($t) == 0, '$_SERVER["AUTH_TYPE"]');
ok($tf->stop_proc == 0, "Stopping lighttpd");
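Review bot: The two added checks cover only a correctly capitalised `Basic` scheme, so they do not pin the behaviour this commit actually changes. The removed mod_fastcgi code compared the scheme with `strncmp`, while mod_auth uses `strncasecmp` and stores the literal "Basic", so a request sent with `Authorization: basic ...` should now yield AUTH_TYPE `Basic` where the old code set nothing. A third case along the lines below would catch a regression. It needs the plan raised to 59 and the skip count to 36, and a Digest counterpart would be useful if the test config has a digest-protected host (not visible here).

```perl
# … unchanged: REMOTE_USER and AUTH_TYPE checks with "Basic" …
$t->{REQUEST}  = ( <<EOF
GET /get-server-env.php?env=AUTH_TYPE HTTP/1.0
Host: auth.example.org
Authorization: basic ZGVzOmRlcw==
EOF
 );
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => 'Basic' } ];
ok($tf->handle_http($t) == 0, '$_SERVER["AUTH_TYPE"] is canonical for a lower-case scheme');
```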
