[PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache

From: <roderich.schupp_at_googlemail.com>
Date: Fri, 22 Jul 2011 04:17:54 -0700 (PDT)

Hi,

if you have an Apache configuration that doesn't request
authentication,
but still uses AuthzForceUsernameCase, this will crash Apache on each
request:

<Location /svn/no-auth>
    DAV svn
    SVNPath /repos/no-auth
    AuthzSVNAccessFile /admin/no-auth.txt
    AuthzForceUsernameCase lower
</Location>

(and no "require ..." stuff in any enclosing Location either).
I know, it's a silly configuration - I stumbled upon it by accident.

Reason is that get_username_to_authorize() tries to lowercase a NULL r-
>user string.
Suggested patch (against 1.7.0-beta1, but that code hasn't changed in
a long time):

--- subversion/mod_authz_svn/mod_authz_svn.c.orig 2011-07-21
16:00:39.663920000 +0200
+++ subversion/mod_authz_svn/mod_authz_svn.c 2011-07-21
16:00:55.006891000 +0200
@@ -245,7 +245,7 @@
get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf)
{
   char *username_to_authorize = r->user;
- if (conf->force_username_case)
+ if (username_to_authorize && conf->force_username_case)
     {
       username_to_authorize = apr_pstrdup(r->pool, r->user);
       convert_case(username_to_authorize,

Cheers, Roderich
Received on 2011-07-22 13:18:37 CEST

This message: [ Message body ]
Next message: Philip Martin: "Re: [PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache"
Previous message: Stefan Sperling: "Re: svn commit: r1149543 - /subversion/trunk/subversion/libsvn_client/mergeinfo.c"
Next in thread: Philip Martin: "Re: [PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache"
Reply: Philip Martin: "Re: [PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]