[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] Apache w/o authentication + AuthzForceUsernameCase crashes Apache

From: <roderich.schupp_at_googlemail.com>
Date: Fri, 22 Jul 2011 04:17:54 -0700 (PDT)


if you have an Apache configuration that doesn't request
but still uses AuthzForceUsernameCase, this will crash Apache on each

<Location /svn/no-auth>
    DAV svn
    SVNPath /repos/no-auth
    AuthzSVNAccessFile /admin/no-auth.txt
    AuthzForceUsernameCase lower

(and no "require ..." stuff in any enclosing Location either).
I know, it's a silly configuration - I stumbled upon it by accident.

Reason is that get_username_to_authorize() tries to lowercase a NULL r-
>user string.
Suggested patch (against 1.7.0-beta1, but that code hasn't changed in
a long time):

--- subversion/mod_authz_svn/mod_authz_svn.c.orig 2011-07-21
16:00:39.663920000 +0200
+++ subversion/mod_authz_svn/mod_authz_svn.c 2011-07-21
16:00:55.006891000 +0200
@@ -245,7 +245,7 @@
 get_username_to_authorize(request_rec *r, authz_svn_config_rec *conf)
   char *username_to_authorize = r->user;
- if (conf->force_username_case)
+ if (username_to_authorize && conf->force_username_case)
       username_to_authorize = apr_pstrdup(r->pool, r->user);

Cheers, Roderich
Received on 2011-07-22 13:18:37 CEST

This is an archived mail posted to the Subversion Dev mailing list.