>Number:         2924
>Category:       mod_auth-any
>Synopsis:       segfault due to collaboration of mod_dir, mod_auth, mod_perl, and AuthenDBI
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Aug 29 05:20:00 PDT 1998
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.3.1
>Environment:
Solaris 2.6 x86 (105182-06), gcc version egcs-2.90.29 980515 (egcs-1.0.3 release), mod_perl 1.15, ApacheDBI 0.80

>Description:
The docroot contains a directory auth-required that is protected by:

    AuthType Basic
    PerlAuthenHandler Apache::AuthenDBI

Because the docroot contains no index.html, mod_dir is used to provide an index page. Doing so, it calls for authorisation on auth-required even though that directory is not accessed, only listed (this might also be a bug, dunno).
Unless AuthenDBI is used, this works OK. With AuthenDBI, the Apache process segfaults like this:

Program received signal SIGSEGV, Segmentation fault.
0xdfeec75c in strcmp ()
(gdb) where
#0  0xdfeec75c in strcmp ()
#1  0x80a3eba in check_user_access (r=0x82f8038) at mod_auth.c:279
#2  0x80a99ac in run_method (r=0x82f8038, offset=8, run_all=0) at http_config.c:357
#3  0x80a9bac in ap_check_auth (r=0x82f8038) at http_config.c:414
#4  0x80bdd69 in ap_sub_req_lookup_file (new_file=0x821b856 "auth-required", r=0x82f4038)
    at http_request.c:840
#5  0x809b96d in make_autoindex_entry (name=0x821b856 "auth-required", autoindex_opts=7,
    d=0x81ed830, r=0x82f4038, keyid=78 'N', direction=65 'A') at mod_autoindex.c:754
#6  0x809c9a4 in index_directory (r=0x82f4038, autoindex_conf=0x81ed830) at mod_autoindex.c:1158
#7  0x809cc06 in handle_autoindex (r=0x82f4038) at mod_autoindex.c:1223
#8  0x80a9f23 in ap_invoke_handler (r=0x82f4038) at http_config.c:505
#9  0x80be975 in process_request_internal (r=0x82f4038) at http_request.c:1174
#10 0x80be9cf in ap_process_request (r=0x82f4038) at http_request.c:1191
#11 0x80b5d9d in child_main (child_num_arg=0) at http_main.c:3665
#12 0x80b5f54 in make_child (s=0x81ec838, slot=0, now=904201492) at http_main.c:3738
#13 0x80b60e3 in startup_children (number_to_start=1) at http_main.c:3812
#14 0x80b6760 in standalone_main (argc=4, argv=0x8046f14) at http_main.c:4090
#15 0x80b6f8b in main (argc=4, argv=0x8046f14) at http_main.c:4367
(gdb) up
#1  0x80a3eba in check_user_access (r=0x82f8038) at mod_auth.c:279
279             if (!strcmp(user, w))
(gdb) p user
$1 = 0x0
(gdb) p w
$2 = 0x82f89d0 "lupe"

This is because AuthenDBI does not do authorisation for auth-required and returns like this:

    return OK unless $r->is_initial_req; # only the first internal request

mod_auth gets handed a NULL pointer, and crashes.

More details available on request.

>How-To-Repeat:
Install mod_perl 1.15 and ApacheDBI 0.80, plus some database, plus DBI, plus DBD::<whatever>.
This is the config fragment:

<Directory /sw/www-turkey/auth-required>
    order deny,allow
    deny from all
    allow from alanya.m.isar.de
    allow from 192.168.0.1
    allow from localhost
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    Options Indexes FollowSymLinks ExecCGI
    AllowOverride AuthConfig
    <Limit GET POST>
        AuthType Basic
        AuthName Turkey
        PerlAuthenHandler Apache::AuthenDBI
        PerlSetVar Auth_DBI_data_source DBI:mysql:www
        PerlSetVar Auth_DBI_username auth
        PerlSetVar Auth_DBI_password auth
        PerlSetVar Auth_DBI_pwd_table auth
        PerlSetVar Auth_DBI_uid_field name
        PerlSetVar Auth_DBI_pwd_field pw
        require user lupe
    </Limit>
</Directory>

>Fix:
I have asked Doug MacEachern and the mod_perl list first. This is what Doug said:

    ouch, something should be fixed in mod_auth.c

Either mod_dir should not try to authenticate (even with mod_auth, the user is not required to authenticate; it just returns somehow), or mod_auth should check for NULL pointers.

>Audit-Trail:
>Unformatted:
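
The second option under >Fix (a NULL check before the strcmp in the authorization step), as an added example that is not part of the original report and is not Apache's mod_auth code. It is a self-contained model: the struct, the MODEL_* codes, the function names and the choice to deny when no user is set are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Status codes and struct are constructed for this model, not Apache's. */
enum { MODEL_OK = 0, MODEL_DECLINED = -1, MODEL_AUTH_REQUIRED = 401 };
struct model_request {
    int is_initial_req;           /* 0 for an internal sub-request */
    const char *user;             /* set by the authentication phase, else NULL */
    const char *const *required;  /* NULL-terminated "require user" list */
};

/* Constructed from the report's "require user lupe" line. */
static const char *const REQUIRE_LUPE[] = { "lupe", NULL };

/* Authentication phase modelled on the handler behaviour quoted in the
 * report: a sub-request gets OK without the user ever being filled in. */
static int authen_skip_subrequests(struct model_request *r, const char *supplied)
{
    if (r->is_initial_req)
        r->user = supplied;
    return MODEL_OK;
}

/* Authorization phase with the guard. The unguarded form calls
 * strcmp(user, w) directly, which is the faulting frame in the trace. */
static int check_user_access_guarded(const struct model_request *r)
{
    const char *const *w;
    if (r->required == NULL)
        return MODEL_DECLINED;        /* no require line: not our decision */
    if (r->user == NULL)
        return MODEL_AUTH_REQUIRED;   /* assumption: fail closed, do not crash */
    for (w = r->required; *w != NULL; ++w)
        if (strcmp(r->user, *w) == 0)
            return MODEL_OK;
    return MODEL_AUTH_REQUIRED;
}

int run_auth_phases(int initial, const char *supplied, const char *const *required)
{
    struct model_request r = { initial, NULL, required };
    int rc = authen_skip_subrequests(&r, supplied);
    return rc != MODEL_OK ? rc : check_user_access_guarded(&r);
}

int main(void)
{
    printf("initial=%d subrequest=%d\n", run_auth_phases(1, "lupe", REQUIRE_LUPE),
           run_auth_phases(0, "lupe", REQUIRE_LUPE));
    return 0;
}
```

With the guard in place the sub-request path is refused instead of dereferencing NULL; whether a listing sub-request should be refused or skipped is the other question the report raises and is not settled here.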