brian 96/06/30 15:36:59
Modified: src mod_auth_msql.c Log: Submitted by: "Dirk.vanGulik" <[EMAIL PROTECTED]> Updated module from Dirk - more backwards-Vitek-compatibility issues addressed. Revision Changes Path 1.9 +25 -19 apache/src/mod_auth_msql.c Index: mod_auth_msql.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_auth_msql.c,v retrieving revision 1.8 retrieving revision 1.9 diff -C3 -r1.8 -r1.9 *** mod_auth_msql.c 1996/06/17 20:52:05 1.8 --- mod_auth_msql.c 1996/06/30 22:36:57 1.9 *************** *** 284,289 **** --- 284,295 ---- * Replaced some MAX_STRING_LENGTH claims. * 1.0 removed some error check as they where already done elsehwere * NumFields -> NumRows (Thanks Vitek). More stack memory. + * 1.1 no logging of empty password strings. + * 1.2 Problem with the Backward vitek which cause it to check + * even if msql_auth was not configured; Also more carefull + * with the authorative stuff; caught by [EMAIL PROTECTED] + * 1.3 Even more changes to get it right; that BACKWARD thing was a bad + * idea. */ *************** *** 392,400 **** #include "http_log.h" #include "http_protocol.h" #include <msql.h> - #ifdef HAVE_CRYPT_H #include <crypt.h> - #endif typedef struct { --- 398,404 ---- *************** *** 778,788 **** * We do not check on dbase, group, userid or host name, as it is * perfectly possible to only do group control with mSQL and leave * user control to the next (dbm) guy in line. */ ! if ( ! (!sec->auth_msql_pwd_table) && ! (!sec->auth_msql_pwd_field) ! ) return DECLINED; if(!(real_pw = get_msql_pw(r, c->user, sec,msql_errstr ))) { if ( msql_errstr[0] ) { --- 782,791 ---- * We do not check on dbase, group, userid or host name, as it is * perfectly possible to only do group control with mSQL and leave * user control to the next (dbm) guy in line. + * We no longer check on the user field name; to avoid problems + * with Backward VITEK. */ ! 
if (!sec->auth_msql_pwd_table) return DECLINED; if(!(real_pw = get_msql_pw(r, c->user, sec,msql_errstr ))) { if ( msql_errstr[0] ) { *************** *** 809,816 **** --- 812,821 ---- */ if ((sec->auth_msql_nopasswd) && (!strlen(real_pw))) { + /* sprintf(msql_errstr,"mSQL: user %s: Empty/'any' password accepted",c->user); log_reason (msql_errstr, r->uri, r); + */ return OK; }; *************** *** 862,867 **** --- 867,875 ---- char *t, *w; msql_errstr[0]='\0'; + /* If we are not configured, ignore */ + if (!sec->auth_msql_pwd_table) return DECLINED; + if (!reqs_arr) { if (sec->auth_msql_authorative) { sprintf(msql_errstr,"user %s denied, no access rules specified (MSQL-Authorative) ",user); *************** *** 929,953 **** }; } ! /* we do not have to check the valid-ness of the group result as ! * have not (yet) a 'valid-group' token */ ! if ( (user_result != OK) && (sec->auth_msql_authorative) ) { ! sprintf(msql_errstr,"User %s denied, no access rules applied (MSQL-Authorative) ",user); log_reason (msql_errstr, r->uri, r); - note_basic_auth_failure(r); return AUTH_REQUIRED; }; ! /* if the user is DECLINED, it is up to the group_result to tip ! * the balance. But if the group result is AUTH_REQUIRED it should ! * always override. A SERVER_ERROR should not get here. ! */ ! if ( (user_result == DECLINED) || (group_result == AUTH_REQUIRED)) ! return group_result; ! ! return user_result; } --- 937,959 ---- }; } ! /* Get serious if we are authorative, previous ! * returns are only if msql yielded a correct result. ! * This really is not needed. */ ! if (((group_result == AUTH_REQUIRED) || (user_result == AUTH_REQUIRED)) && (sec->auth_msql_authorative) ) { ! sprintf(msql_errstr,"mSQL-Authorative: Access denied on %s %s rule(s) ", ! (group_result == AUTH_REQUIRED) ? "USER" : "", ! (user_result == AUTH_REQUIRED) ? "GROUP" : "" ! ); log_reason (msql_errstr, r->uri, r); return AUTH_REQUIRED; }; + if ( (user_result == OK) || (group_result == OK)) + return OK; ! 
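Review bot: The comment added in the 782-791 hunk says the check on the "user field name" was dropped, but the condition that was removed tested `sec->auth_msql_pwd_field`, so the comment should name the password field instead. With the new guard `if (!sec->auth_msql_pwd_table) return DECLINED;`, a configuration that sets the table but no password field still reaches `get_msql_pw()`, as it already did under the old `&&` test. That helper is outside the hunk, so it is worth confirming that it fails closed on a NULL field name rather than building a query from it.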
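Review bot: Commenting out the `sprintf`/`log_reason` pair in the 812-821 hunk means a request accepted through `auth_msql_nopasswd` with an empty stored password now returns `OK` with no log record at all, which removes the only trace of password-less access. If the goal is only to cut log noise, delete the two lines rather than leaving dead code in a comment and say so in place, e.g. `/* empty stored password accepted (auth_msql_nopasswd); deliberately not logged */`. If an audit record is still wanted, keep one entry and bound the write into `msql_errstr`, whose size is not visible in this hunk.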
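Review bot: The new early return `if (!sec->auth_msql_pwd_table) return DECLINED;` in the 867-875 hunk keys the access check on the password table alone, while the comment in the authentication hunk above states that doing only group control with mSQL is a supported setup. In such a group-only configuration this guard appears to decline before any group rule is evaluated, so the mSQL group restriction would not be applied by this module even when `auth_msql_authorative` is set. The rest of the function and the name of the group-table field are outside the hunk, so this needs confirming; if it holds, the guard should decline only when neither the password table nor the group table is configured.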
return DECLINED; }
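Review bot: The labels in the new denial message are swapped: `(group_result == AUTH_REQUIRED) ? "USER" : ""` and `(user_result == AUTH_REQUIRED) ? "GROUP" : ""` log USER for a group failure and GROUP for a user failure, so the record misstates which rule denied access; the two strings should be exchanged. The change also drops `note_basic_auth_failure(r)` before `return AUTH_REQUIRED`, so this path may answer without a Basic challenge unless code outside the hunk sets it, which is worth confirming as intended. The closing `if ( (user_result == OK) || (group_result == OK)) return OK;` grants access in the non-authoritative case even when the other result is AUTH_REQUIRED; the loop that sets both results is outside the hunk, so a one-line comment stating that this is the intended rule would help the next reader.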