Customizing mod_include -- Print virtual or file attribute in handle_include method
Apache Development Gurus:
I've worked with Apache for awhile now, but this is my first time tinkering
with the source code for one of its modules. I'd like to alter mod_include
to print out as a HTML comment all server side include references. My
apologies if this is a trivial matter.
For instance, if an HTML page has an SSI:
Mod_include outputs the content of /foo/bar.html:
(Content from /foo/bar.html)
I'd like to tweak mod_include to also output the fragment path:
(Content from /foo/bar.html)
I've been able to successfully print out the include path *after* the filter
has processed the SSI, but I'd like to add a comment before processing of
the SSI.Here's a snippet of the handle_include method from mod_include.c
that I've changed:
//..etc..
parsed_string = ap_ssi_parse_string(ctx, tag_val, NULL, 0,
SSI_EXPAND_DROP_NAME);
//New code
APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pool_create(, strlen(' --),
ctx-pool, f-c-bucket_alloc));
//End new code
//Original source code -- continues to process include
if (tag[0] == 'f') {
char *newpath;
apr_status_t rv;
/* be safe; only files in this directory or below allowed */
rv = apr_filepath_merge(newpath, NULL, parsed_string,
APR_FILEPATH_SECUREROOTTEST |
APR_FILEPATH_NOTABSOLUTE, ctx-dpool);
if (rv != APR_SUCCESS) {
error_fmt = unable to include file \%s\ in parsed file
%s;
}
else {
rr = ap_sub_req_lookup_file(newpath, r, f-next);
}
}
else {
rr = ap_sub_req_lookup_uri(parsed_string, r, f-next);
}
//etc...
The modifications above will print the fragment path after the SSI content:
(Content from /foo/bar.html)
What updates do I need to make to this code to force the fragment path to be
printed before the SSI content:
(Content from /foo/bar.html)
Any guidance on this matter would be greatly appreciated. Thanks,
Travis
--
View this message in context:
http://old.nabble.com/Customizing-mod_includePrint-%22virtual%22-or-%22file%22-attribute-in-handle_include-method-tp29671909p29671909.html
Sent from the Apache HTTP Server - Module Writers mailing list archive at
Nabble.com.
Customizing mod_include -- Print virtual or file attribute in handle_include method
Apache Development Gurus:
I've worked with Apache for awhile now, but this is my first time tinkering
with
the source code for one of its modules. I'd like to alter mod_include to
print
out as a HTML comment all server side include references. My apologies if
this
is a trivial matter.
For instance, if an HTML page has an SSI:
body
!--#include virtual=”/foo/bar.html” --
/body
Mod_include outputs the content of /foo/bar.html:
body
(Content from /foo/bar.html)
/body
I'd like to tweak mod_include to also output the fragment path:
body
!—fragment=”/foo/bar.html” --
(Content from /foo/bar.html)/body
I've been able to successfully print out the include path *after* the filter
has
processed the SSI, but I'd like to add a comment before processing of the SSI.
Here's a snippet of the handle_include method from mod_include.c that I've
changed:
//..etc..
parsed_string = ap_ssi_parse_string(ctx, tag_val, NULL, 0,
SSI_EXPAND_DROP_NAME);
//New code
APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pool_create(!-- fragment=',
strlen(!-- fragment='),
ctx-pool, f-c-bucket_alloc));
APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pool_create(parsed_string,
strlen(parsed_string),
ctx-pool, f-c-bucket_alloc));
APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pool_create(' --, strlen(' --),
ctx-pool, f-c-bucket_alloc));
//End new code
//Original source code -- continues to process include
if (tag[0] == 'f') {
char *newpath;
apr_status_t rv;
/* be safe; only files in this directory or below allowed */
rv = apr_filepath_merge(newpath, NULL, parsed_string,
APR_FILEPATH_SECUREROOTTEST |
APR_FILEPATH_NOTABSOLUTE, ctx-dpool);
if (rv != APR_SUCCESS) {
error_fmt = unable to include file \%s\ in parsed file %s;
}
else {
rr = ap_sub_req_lookup_file(newpath, r, f-next);
}
}
else {
rr = ap_sub_req_lookup_uri(parsed_string, r, f-next);
}
//etc...
The modifications above will print the fragment path after the SSI content:
body
(Content from /foo/bar.html)
!—fragment=”/foo/bar.html” --
/body
What updates do I need to make to this code to force the fragment path to be
printed before the SSI content:
body
!—fragment=”/foo/bar.html” --
(Content from /foo/bar.html)
/body
Any guidance on this matter would be greatly appreciated. Thanks,
Travis
RE: Fake Basic Authentication
-Original Message- From: Nick Kew Sent: Donnerstag, 9. September 2010 01:01 To: dev@httpd.apache.org Subject: Fake Basic Authentication Someone asked on IRC today about seemlessly mixing SSL Client authentication (FakeBasicAuth) with normal basic authn. As I understood it, users without a client cert should authenticate, but those with one would be spared the authn dialogue. You confuse me. Doesn't this already work with Basic Auth if the user that presents the certificate is registered in the Authn provider with the password 'password'? Of course this also means that if someone knows the username in the certificate of one of the users he can log in WITHOUT certificate using the username and 'password' (provided that client certs are not mandatory of course). Maybe it would be helpful to post an example configuration snippet to be sure that we are really talking about the same thing. A quick look at mod_ssl reveals that FakeBasicAuth sets r-user in an Access hook, so it's set before authn. So what the user In the case that FakeBasicAuth is turned on r-user is not set by mod_ssl. In this case it only adds a fake Basic auth header to r-headers_in in ssl_hook_UserCheck (which is the same hook that mod_auth_basic runs in but earlier) and leaves the job of setting r-user to mod_auth_basic. Regards Rüdiger
suEXEC - chroot PATCH
Hi all,
I run Apache with ChrootDir option, and would like to use FastCGI
instead of mod_php.
But FastCGI forks the process before the chroot, so php scripts would
run outside the chroot.
Despite the note on the documentation about not altering suexec, I've
successfully solved my problem with a very small patch.
On my system,it works as intended and processes are correctly chrooted
(checked with lsof) and run with correct uid.
Does it create more security problems than it can solve? Do you suggest
to keep it or remove it from my system?
Can it become useful for others?
I know that's a very raw solution.
Massimo Maggi
Inline patch:
--- suexec-orig/suexec.c2010-09-09 14:11:44.0 +0200
+++ suexec-mod/suexec.c 2010-09-09 14:14:01.0 +0200
@@ -465,7 +465,15 @@
log_err(cannot run as forbidden gid (%d/%s)\n, gid, cmd);
exit(108);
}
+getcwd(cwd, AP_MAXPATH);
+if(chroot(DIR_CHROOT)!=0){
+log_err(chroot failed!\n);
+exit(208);
+};
+chdir(cwd);
/*
* Change UID/GID here so that the following tests work over NFS.
*
diff -ruN suexec-orig/suexec.h suexec-mod/suexec.h
--- suexec-orig/suexec.h2010-09-09 14:11:44.0 +0200
+++ suexec-mod/suexec.h 2010-09-09 14:06:25.0 +0200
@@ -23,7 +23,7 @@
#ifndef _SUEXEC_H
#define _SUEXEC_H
-
+#define DIR_CHROOT /chroots/apache/
/*
* Include ap_config_layout so we can work out where the default htdocsdir
* and logsdir are.
Re: Fake Basic Authentication
Am 09.09.2010 01:00, schrieb Nick Kew: Someone asked on IRC today about seemlessly mixing SSL Client authentication (FakeBasicAuth) with normal basic authn. As I understood it, users without a client cert should authenticate, but those with one would be spared the authn dialogue. A quick look at mod_ssl reveals that FakeBasicAuth sets r-user in an Access hook, so it's set before authn. So what the user asks is trivial: all it needs is an authn provider that accepts any request in which r-user is set. I've just hacked up the smallest-ever(?) module (attached) to do that. This could also give users flexibility to mix-and-match basic auth with other schemes in mod_rewrite style. Or no doubt shoot themselves in the foot. Thoughts? isnt this already something similar? http://sourceforge.net/projects/modauthcertific/ Gün.
Re: Fake Basic Authentication
On Thu, 09 Sep 2010 16:51:00 +0200 Guenter Knauf fua...@apache.org wrote: Am 09.09.2010 01:00, schrieb Nick Kew: Someone asked on IRC today about seemlessly mixing SSL Client authentication (FakeBasicAuth) with normal basic authn. As I understood it, users without a client cert should authenticate, but those with one would be spared the authn dialogue. A quick look at mod_ssl reveals that FakeBasicAuth sets r-user in an Access hook, so it's set before authn. So what the user asks is trivial: all it needs is an authn provider that accepts any request in which r-user is set. I've just hacked up the smallest-ever(?) module (attached) to do that. This could also give users flexibility to mix-and-match basic auth with other schemes in mod_rewrite style. Or no doubt shoot themselves in the foot. Thoughts? isnt this already something similar? http://sourceforge.net/projects/modauthcertific/ Looking at that, I see it implements its own protocol and hooks, including changing r-ap_auth_type on-the-fly. I could be wrong, but it doesn't look like something that'll integrate well with mod_auth_basic and authn providers. -- Nick Kew
