#46005 [Com]: [PATCH] User not consistently logged under Apache2
ID:               46005
Comment by:       admorten at umich dot edu
Reported By:      admorten at umich dot edu
Status:           Open
Bug Type:         Apache2 related
Operating System: Linux 2.6.21.3
PHP Version:      5.2.6

New Comment:

Do you have a backtrace?

Previous Comments:

[2008-11-05 10:16:01] k at kelvinlim dot com

I encountered this bug as well, as our Apache configuration uses a custom single sign-on authentication module. admorten's patches successfully resolved the issue--but only after I switched back to the use of estrdup. apr_pstrdup does *not* work; instead, it causes my Apache processes (prefork MPM) to segfault.

[2008-10-10 15:52:32] admorten at umich dot edu

I've updated both patches to use apr_pstrdup instead of estrdup when copying r->user into SG(request_info).auth_user, which is how the rest of the request info is copied. URLs are still the same.

[2008-09-05 20:01:05] admorten at umich dot edu

Patch URLs got mangled. Shortened patch names:

http://rsug.itd.umich.edu/~admorten/apache2filter_user_logging.patch
http://rsug.itd.umich.edu/~admorten/apache2handler_user_logging.patch

[2008-09-05 19:57:04] admorten at umich dot edu

Description:
The apache2 handler and filter strip the user (r->user) from the request if there's no Authorization header in the request. This breaks user logging for authorization filters like mod_auth_kerb, mod_authnz_ldap and mod_cosign, which do not use the Authorization header.

The patches linked to below check to see if r->user is set and ensure that the user remains attached to the request, which Apache2 can then use to log the user properly.

This should fix the issues reported previously in bug #44631. The issue was partially fixed with the patch in bug #22672, but that patch continued to rely on Authorization headers, and was only applied to the apache2 handler.

Patches (apply to 5.2.6):

http://rsug.itd.umich.edu/~admorten/sapi_apache2filter_user_logging_f ix.patch
http://rsug.itd.umich.edu/~admorten/sapi_apache2handler_user_logging_ fix.patch
#46005 [Opn]: [PATCH] User not consistently logged under Apache2
ID:               46005
User updated by:  admorten at umich dot edu
Reported By:      admorten at umich dot edu
Status:           Open
Bug Type:         Apache2 related
Operating System: Linux 2.6.21.3
PHP Version:      5.2.6

New Comment:

I've updated both patches to use apr_pstrdup instead of estrdup when copying r->user into SG(request_info).auth_user, which is how the rest of the request info is copied. URLs are still the same.
#46005 [NEW]: User not consistently logged under Apache2
From:             admorten at umich dot edu
Operating system: Linux 2.6.21.3
PHP version:      5.2.6
PHP Bug Type:     Apache2 related
Bug description:  User not consistently logged under Apache2

Description:
The apache2 handler and filter strip the user (r->user) from the request if there's no Authorization header in the request. This breaks user logging for authorization filters like mod_auth_kerb, mod_authnz_ldap and mod_cosign, which do not use the Authorization header.

The patches linked to below check to see if r->user is set and ensure that the user remains attached to the request, which Apache2 can then use to log the user properly.

This should fix the issues reported previously in bug #44631. The issue was partially fixed with the patch in bug #22672, but that patch continued to rely on Authorization headers, and was only applied to the apache2 handler.

Patches (apply to 5.2.6):

http://rsug.itd.umich.edu/~admorten/sapi_apache2filter_user_logging_f ix.patch
http://rsug.itd.umich.edu/~admorten/sapi_apache2handler_user_logging_ fix.patch
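The behaviour described in the report above, as an added example that is not PHP's source and not the linked patches: a simplified C model of the user field being dropped when there is no Authorization header, beside the fallback to a user that an auth module already set. The struct and function names, the toy "Basic <user>" header format, and the assumption that the request's user is re-derived from the parsed header are all hypothetical stand-ins for request_rec and SG(request_info).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for request_rec and SG(request_info); not the real structures. */
struct model_request {
    const char *authorization;  /* Authorization header value, or NULL */
    char *user;                 /* set by an auth module, or NULL */
};
struct model_sapi { char *auth_user; };

static char *dup_or_null(const char *s) {
    if (s == NULL) return NULL;
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Toy header parse: accepts "Basic <user>" (constructed format, no base64). */
static char *user_from_header(const char *h) {
    if (h == NULL || strncmp(h, "Basic ", 6) != 0) return NULL;
    return dup_or_null(h + 6);
}

/* apply_fix == 0: behaviour in the report; apply_fix == 1: with the fallback. */
static void sapi_setup_user(struct model_request *r, struct model_sapi *sg, int apply_fix) {
    sg->auth_user = user_from_header(r->authorization);
    if (apply_fix && sg->auth_user == NULL && r->user != NULL)
        sg->auth_user = dup_or_null(r->user);   /* keep the module's user */
    free(r->user);
    r->user = dup_or_null(sg->auth_user);       /* NULL here means the user is stripped */
}

/* Returns what the access log's user field would show ("-" if unset). Caller frees. */
char *logged_user(const char *authorization, const char *module_user, int apply_fix) {
    struct model_request r = { authorization, dup_or_null(module_user) };
    struct model_sapi sg = { NULL };
    sapi_setup_user(&r, &sg, apply_fix);
    char *out = dup_or_null(r.user ? r.user : "-");
    free(r.user);
    free(sg.auth_user);
    return out;
}

int main(void) {
    char *a = logged_user(NULL, "alice", 0), *b = logged_user(NULL, "alice", 1);
    printf("before: %s  after: %s\n", a, b);
    free(a); free(b);
}
```

The practical effect for anyone auditing access logs is that requests authenticated by a module that does not use the Authorization header are recorded without a user until the fallback is in place.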
#46005 [Opn]: User not consistently logged under Apache2
ID:               46005
User updated by:  admorten at umich dot edu
Reported By:      admorten at umich dot edu
Status:           Open
Bug Type:         Apache2 related
Operating System: Linux 2.6.21.3
PHP Version:      5.2.6

New Comment:

Patch URLs got mangled. Shortened patch names:

http://rsug.itd.umich.edu/~admorten/apache2filter_user_logging.patch
http://rsug.itd.umich.edu/~admorten/apache2handler_user_logging.patch