Merge r1642847 and r1673155 from trunk so that yesterday's ApacheCon talk is valid:

core: Add CGIPassAuth directive to control whether HTTP authorization headers are passed to scripts as CGI variables. PR: 56855 Reviewed by: rjung, ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1673860 13f79535-47bb-0310-9956-ffa450edef68
2025-08-10 02:56:11 +00:00 · 2015-04-15 16:42:46 +00:00
parent 9fed798142
commit bccf84f76f
7 changed files with 74 additions and 10 deletions
--- a/4
+++ b/4
@ -141,6 +141,10 @@ Changes with Apache 2.4.11
     request headers earlier.  Adds "MergeTrailers" directive to restore
     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

+  *) core: Add CGIPassAuth directive to control whether HTTP authorization
+     headers are passed to scripts as CGI variables.  PR 56855.  [Jeff 
+     Trawick]
+
  *) mod_ssl: New directive SSLSessionTickets (On|Off).
     The directive controls the use of TLS session tickets (RFC 5077),
     default value is "On" (unchanged behavior).
--- a/8
+++ b/8
@ -138,14 +138,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     2.4.x patch: trunk works (modulo CHANGES)
     +1: ylavic, rjung, trawick

-  *) core: Add CGIPassAuth directive to control whether HTTP authorization
-     headers are passed to scripts as CGI variables.  PR: 56855
-     trunk patch: http://svn.apache.org/r1642847, http://svn.apache.org/r1673155
-     2.4.x patch: http://people.apache.org/~trawick/r1642847-r1673155-to-2.4.x.txt
-                  (trunk works if you do the normal CHANGES/ap_mmn/core_dir_config
-                   merge conflict resolution ;) )
-     +1: trawick, rjung, ylavic
-
  *) mod_logio: Log time-to-first-byte via %^FB
     trunk patch: http://svn.apache.org/r1671918
                  http://svn.apache.org/r1673113
--- a/docs/manual/mod/core.xml
+++ b/docs/manual/mod/core.xml
@ -560,6 +560,43 @@ scripts</description>
 </usage>
 </directivesynopsis>

+<directivesynopsis>
+<name>CGIPassAuth</name>
+<description>Enables passing HTTP authorization headers to scripts as CGI
+variables</description>
+<syntax>CGIPassAuth On|Off</syntax>
+<default>CGIPassAuth Off</default>
+<contextlist><context>directory</context><context>.htaccess</context>
+</contextlist>
+<override>AuthConfig</override>
+<compatibility>Available in Apache HTTP Server 2.4.13 and later</compatibility>
+
+<usage>
+    <p><directive>CGIPassAuth</directive> allows scripts access to HTTP
+    authorization headers such as <code>Authorization</code>, which is
+    required for scripts that implement HTTP Basic authentication.
+    Normally these HTTP headers are hidden from scripts, as it allows
+    scripts to see user ids and passwords used to access the server when
+    HTTP Basic authentication is enabled in the web server.  This directive
+    should be used when scripts are allowed to implement HTTP Basic
+    authentication.</p>
+
+    <p>This directive can be used instead of the compile-time setting
+    <code>SECURITY_HOLE_PASS_AUTHORIZATION</code> which has been available
+    in previous versions of Apache HTTP Server.</p>
+
+    <p>The setting is respected by any modules which use
+    <code>ap_add_common_vars()</code>, such as <module>mod_cgi</module>,
+    <module>mod_cgid</module>, <module>mod_proxy_fcgi</module>,
+    <module>mod_proxy_scgi</module>, and so on.  Notably, it affects
+    modules which don't handle the request in the usual sense but
+    still use this API; examples of this are <module>mod_include</module>
+    and <module>mod_ext_filter</module>.  Third-party modules that don't
+    use <code>ap_add_common_vars()</code> may choose to respect the setting
+    as well.</p>
+</usage>
+</directivesynopsis>
+
 <directivesynopsis>
 <name>ContentDigest</name>
 <description>Enables the generation of <code>Content-MD5</code> HTTP Response
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@ -439,6 +439,8 @@
 * 20120211.41 (2.4.11-dev) Add ap_proxy_de_socketfy to mod_proxy.h
 * 20120211.42 (2.4.13-dev) Add response_code_exprs to http_core.h
 * 20120211.43 (2.4.13-dev) Add keep_alive_timeout_set to server_rec
+ * 20120211.44 (2.4.13-dev) Add cgi_pass_auth and AP_CGI_PASS_AUTH_* to 
+ *                          core_dir_config
 */

 #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
@ -446,7 +448,7 @@
 #ifndef MODULE_MAGIC_NUMBER_MAJOR
 #define MODULE_MAGIC_NUMBER_MAJOR 20120211
 #endif
-#define MODULE_MAGIC_NUMBER_MINOR 43                   /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 44                   /* 0...n */

 /**
 * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
--- a/include/http_core.h
+++ b/include/http_core.h
@ -621,6 +621,15 @@ typedef struct {
     */
    apr_hash_t *response_code_exprs;

+#define AP_CGI_PASS_AUTH_OFF     (0)
+#define AP_CGI_PASS_AUTH_ON      (1)
+#define AP_CGI_PASS_AUTH_UNSET   (2)
+    /** CGIPassAuth: Whether HTTP authorization headers will be passed to
+     * scripts as CGI variables; affects all modules calling
+     * ap_add_common_vars(), as well as any others using this field as 
+     * advice
+     */
+    unsigned int cgi_pass_auth : 2;
 } core_dir_config;

 /* macro to implement off by default behaviour */
--- a/server/core.c
+++ b/server/core.c
@ -190,6 +190,8 @@ static void *create_core_dir_config(apr_pool_t *a, char *dir)
    conf->max_overlaps = AP_MAXRANGES_UNSET;
    conf->max_reversals = AP_MAXRANGES_UNSET;

+    conf->cgi_pass_auth = AP_CGI_PASS_AUTH_UNSET;
+
    return (void *)conf;
 }

@ -401,6 +403,8 @@ static void *merge_core_dir_configs(apr_pool_t *a, void *basev, void *newv)
    conf->max_overlaps = new->max_overlaps != AP_MAXRANGES_UNSET ? new->max_overlaps : base->max_overlaps;
    conf->max_reversals = new->max_reversals != AP_MAXRANGES_UNSET ? new->max_reversals : base->max_reversals;

+    conf->cgi_pass_auth = new->cgi_pass_auth != AP_CGI_PASS_AUTH_UNSET ? new->cgi_pass_auth : base->cgi_pass_auth;
+
    return (void*)conf;
 }

@ -1685,6 +1689,15 @@ static const char *set_override(cmd_parms *cmd, void *d_, const char *l)
    return NULL;
 }

+static const char *set_cgi_pass_auth(cmd_parms *cmd, void *d_, int flag)
+{
+    core_dir_config *d = d_;
+
+    d->cgi_pass_auth = flag ? AP_CGI_PASS_AUTH_ON : AP_CGI_PASS_AUTH_OFF;
+
+    return NULL;
+}
+
 static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
 {
    core_dir_config *d = d_;
@ -4121,6 +4134,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_limit, NULL,
 AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
              "maximum recursion depth of internal redirects and subrequests"),

+AP_INIT_FLAG("CGIPassAuth", set_cgi_pass_auth, NULL, OR_AUTHCFG,
+             "Controls whether HTTP authorization headers, normally hidden, will "
+             "be passed to scripts"),
 AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower,
       (void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO,
     "a mime type that overrides other configured type"),
--- a/server/util_script.c
+++ b/server/util_script.c
@ -140,6 +140,8 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
    apr_table_t *e;
    server_rec *s = r->server;
    conn_rec *c = r->connection;
+    core_dir_config *conf =
+        (core_dir_config *)ap_get_core_module_config(r->per_dir_config);
    const char *env_temp;
    const apr_array_header_t *hdrs_arr = apr_table_elts(r->headers_in);
    const apr_table_entry_t *hdrs = (const apr_table_entry_t *) hdrs_arr->elts;
@ -188,7 +190,9 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
 #ifndef SECURITY_HOLE_PASS_AUTHORIZATION
        else if (!strcasecmp(hdrs[i].key, "Authorization")
                 || !strcasecmp(hdrs[i].key, "Proxy-Authorization")) {
-            continue;
+            if (conf->cgi_pass_auth == AP_CGI_PASS_AUTH_ON) {
+                add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+            }
        }
 #endif
        else