Remember an authenticated user during internal redirects if the

redirection target is not access protected and pass it
to scripts using the REDIRECT_REMOTE_USER environment variable.

PR: 10678, 11602.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100604 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

@@ -2,6 +2,11 @@ Changes with Apache 2.1.0-dev
 
   [Remove entries to the current 2.0 section below, when backported]
 
+  *) Remember an authenticated user during internal redirects if the
+     redirection target is not access protected and pass it
+     to scripts using the REDIRECT_REMOTE_USER environment variable.
+     PR 10678, 11602.  [Andr<64> Malo]
+
   *) mod_rewrite: fix a problem in the proxy support of mod_rewrite.
      The broken code was inserting multiple "proxy:" fields in the
      rewritten URIs. [PR: 13946]

server/util_script.c

@@ -286,6 +286,17 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
     if (r->user) {
 	apr_table_addn(e, "REMOTE_USER", r->user);
     }
+    else if (r->prev) {
+        request_rec *back = r->prev;
+
+        while (back) {
+            if (back->user) {
+                apr_table_addn(e, "REDIRECT_REMOTE_USER", back->user);
+                break;
+            }
+            back = back->prev;
+        }
+    }
     if (r->ap_auth_type) {
 	apr_table_addn(e, "AUTH_TYPE", r->ap_auth_type);
     }

support/suexec.c

@@ -160,6 +160,7 @@ char *safe_env_lst[] =
     "REMOTE_USER=",
     "REDIRECT_HANDLER=",
     "REDIRECT_QUERY_STRING=",
+    "REDIRECT_REMOTE_USER=",
     "REDIRECT_STATUS=",
     "REDIRECT_URL=",
     "REQUEST_METHOD=",