Mailing List Archive

Re: bug in mod_auth_msql.c (fwd)
Forwarded message:
> From khera@kci.kciLink.com Mon Oct 2 08:25:18 1995
> Message-Id: <199510021525.LAA01696@kci.kciLink.com>
> To: Apache Bugs <apache-bugs@mail.apache.org>
> CC: Nathan J Kurz <nate@tripod.tripod.com>
> Subject: Re: bug in mod_auth_msql.c
> In-reply-to: Your message of "Sun, 01 Oct 1995 06:34:43 EDT."
> <199510011034.GAA01851@tripod.tripod.com>
> Date: Mon, 02 Oct 1995 11:25:11 -0400
> From: Vivek Khera <khera@kci.kciLink.com>
>
> Here's an updated version of my mod_auth_msql.c file for the Apache contrib
> archive. It fixes a bug (segmentation violation) where the password field
> is allowed to be NULL, even though the documentation warns against it.
> Please also update the note in the "how to install extensions" to list the
> last modified date for this to be 2-OCT-95.
>
> Thanks.
>
>
> v.
>

#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.1).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.
#
# Made on 1995-10-02 11:21 EDT by <khera@kci.kciLink.com>.
# Source directory was `/usr/local/src/kciLink/apache_0.8.14/src'.
#
# Existing files will *not* be overwritten unless `-c' is specified.
#
# This shar contains:
# length mode name
# ------ ---------- ------------------------------------------
# 7755 -r--r--r-- mod_auth_msql.c
#
touch -am 1231235999 $$.touch >/dev/null 2>&1
if test ! -f 1231235999 && test -f $$.touch; then
shar_touch=touch
else
shar_touch=:
echo
echo 'WARNING: not restoring timestamps. Consider getting and'
echo "installing GNU \`touch', distributed in GNU File Utilities..."
echo
fi
rm -f 1231235999 $$.touch
#
# ============= mod_auth_msql.c ==============
if test -f 'mod_auth_msql.c' && test X"$1" != X"-c"; then
echo 'x - skipping mod_auth_msql.c (file already exists)'
else
echo 'x - extracting mod_auth_msql.c (text)'
sed 's/^X//' << 'SHAR_EOF' > 'mod_auth_msql.c' &&
X
/*-
X * Copyright (c) 1995 The Apache Group. All rights reserved.
X *
X *
X * Apache httpd license
X * ====================
X *
X *
X * This is the license for the Apache Server. It covers all the
X * files which come in this distribution, and should never be removed.
X *
X * The "Apache Group" has based this server, called "Apache", on
X * public domain code distributed under the name "NCSA httpd 1.3".
X *
X * NCSA httpd 1.3 was placed in the public domain by the National Center
X * for Supercomputing Applications at the University of Illinois
X * at Urbana-Champaign.
X *
X * As requested by NCSA we acknowledge,
X *
X * "Portions developed at the National Center for Supercomputing
X * Applications at the University of Illinois at Urbana-Champaign."
X *
X * Copyright on the sections of code added by the "Apache Group" belong
X * to the "Apache Group" and/or the original authors. The "Apache Group" and
X * authors hereby grant permission for their code, along with the
X * public domain NCSA code, to be distributed under the "Apache" name.
X *
X * Reuse of "Apache Group" code outside of the Apache distribution should
X * be acknowledged with the following quoted text, to be included with any new
X * work;
X *
X * "Portions developed by the "Apache Group", taken with permission
X * from the Apache Server http://www.apache.org/apache/ "
X *
X *
X * Permission is hereby granted to anyone to redistribute Apache under
X * the "Apache" name. We do not grant permission for the resale of Apache, but
X * we do grant permission for vendors to bundle Apache free with other software,
X * or to charge a reasonable price for redistribution, provided it is made
X * clear that Apache is free. Permission is also granted for vendors to
X * sell support for for Apache. We explicitly forbid the redistribution of
X * Apache under any other name.
X *
X * THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS ``AS IS'' AND
X * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
X * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
X * ARE DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE
X * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
X * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
X * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
X * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
X * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
X * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
X * SUCH DAMAGE.
X *
X */
X
X
X
/*
X * http_auth_msql: authentication
X *
X * Rob McCool & Brian Behlendorf.
X *
X * Adapted to Shambhala by rst.
X */
X
/*
X * converted to use mSQL by Vivek Khera <khera@kciLink.com>
X * only has user/passwords in mSQL database. A suitable table would be:
X *
X * CREATE TABLE user_info (
X * user char(30) primary key,
X * password char(20) not null,
X * [ any other fields if needed ]
X * )
X *
X * User must be a unique, non-empty field. Length is however long you
X * want it to be. Password length of 20 follows new-style crypt() usage.
X * The older crypt uses shorter encrypted passwords. Any other fields in
X * the named table will be ignored.
X *
X * Usage in per-directory access conf file:
X *
X * AuthName mSQL Testing
X * AuthType Basic
X * AuthGroupFile /dev/null
X * AuthMSQLHost localhost
X * AuthMSQLDB www_data
X * AuthMSQLUserTable user_info
X *
X * <Limit GET POST>
X * require valid-user
X * </Limit>
X *
X * the Host of "localhost" means use the mSQL socket instead of a TCP
X * connection to the database. The DB is the database name on the server,
X * and UserTable is the actual table name within that database.
X *
X * Groups are not implemented in mSQL. Use the original flat file or
X * the Apache DBM version.
X */
X
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include <msql.h>
X
/*
X * msqlhost is host name. localhost means use Unix Domain socket for mSQL.
X * msqlDB is the database name on that host.
X * msqlpwtable is the table name for passwords. uses fields "user","password".
X * The "user" field must be "not null" and unique. "password" is encrypted.
X * the user field must not have a ' (single quote) character in it.
X */
typedef struct {
X char *auth_msqlhost;
X char *auth_msqlDB;
X char *auth_msqlpwtable;
} msql_auth_config_rec;
X
void *create_msql_auth_dir_config (pool *p, char *d)
{
X return pcalloc (p, sizeof(msql_auth_config_rec));
}
X
command_rec msql_auth_cmds[] = {
{ "AuthMSQLHost", set_string_slot,
X (void*)XtOffsetOf(msql_auth_config_rec, auth_msqlhost),
X OR_AUTHCFG, TAKE1, "mSQL server hostname" },
{ "AuthMSQLDB", set_string_slot,
X (void*)XtOffsetOf(msql_auth_config_rec, auth_msqlDB),
X OR_AUTHCFG, TAKE1, "mSQL database name" },
{ "AuthMSQLUserTable", set_string_slot,
X (void*)XtOffsetOf(msql_auth_config_rec, auth_msqlpwtable),
X OR_AUTHCFG, TAKE1, "mSQL table name" },
{ NULL }
};
X
module msql_auth_module;
X
/*
X * get password from database
X */
char *get_msql_pw(request_rec *r, char *user, msql_auth_config_rec *m) {
X int msqlSock;
X m_result *result;
X m_row data;
X char *pw = NULL;
X char *host;
X char query[MAX_STRING_LEN];
X
X if (!m->auth_msqlhost || strcmp(m->auth_msqlhost,"localhost") == 0) {
X host = NULL;
X } else {
X host = m->auth_msqlhost;
X }
X
X if((msqlSock=msqlConnect(host)) < 0) {
X log_reason (msqlErrMsg, r->uri, r);
X return NULL;
X }
X
X if (msqlSelectDB(msqlSock,m->auth_msqlDB) < 0) {
X log_reason (msqlErrMsg, r->uri, r);
X return NULL;
X }
X
X sprintf(query,"SELECT password FROM %s WHERE user = '%s'",
X m->auth_msqlpwtable, user);
X if (msqlQuery(msqlSock, query) < 0) {
X log_reason (msqlErrMsg, r->uri, r);
X return NULL;
X }
X
X result = msqlStoreResult();
X if (msqlNumRows(result) == 1) {
X data = msqlFetchRow(result);
X if (data[0]) {
X pw = palloc (r->pool, strlen(data[0]) + 1);
X strcpy(pw,data[0]);
X } else { /* no password in mSQL table -- returns NULL */
X log_reason ("mSQL user has no valid password", r->uri, r);
X return NULL;
X }
X }
X
X msqlFreeResult(result);
X msqlClose(msqlSock);
X
X return pw;
}
X
int msql_authenticate_basic_user (request_rec *r)
{
X msql_auth_config_rec *sec =
X (msql_auth_config_rec *)get_module_config (r->per_dir_config,
X &msql_auth_module);
X conn_rec *c = r->connection;
X char *sent_pw, *real_pw;
X char errstr[MAX_STRING_LEN];
X int res;
X
X if ((res = get_basic_auth_pw (r, &sent_pw)))
X return res;
X
X if(!sec->auth_msqlpwtable)
X return DECLINED;
X
X if(!(real_pw = get_msql_pw(r, c->user, sec))) {
X sprintf(errstr,"mSQL user %s not found", c->user);
X log_reason (errstr, r->uri, r);
X note_basic_auth_failure (r);
X return AUTH_REQUIRED;
X }
X /* anyone know where the prototype for crypt is? */
X if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
X sprintf(errstr,"user %s: password mismatch",c->user);
X log_reason (errstr, r->uri, r);
X note_basic_auth_failure (r);
X return AUTH_REQUIRED;
X }
X return OK;
}
X
X
module msql_auth_module = {
X STANDARD_MODULE_STUFF,
X NULL, /* initializer */
X create_msql_auth_dir_config, /* dir config creater */
X NULL, /* dir merger --- default is to override */
X NULL, /* server config */
X NULL, /* merge server config */
X msql_auth_cmds, /* command table */
X NULL, /* handlers */
X NULL, /* filename translation */
X msql_authenticate_basic_user, /* check_user_id */
X NULL, /* check auth */
X NULL, /* check access */
X NULL, /* type_checker */
X NULL, /* fixups */
X NULL /* logger */
};
SHAR_EOF
$shar_touch -am 1002112095 'mod_auth_msql.c' &&
chmod 0444 'mod_auth_msql.c' ||
echo 'restore of mod_auth_msql.c failed'
shar_count="`wc -c < 'mod_auth_msql.c'`"
test 7755 -eq "$shar_count" ||
echo "mod_auth_msql.c: original size 7755, current size $shar_count"
fi
exit 0
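A hardened form of the query construction and row handling in get_msql_pw() above, added here as an example (it is not the module's or the author's code): it enforces the single-quote restriction the header comment states, bounds the query buffer instead of using an unchecked sprintf(), and models the NULL-password check the post introduces. mSQL of this era has no parameterised queries, so validating the user value before interpolation is assumed to be the available control; user_is_safe, build_pw_query and password_from_row are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_USER_LEN 30   /* matches the char(30) "user" column suggested above */

/* Reject a username that could break out of the SQL string literal.
 * The module's comment already forbids a single quote in "user"; this also
 * rejects backslashes, control characters and over-long values. */
int user_is_safe(const char *user) {
    size_t n = strlen(user);
    if (n == 0 || n > MAX_USER_LEN) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)user[i];
        if (ch == '\'' || ch == '\\' || !isprint(ch)) return 0;
    }
    return 1;
}

/* Build the lookup query with a bounded write. Returns 1 on success, 0 if the
 * user value is unsafe or the query would not fit (truncated SQL is an error,
 * not something to send to the server). */
int build_pw_query(char *out, size_t outlen, const char *table, const char *user) {
    if (!user_is_safe(user)) return 0;
    int n = snprintf(out, outlen, "SELECT password FROM %s WHERE user = '%s'",
                     table, user);
    return n > 0 && (size_t)n < outlen;
}

/* Model of the fixed row handling: a NULL password column (the segmentation
 * fault the post fixes) yields NULL instead of reaching strlen()/crypt(). */
const char *password_from_row(const char *const *row) {
    if (row == NULL || row[0] == NULL) return NULL;
    return row[0];
}
```

Any caller that receives NULL from password_from_row() should treat it as an authentication failure, as the updated module does.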
Re: bug in mod_auth_msql.c (fwd)
On Mon, 2 Oct 1995, Rob Hartill wrote:
^^^^^^^^^^
(catching up)

> > From khera@kci.kciLink.com Mon Oct 2 08:25:18 1995
> > Message-Id: <199510021525.LAA01696@kci.kciLink.com>
> > To: Apache Bugs <apache-bugs@mail.apache.org>
> > CC: Nathan J Kurz <nate@tripod.tripod.com>
> > Subject: Re: bug in mod_auth_msql.c
> > In-reply-to: Your message of "Sun, 01 Oct 1995 06:34:43 EDT."
> > <199510011034.GAA01851@tripod.tripod.com>
> > Date: Mon, 02 Oct 1995 11:25:11 -0400
> > From: Vivek Khera <khera@kci.kciLink.com>
> >
> > Here's an updated version of my mod_auth_msql.c file for the Apache contrib
> > archive. It fixes a bug (segmentation violation) where the password field
> > is allowed to be NULL, even though the documentation warns against it.

Uploaded and in place.

> > Please also update the note in the "how to install extensions" to list the
> > last modified date for this to be 2-OCT-95.

I removed attempts at maintaining a catalog in the README file.

Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/